Hi,
I currently use elasticsearch oss + searchguard (for securing elk stack).
I intend to upgrade my cluster to opendistro in order to use the features available here.
We already have certain security configurations in place, like users, roles, etc., created & stored in the searchguard index.
Is there a way I can migrate this data to opendistro_security index without having to re-create the users?
A potential way I see is:
1. Back up the contents of the searchguard index as yaml files before the upgrade.
2. Use the same yaml files to run securityadmin.sh in opendistro after the upgrade.

But the problem I see with this approach is:
The names of static (built-in) roles and action groups differ in searchguard and opendistro_security.
For example, Opendistro:

    all_access:
      reserved: true
      hidden: false
      static: true
      description: "Allow full access to all indices and all cluster APIs"
      cluster_permissions:
      - "*"
      index_permissions:
      - index_patterns:
        - "*"
        allowed_action

and Searchguard:

    SGS_ALL_ACCESS:
      reserved: true
      hidden: false
      static: true
      description: "Allow full access to all indices and all cluster APIs"
      cluster_permissions:
      - "*"
      index_permissions:
      - index_patterns:
        - "*"
        allowed_actions:
        - "*"

In my configurations stored in the searchguard index, in sg_roles_mapping_yml, we are mapping certain users to existing static SG roles. For example:

    _sg_meta:
      type: "rolesmapping"
      config_version: 2
    SGS_ALL_ACCESS:
      reserved: true
      hidden: false
      backend_roles:
      - "admin"
      users:
      - "admin"

If I use such yamls from searchguard and run securityadmin.sh in opendistro, it won’t work as expected as opendistro does not identify a static role by this name.
Is there a way to resolve this and migrate to opendistro without having to rewrite all security configurations? Any pointers would be appreciated.
Thanks!
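
An added example, not part of the original post and not Search Guard or Open Distro code: a pre-import pass over an exported roles-mapping file that renames top-level role keys from a table and reports static roles left without a target name, so no mapping silently points at a role Open Distro does not know. Only the `SGS_ALL_ACCESS` to `all_access` pair comes from the post; the `_sg_meta` to `_meta` rename, the `SGS_` prefix test, and the names `SGS_EXAMPLE_ROLE` and `team_logs_reader` are assumptions or constructed values.

```python
import re

# Rename table for top-level keys. Only SGS_ALL_ACCESS -> all_access comes from
# the post; "_sg_meta" -> "_meta" is an assumption about the Open Distro header.
RENAMES = {"SGS_ALL_ACCESS": "all_access", "_sg_meta": "_meta"}
STATIC_PREFIX = "SGS_"  # assumption: Search Guard static roles share this prefix
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w.-]*):\s*$")

def migrate_roles_mapping(text, renames=RENAMES):
    """Rename top-level role keys; return (new_text, unmapped_static_roles)."""
    out, unmapped = [], []
    for line in text.splitlines():
        m = TOP_LEVEL_KEY.match(line)  # indented lines never match
        if m:
            key = m.group(1)
            if key in renames:
                line = renames[key] + ":"
            elif key.startswith(STATIC_PREFIX):
                unmapped.append(key)  # would be a dangling mapping after import
        out.append(line)
    return "\n".join(out) + "\n", unmapped

# Constructed sample: the mapping from the post plus two hypothetical entries.
SAMPLE = """\
_sg_meta:
  type: "rolesmapping"
  config_version: 2
SGS_ALL_ACCESS:
  reserved: true
  hidden: false
  backend_roles:
  - "admin"
  users:
  - "admin"
SGS_EXAMPLE_ROLE:
  users:
  - "alice"
team_logs_reader:
  users:
  - "bob"
"""

if __name__ == "__main__":
    migrated, unmapped = migrate_roles_mapping(SAMPLE)
    print(migrated)
    if unmapped:
        print("No Open Distro name known for:", ", ".join(unmapped))
```

Treat a non-empty unmapped list as a stop condition before running securityadmin.sh, and extend the rename table only with names confirmed against the static roles shipped with the target installation.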