Describe the issue:
Hi community!
Lets say I have a cluster with Dashboard configured users, roles and tenants. I want to:
save those configurations
change configurations e.g. add a reserved user in internal_users.yaml
execute the securityadmin.sh to apply those configurations
reapply the saved configurations which were overwritten by securityadmin.sh (but only the Dashboard configurations)
As I understand, it is only possible in snapshots to restore indizes and configurations.
Is there a way to backup those configurations efficiently and to restore them after the securitadmin.sh update?
The -backup function backs up all of the configurations though. Therefore, if I restore the backup, my changed configurations with the securityadmin.sh script will be overwritten as well.
I only want to backup users/roles etc. that will be deleted by running the script.
@zujiry If you’d like to use snapshots and securitydamin.sh, you should try to take a snapshot of all indices except .opendistro_security. Then restore of the indices won’t overwrite the security configuration stored in .opendistro_security index.
Hi pablo, with Dashboard Configurations I mean the creation of roles / tenants etc. in the Dashboards UI. As I understand, those are not saved to the config files, therefore are overwritten if you use the securityadmin.sh.
Are roles / tenants etc. saved in the opendistro_security index?
@zujiry The security configuration UI in OpenSearch Dashboards updates exactly the same security configuration as securityadmin.sh.
The trick is to decide how you want to manage that configuration. If you make the changes through OpenSearch Dashboards UI, the securityadmin.sh won’t be aware of that.
Every time when you’d like to use securityadmin.sh it is a good practice, as @jasonrojas mentioned, to use the backup option to save the current running configuration. Then make changes to the config files and upload the updated configuration back to the cluster.
@pablo sorry, for the late answer. The problem is, that I want a combination of them. I want to setup the configuration via security configuration and securityadmin.sh. But a customer should only access opensearch via UI and set their configuration according to their wishes.
If I want to add e.g. an LDAP connection via securityadmin.sh I overwrite all the configurations of the customer though. A backup does not solve that, as I understand, as that can only reset the configurations to a point before I added e.g. LDAP.
I need a solution for restoring the UI made configurations after I set new underlying “base” configurations via securityadmin.sh.
@zujiry Actually the backup solves the problem of overwriting the security configuration. You first take a backup with securityadmin.sh, then change the config (i.e. add LDAP configuration) and upload the updated config backup to the cluster with sercurityadmin.sh.
The only condition here is that the customer should not make any changes in security configuration at the same time as you do.
You decide to create a new reserved user using internal_users.yml.
You run securityadmin.sh again to load the new reserved user into the index.
You lose all ten users that you created using the REST API.
Therefore, if I dont want to lose all ten users, I have to backup the users somehow but I can only reupload the backup before changing the configurations therefore the backup is only to be able to go back to a state of Opensearch before editing the configurations - which does not solve my problem.
I will try your solution. Thank you very much!!
@zujiry Correct. The backup will create yaml files in the specified backup folder. If you won’t specify that folder, then /usr/share/opensearch/plugins/opensearch-security/securityconfig (version 1.x) or /usr/share/opensearch/config/secruity-config (version 2.x) will be your default folder.
Your procedure is missing a backup step between 2 and 3. That’s why uploading configuration with securityadmin.sh after making changes with REST API will overwrite all the REST API changes.