Security permission issue while restoring snapshot from elastic cluster to opensearch cluster

OpenSearch
,
1

Hi All,

I have been trying to restore a snapshot which is created from elasticsearch cluster to the opensearch cluster , while doing so i am getting below error

{
“error” : {
“root_cause” : [
{
“type” : “security_exception”,
“reason” : “no permissions for and User [name=admin, backend_roles=[admin], requestedTenant=admin_tenant]”
}
],
“type” : “security_exception”,
“reason” : “no permissions for and User [name=admin, backend_roles=[admin], requestedTenant=admin_tenant]”
},
“status” : 403
},

But the snapshot is working if it is on the same cluster.

2

Hi
What index are you trying to restore ?

Some index require admin certificates to be able to restore them.
Check documentation
https://opensearch.org/docs/latest/opensearch/snapshot-restore/#security-plugin-considerations

3

Thankyou for the reply @ThibaudF

Trying to restore elastcsearch indexes to the opensearch cluster
used the below command

POST _snapshot/elselkdev-snapshot/snapshot_june20/_restore
{
“indices”: “archival-2022.06.13-000012”,
“ignore_unavailable”: true,
“include_global_state”: false,
“include_aliases”: false,
“partial”: false,
“ignore_index_settings”: [
“index.refresh_interval”
]
}

4

Can you send us the result of the endpoint ?

/_snapshot/elselkdev-snapshot/snapshot_june20/_status

Normally, you can restore snapshots in different cluster
Have you tried with admin certificates ?
Have you tried with another account with the right privileges, manage_snapshot something like that (read documentation) ?

Thi

5

{
“error” : {
“root_cause” : [
{
“type” : “snapshot_missing_exception”,
“reason” : “[onedev-elselkdev-snapshot:snapshot-june20] is missing”
}
],
“type” : “snapshot_missing_exception”,
“reason” : “[onedev-elselkdev-snapshot:snapshot-june20] is missing”
},
“status” : 404
}

The status end point returned the above output , showing snapshot is missing because , the snapshot is taken from elasticsearch cluster
FYI , both cluster are using same gcs bucket and snapshot repository

6

@ThibaudF I was performing all these with the admin user only .

7

The error is clear, your snapshot is missing.
Why it’s written onedev-elselkdev-snapshot and before it was elselkdev-snapshot for the snapshot repository ?

Can you give the output of

/_cat/snapshots/onedev-elselkdev-snapshot?v&s=end_epoch:desc;
/_cat/snapshots/elselkdev-snapshot?v&s=end_epoch:desc;
8

image
image1531×423 28.7 KB

This in the opensearch dashboards and let me paste you what it showed in the elasticsearch

The status of the snapshot in the elasticsearch is SUCCESS

{
“snapshots” : [
{
“snapshot” : “snapshot_june20”,
“repository” : “onedev-elselkdev-snapshot”,
“uuid” : “myD21F29Rw-nqHP1Sk6EVA”,
“state” : “SUCCESS”,
“include_global_state” : false,
“shards_stats” : {
“initializing” : 0,
“started” : 0,
“finalizing” : 0,
“done” : 1,
“failed” : 0,
“total” : 1
},
“stats” : {
“incremental” : {
“file_count” : 0,
“size_in_bytes” : 0
},
“total” : {
“file_count” : 18,
“size_in_bytes” : 10517474
},
“start_time_in_millis” : 1655814483079,
“time_in_millis” : 600
},
“indices” : {
“-archival-2022.06.13-000012” : {
“shards_stats” : {
“initializing” : 0,
“started” : 0,
“finalizing” : 0,
“done” : 1,
“failed” : 0,
“total” : 1
},
“stats” : {
“incremental” : {
“file_count” : 0,
“size_in_bytes” : 0
},
“total” : {
“file_count” : 18,
“size_in_bytes” : 10517474
},
“start_time_in_millis” : 1655814483075,
“time_in_millis” : 200
},
“shards” : {
“0” : {
“stage” : “DONE”,
“stats” : {
“incremental” : {
“file_count” : 0,
“size_in_bytes” : 0
},
“total” : {
“file_count” : 18,
“size_in_bytes” : 10517474
},
“start_time_in_millis” : 1655814483075,
“time_in_millis” : 200
}
}
}
}
}
}
]
}

id status start_epoch start_time end_epoch end_time duration indices successful_shards failed_shards total_shards
snapshot_june20 SUCCESS 1655720422 10:20:22 1655720425 10:20:25 2.4s 1 4 0 4

9

So which snapshot you want to restore ?
And which index ?

Seems like your snapshots only have 1 index.
And no snapshot with archive listed here

10

archieve is the index name @ThibaudF , and snapshot_june20 is the snapshot name that i am using

“snapshot” : “snapshot_june20”,
“repository” : “onedev-elselkdev-snapshot”,
“indices” : {
“-archival-2022.06.13-000012”

11

The snapshot_june20 doesn’t appear in the list above.
You can’t restore an index that doesn’t exist in the snapshots repository.

You need to have the snapshots repository in common for both of your clusters.
Elasticsearch + OpenSearch

12

I understand that is not appearing in the list , that is what the problem that opensearch is not able to show the snapshots which are taken from opensearch cluster .

13

Ok sorry I misunderstood.
Well, maybe you can give us the output when you try to do a snapshot and when you list from both clusters.

If it can’t get the snapshots, then I can’t help you, I thought it’s the normal behaviour (I will need it soon for my upgrade :slight_smile: )

Hope OpenSearch Team can answer you

Thi

14

I see the snapshots which are taken in elasticsearch cluster in the gcs bucket also , But i am not able to get those in the opensearch cluster