OpenSearch S3 Snapshot restore does not work

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

  • OS 3.0 3.1 3.2 2.19 (ALL tested)

Describe the issue:

# GET /_snapshot/os-test/test-index-snapshot
{
  "snapshots": [
    {
      "snapshot": "test-index-snapshot",
      "uuid": "5SpBcPToSq268rg9Vz_CAQ",
      "version_id": 137237827,
      "version": "3.2.0",
      "remote_store_index_shallow_copy": false,
      "indices": [
        "test-index"
      ],
      "data_streams": [],
      "include_global_state": false,
      "state": "SUCCESS",
      "start_time": "2025-09-24T09:03:01.749Z",
      "start_time_in_millis": 1758704581749,
      "end_time": "2025-09-24T09:05:33.204Z",
      "end_time_in_millis": 1758704733204,
      "duration_in_millis": 151455,
      "failures": [],
      "shards": {
        "total": 2,
        "failed": 0,
        "successful": 2
      }
    }
  ]
}

# restore
POST /_snapshot/os-test/test-index-snapshot/_restore
{
  "indices": "test-index"
}
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"
  },
  "status": 403
}

# GET /_plugins/_security/api/account
{
  "user_name": "admin",
  "is_reserved": true,
  "is_hidden": false,
  "is_internal_user": true,
  "user_requested_tenant": null,
  "backend_roles": [
    "admin"
  ],
  "custom_attribute_names": [],
  "tenants": {
    "global_tenant": true,
    "admin": true
  },
  "roles": [
    "all_access"
  ]
}

# SecurityConfig
    admin:
      hash: "$2a$12$XXXXXXXX"
      reserved: true
      backend_roles:
      - "admin"
      description: "admin user"

  roles_mapping.yml: |-
    _meta:
      type: "rolesmapping"
      config_version: 2
    all_access:
      reserved: false
      backend_roles:
      - "admin"
      - "opendistro_security_anonymous_backendrole"
      description: "all_access mapping"
      users:
        - "write-user"

How to debug this?

I don’t know how to solve the problem.

Please help me

Configuration:

Relevant Logs or Screenshots:

@jameskim I’m unable to reproduce the issue, can you provide the command used to create this snapshot?

Hi!

POST /_snapshot/os-test/test-index-snapshot/_restore
{
  "indices": "test-index"
}
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"
  },
  "status": 403
}

How can I fix this? Any hints?

# SecurityConfig
    admin:
      hash: "$2a$12$XXXXXXXX"
      reserved: true
      backend_roles:
      - "admin"
      description: "admin user"

  roles_mapping.yml: |-
    _meta:
      type: "rolesmapping"
      config_version: 2
    all_access:
      reserved: false
      backend_roles:
      - "admin"
      - "opendistro_security_anonymous_backendrole"
      description: "all_access mapping"
      users:
        - "write-user"

This is my security_config.

@jameskim Can you provide the command used to create the snapshot, please?

Also, can you confirm if this user is able to restore/create any other snapshots?

Can you also try to restore using the admin certificate and key with curl? See the example below:

curl --cacert config/root-ca.pem \
     --cert  config/kirk.pem \
     --key   config/kirk-key.pem \
     -H 'Content-Type: application/json' \
     -X POST 'https://localhost:9200/_snapshot/os-test/test-index-snapshot/_restore?wait_for_completion=true' \
     -d '{"indices":"test-index","include_global_state":false}'