I currently use Elasticsearch OSS + Searchguard (for securing the ELK stack).
I intend to upgrade my cluster to Opendistro in order to use the features available here.
We already have certain security configurations in place, like users, roles etc., created and stored in the searchguard index.
Is there a way I can migrate this data to opendistro_security index without having to re-create the users?
A potential way I see is:
1. Back up the contents of the searchguard index as yaml files before the upgrade.
2. Use the same yaml files to run securityadmin.sh in Opendistro after the upgrade.

But the problem I see with this approach is:
The names of static (built-in) roles and action groups differ in searchguard and opendistro_security.
For example, Opendistro:
```yaml
all_access:
  reserved: true
  hidden: false
  static: true
  description: "Allow full access to all indices and all cluster APIs"
  cluster_permissions:
  - "*"
  index_permissions:
  - index_patterns:
    - "*"
    allowed_action
```
```yaml
SGS_ALL_ACCESS:
  reserved: true
  hidden: false
  static: true
  description: "Allow full access to all indices and all cluster APIs"
  cluster_permissions:
  - "*"
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - "*"
```
In my configurations stored in the searchguard index, in sg_roles_mapping_yml, we are mapping certain users to existing static SG roles. For example:
```yaml
_sg_meta:
  type: "rolesmapping"
  config_version: 2
SGS_ALL_ACCESS:
  reserved: true
  hidden: false
  backend_roles:
  - "admin"
  users:
  - "admin"
```
If I use such yamls from searchguard and run securityadmin.sh in Opendistro, it won’t work as expected, as Opendistro does not identify a static role by this name.
Is there a way to resolve this and migrate to opendistro without having to rewrite all security configurations? Any pointers would be appreciated.
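
The rename step discussed in the post, sketched as an added example that is not part of the original post and not code from either project. It rewrites only the top-level keys of a backed-up roles-mapping file and reports any `SGS_`-prefixed role that has no entry in the table, so a mapping cannot silently point at a role that does not exist after migration. Assumptions: only the `SGS_ALL_ACCESS` to `all_access` pair comes from the post, the `_sg_meta` to `_meta` rename is assumed, and `SGS_PLACEHOLDER_ROLE`, `my_custom_role` and `alice` are constructed sample values.

```python
import re

# Search Guard static role -> Open Distro static role. Only this pair comes from
# the post; extend the table after comparing both products' static role lists.
STATIC_ROLE_MAP = {"SGS_ALL_ACCESS": "all_access"}
# Assumption: Open Distro names the metadata block "_meta" instead of "_sg_meta".
META_KEY_MAP = {"_sg_meta": "_meta"}

# A top-level YAML key: starts in column 0, optional quotes, nothing after the colon.
TOP_LEVEL_KEY = re.compile(r"""^(["']?)([A-Za-z0-9_.-]+)\1:\s*(#.*)?$""")

# Constructed sample: the mapping from the post plus two made-up entries.
SAMPLE = """\
_sg_meta:
  type: "rolesmapping"
  config_version: 2
SGS_ALL_ACCESS:
  reserved: true
  hidden: false
  backend_roles:
  - "admin"
  users:
  - "admin"
SGS_PLACEHOLDER_ROLE:
  users:
  - "SGS_ALL_ACCESS"
my_custom_role:
  users:
  - "alice"
"""

def convert_roles_mapping(text, role_map=STATIC_ROLE_MAP):
    """Rename top-level keys only; return (converted_text, unmapped_static_roles)."""
    out, unmapped = [], []
    for line in text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m:
            name = m.group(2)
            new = META_KEY_MAP.get(name) or role_map.get(name)
            if new:
                line = line.replace(name, new, 1)
            elif name.startswith("SGS_"):
                unmapped.append(name)  # would not resolve to a static role after migration
        out.append(line)
    return "\n".join(out) + "\n", unmapped

if __name__ == "__main__":
    converted, unmapped = convert_roles_mapping(SAMPLE)
    print(converted)
    if unmapped:
        raise SystemExit(f"unmapped Search Guard static roles: {unmapped}")
```

Nested values are left alone on purpose, so a user or backend role that happens to be named like a static role is not renamed.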