No permissions for Snapshot

OpenSearch
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue: After taking the snapshot of indices and when we tried to restore the snapshot of indices, im getting error as below

{
“error” : {
“root_cause” : [
{
“type” : “security_exception”,
“reason” : “no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]”
}
],
“type” : “security_exception”,
“reason” : “no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]”
},
“status” : 403
}

Configuration: POST /_snapshot/my-fs-repository/wazuh_snapshot/_restore

Relevant Logs or Screenshots:

image
image1359×497 21.7 KB

1 Like
2

@shivag If you took the snapshot with the global state than you must use admin certificate to restore the snapshot as the snapshot will also contain security plugin index.

3

I have not included the global state. still I am facing the issue.

Command used for taking snapshot:

curl -XPUT -k -u admin:opensearch123 "https://192.168.0.28:9200/_snapshot/snapshot_repository/latest_snapshot" -H "Content-Type: application/json" -d '
{
  "ignore_unavailable": true,
  "include_global_state": false,
  "partial": false
}
'

Command for restoring snapshot in same cluster:

curl -XPOST -k -u admin:opensearch123 "https://192.168.0.28:9200/_snapshot/snapshot_repository/latest_snapshot/_restore" -H "Content-Type: application/json" -d '
{
  "ignore_unavailable": true,
  "include_global_state": false,
  "include_aliases": false,
  "partial": false
}
'

Below is the error I am facing:

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"},
4

I have also tried following command but still error remains same:

curl -XPOST -k -u admin:opensearch123 "https://192.168.0.28:9200/_snapshot/snapshot_repository/latest_snapshot/_restore" -H "Content-Type: application/json" -d '
{
  "ignore_unavailable": true,
  "indices": "-.opendistro_security",
  "include_global_state": false,
  "include_aliases": false,
  "partial": false,
  "rename_pattern": "(security-auditlog-2024.05.30)",
  "rename_replacement": "security-auditlog-2024.05.30_restored"
}
'

 curl -XPOST -k -u admin:opensearch123 "https://192.168.0.28:9200/_snapshot/snapshot_repository/latest_snapshot/_restore" -H "Content-Type: application/json" --key "/opt/opensearch/config/certs/node1-key.pem" --cert "/opt/opensearch/config/certs/node1.pem" --cacert "/opt/opensearch/config/certs/root-ca.pem" -d '
{
  "ignore_unavailable": true,
  "indices": "-.opendistro_security",
  "include_global_state": false,
  "include_aliases": false,
  "partial": false,
  "rename_pattern": "(security-auditlog-2024.05.30)",
  "rename_replacement": "security-auditlog-2024.05.30_restored"
}
'

Facing below error:

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"},"status":403}
5

Hey there, I am also facing the issue. I have not included global state, I have given all necessary permissions aswell. Please help me resolve this issue as soon as possible.

6

@Yuv Could you share your OpenSearch version?

7

I am using 2.18.0.

8

So I just happen to come across a new error, apparently I am able to restore individual index, but not all indices.

9

@Yuv What exactly are your backup and restore commands?

10

Backup CMD -

curl -sk -u "admin:dev@Pa&&w0rd" -X PUT "https://localhost:9200/_snapshot/my_backup_repo/all_indices_snapshot?wait_for_completion=true" -H 'Content-Type: application/json' -d'
{
  "indices": "_all",
  "include_global_state": false
}'

Successful, I can see the snapshot in my Snapshot Repo

Backup CMD -

curl -sk -u "admin:dev@Pa&&w0rd" -X POST "https://localhost:9200/_snapshot/my_backup_repo/all_indices_snapshot/_restore?wait_for_completion=true" -H 'Content-Type: application/json' -d'
{
  "indices": "_all",
  "include_global_state": false
}'

Output -

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"},"status":403}
11

Hey? Is there anything wrong with my cmds?

12

@Yuv Both commands are fine if the backup doesn’t contain the .opendistro_security index.
As per documentation, you must use admin certs to restore snapshots containing the mentioned index or use a regular user with required permissions and exclude.opendistro_security index from the restore.

This is my working example.

curl -sk -u "pablo:VMware123!" -X POST "https://localhost:9200/_snapshot/my-repo/all_indices_snapshot1/_restore?wait_for_completion=true" -H 'Content-Type: application/json' -d'
{
  "indices": "-.opendistro_security",
  "include_global_state": false,
  "rename_replacement": "restored_index_$1",
  "rename_pattern": "(.+)"
}'

[opensearch@01ed6c801955 ~]$ curl --insecure -u pablo:Eliatra123! https://localhost:9200/_plugins/_security/authinfo?pretty                                {
  "user" : "User [name=pablo, backend_roles=[, snapshotrestore], requestedTenant=null]",
  "user_name" : "pablo",
  "user_requested_tenant" : null,
  "remote_address" : "[::1]:43104",
  "backend_roles" : [
    "",
    "snapshotrestore"
  ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "manage_snapshots",
    "own_index"
  ],
  "tenants" : {
    "pablo" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}
13

Got it! Thanks

1 Like
14

Let us know if you managed to get it working @Yuv !

15

Yes Got it Thanks :v:

1 Like