security: [BUG] Restoring snapshot: indices exclusion triggers security_exception (creating OK, listing OK)
Describe the bug:
I’m using the S3 repository plugin to store snapshots. I’ve tested this previously with the same scripting, but now I can’t restore snapshots anymore. I don’t know the exact cause; two things have changed: I have moved to 1.2.4 and I have moved from SAML to OpenID. The calls for the snapshot create/restore/list/etc. are still being done through basic auth.
The strange thing is, I can list all the snapshots, I can create snapshots, I just can’t restore them. I’m not including global state or the security index:
Error:
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [] and User [name=admin_XXXX, backend_roles=[admin], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [] and User [name=admin_XXXX, backend_roles=[admin], requestedTenant=null]"
  },
  "status": 403
}
Listing works:

Creating snapshot works:

Restoring fails:

all_access is mapped to the admin backend role:

Expected behavior: Snapshot is restored
Plugins: Default docker 1.2.4 plus s3 repo plugin. Also tried default docker 1.1 plus s3 repo plugin.
Host/Environment: Docker 1.2.4 image on Kubernetes
About this issue
- State: closed
- Created 2 years ago
- Reactions: 3
- Comments: 57 (11 by maintainers)
Problem with that can be the upgrades: we imported Suricata visualisations/dashboards into 1.x, worked fine. Restoring the same dashboards to 2.x through the dashboards API failed. Upgrading 1.x to 2.x would have saved them.
We would have liked to be able to back these up instead of doing another migration path or recreating them. A well-functioning backup/restore is a must-have in my opinion; you need to be able to do disaster recovery fast.
@peternied @scrawfor99 I left a comment on the PR in core. The backport label was not added to the PR so it was not backported and released in 2.6.0. The soonest it will be released is 2.7.0.
@peternied, I opened a PR in the security codebase to add a test which will check that the behavior is consistent during the SnapshotRestore operation. So once this gets merged everything should be set and this issue will be double covered with new testing in core and security.
Opened a PR to resolve the issue: https://github.com/opensearch-project/OpenSearch/pull/5626
Nice, thank you!
If we can, I’d recommend we test in scenarios that most closely reflect what customers encounter. I’d hate for another change in core to go in that seems innocuous but breaks snapshot restore via the security plugin.