We have a use case to take backup of .opendistro_security index and are using below command to take backup of security index:
sh securityadmin.sh -backup /opensearch-backup/.securityconfig
This was working fine with OpenSearch v1.3.2. However, when we moved to OpenSearch v2.1.0 it is failing with below error:
securityadmin started
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=admin"
OpenSearch Version: 2.1.0
Contacting opensearch cluster 'testos' and wait for YELLOW clusterstate ...
Clustername: testos
Clusterstate: GREEN
Number of nodes: 4
Number of data nodes: 2
.opendistro_security index already exists, so we do not need to create one.
Legacy index '.opendistro_security' (ES 6) detected (or forced). You should migrate the configuration!
Will retrieve '/config' into /opensearch-backup/.securityconfig/config.yml (legacy mode)
ERR: Seems config from cluster is not in legacy format: java.io.IOException: A version of 1 can not have a _meta key for CONFIG
Will retrieve '/roles' into /opensearch-backup/.securityconfig/roles.yml (legacy mode)
ERR: Seems roles from cluster is not in legacy format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "index_permissions" (class org.opensearch.security.securityconf.impl.v6.RoleV6), not marked as ignorable (5 known properties: "tenants", "readonly", "indices", "hidden", "cluster"])
at [Source: (String)"{"_meta":{"type":"roles","config_version":2},"kibana_read_only":{"reserved":false},"security_rest_api_access":{"reserved":false},"kibana_multitenancy_user":{"reserved":false,"hidden":false,"index_permissions":[{"index_patterns":[".kibana_*"],"allowed_actions":["manage","read","delete","index"]}],"tenant_permissions":[{"tenant_patterns":["global_tenant"],"allowed_actions":["kibana_all_write"]}]}}"; line: 1, column: 211] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration["kibana_multitenancy_user"]->org.opensearch.security.securityconf.impl.v6.RoleV6["index_permissions"])
Will retrieve '/rolesmapping' into /opensearch-backup/.securityconfig/roles_mapping.yml (legacy mode)
ERR: Seems rolesmapping from cluster is not in legacy format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "backend_roles" (class org.opensearch.security.securityconf.impl.v6.RoleMappingsV6), not marked as ignorable (6 known properties: "and_backendroles", "readonly", "users", "backendroles", "hidden", "hosts"])
at [Source: (String)"{"_meta":{"type":"rolesmapping","config_version":2},"all_access":{"reserved":false,"hidden":false,"backend_roles":["admin"],"description":"Migrated from v6"},"own_index":{"reserved":false,"hidden":false,"users":["*"]},"kibana_user":{"reserved":false,"backend_roles":["kibanauser"],"description":"Maps kibanauser to kibana_user role"},"readall":{"reserved":false,"backend_roles":["readall"]},"kibana_server":{"reserved":false,"users":["kibanaserver"]},"kibana_multitenancy_user":{"reserved":"false","h"[truncated 30 chars]; line: 1, column: 116] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration["all_access"]->org.opensearch.security.securityconf.impl.v6.RoleMappingsV6["backend_roles"])
Will retrieve '/internalusers' into /opensearch-backup/.securityconfig/internal_users.yml (legacy mode)
ERR: Seems internalusers from cluster is not in legacy format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "backend_roles" (class org.opensearch.security.securityconf.impl.v6.InternalUserV6), not marked as ignorable (7 known properties: "readonly", "username", "attributes", "hidden", "password", "roles", "hash"])
at [Source: (String)"{"_meta":{"type":"internalusers","config_version":2},"admin":{"reserved":false,"hidden":false,"hash":"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG","backend_roles":["admin"]},"kibanaserver":{"reserved":false,"hash":"$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."}}"; line: 1, column: 182] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration["admin"]->org.opensearch.security.securityconf.impl.v6.InternalUserV6["backend_roles"])
Will retrieve '/actiongroups' into /opensearch-backup/.securityconfig/action_groups.yml (legacy mode)
ERR: Seems actiongroups from cluster is not in legacy format: java.io.IOException: A version of 1 can not have a _meta key for ACTIONGROUPS
Will retrieve '/nodesdn' into /opensearch-backup/.securityconfig/nodes_dn.yml (legacy mode)
ERR: Seems nodesdn from cluster is not in legacy format: java.io.IOException: A version of 1 can not have a _meta key for NODESDN
Will retrieve '/whitelist' into /opensearch-backup/.securityconfig/whitelist.yml (legacy mode)
ERR: Seems whitelist from cluster is not in legacy format: java.io.IOException: A version of 1 can not have a _meta key for WHITELIST
Will retrieve '/audit' into /opensearch-backup/.securityconfig/audit.yml (legacy mode)
ERR: Seems audit from cluster is not in legacy format: java.io.IOException: A version of 1 can not have a _meta key for AUDIT
securityadmin ended
I have checked the format of config files in both the version 1.3.2.0 and 2.1.0.0, it looks the same.
Can you please suggest a way to resolve this and also check and share why is this error observed?