Acc to https://opendistro.github.io/for-elasticsearch-docs/docs/elasticsearch/snapshot-restore/#take-snapshots, if one needs to restore .opendistro_security index from a snapshot, we must include an admin certificate in the request to elasticsearch REST API. Ex:
curl -k --cert chain.pem --key kirk.key.pem -XPOST 'https://localhost:9200/_snapshot/my-repository/3/_restore?pretty'
opendistro_security.ssl.http.enabled is disabled, TLS is disabled on the REST layer. Only when TLS client authentication is enabled, REST clients can send a TLS certificate with the HTTP request to provide identity information to the security plugin.
My use-case: I use elasticsearch in k8s environment with istio mtls enabled. With that, as pod-to-pod mtls would be handled by istio, tls on REST layer for elasticsearch has been disabled. With this, I can connect to the REST api with user credentials on http (like http://localhost:9200 -u < uname>:< pwd>), but I cannot use certificate-based authentication.
Now, lets say, we want to periodically backup all data in ES (including security configurations, roles, users etc) using elasticsearch snapshots and restore from it in case of disaster recovery. In the current situation, I can only restore other indices while there would be data loss as opendistro_security index cannot be restored.
Is there a way to mitigate this issue? Can an admin user in internal_users.yml (having unlimited permissions like " all_access") be used to restore .opendistro_security index instead of admin-certificates?
Any pointers would be appreciated.