[DOC] Backup & Restore Security Configuration #42970

albertzaharovits · 2019-06-06T23:52:35Z

Documents how to backup and restore the configuration for security features.

This started of as documenting "Backup .security" but escalated fast, because it required explaining the relation with all the other configurations (eg which one goes first) . Documenting just the configuration part from the .security index would have raised more questions than answers, IMO.

elasticmachine · 2019-06-06T23:52:37Z

Pinging @elastic/es-security

x-pack/docs/en/security/backup-security-configuration.asciidoc

lcawl · 2019-06-12T21:30:16Z

I'm tempted to move this up a level e.g. as a peer to the "Configuring security" section, so that we can break this into multiple pages. Do you have a strong preference for keeping it all on one long page?

x-pack/docs/en/security/backup-security-configuration.asciidoc

lcawl · 2019-06-12T22:22:02Z

x-pack/docs/en/security/backup-security-configuration.asciidoc

+ '
+--------------------------------------------------
+
+NOTE: Restoring the global state is optional, but it will help make sure the


There is information missing here after "the"

lcawl · 2019-06-12T22:22:59Z

x-pack/docs/en/security/backup-security-configuration.asciidoc

+--
+
+. Cherry-pick and
+<<cluster-update-settings,apply the persistent secure settings>> from earlier.


I think this step needs more information since it wasn't clear to me what "earlier" was referring to or what exact steps I needed to perform here.

Co-Authored-By: Lisa Cawley <[email protected]>

albertzaharovits · 2019-07-09T22:47:26Z

@lcawl I have skipped a test that added a user because the fixture was complaining that security must be explicitly enabled for a trial license.
In addition, I have merged backup-security-config.asciidoc and restore-security-config.asciidoc in a single file because //TEST [continued] does not work across files. I believe it's better to have them separated but I don't know how to do that (without duplicating test setups in the second file). Lastly, I have added NOTCONSOLE to some curl cmds that should be run from the local shell.

albertzaharovits · 2019-07-10T11:27:36Z

@lcawl This commit does not apply cleanly to 6.8, yet the technical bits (the snapshot_user role) would work in 6.8 .
I know this is part of a bigger docs overhauling, do you think it is worthy/feasible a backport to 6.8 ? Security conf backups don't work across major versions, so the benefits of a backup in 6.8 are less important.

This commit documents the backup and restore of a cluster's security configuration. It is not possible to only backup (or only restore) security configuration, independent to the rest of the cluster's conf, so this describes how a full configuration backup&restore will include security as well. Moreover, it explains how part of the security conf data resides on the special .security index and how to backup that using regular data snapshot API. Co-Authored-By: Lisa Cawley <[email protected]> Co-Authored-By: Tim Vernum <[email protected]>

lcawl · 2019-07-11T05:18:27Z

At this time, that Administering Elasticsearch section only exists in 7.3 and later branches so if there's not a strong motivation for making it work there, I think we should refrain from backporting to that branch.

albertzaharovits · 2019-07-11T17:04:29Z

@tvernum this has been merged to 7.3, 7.x and master .
But we did a mistake to not document at the time we had parts of the feature ready. In this case, snapshot_user role exists since 6.7 and tokens were moved to a dedicated index since 7.2 .
I think "Administering Elasticsearch" doc section should be backported to 7.0 (It is prob of little value to backport to 6.8 since security restores don't work across major versions). I chatted with @lcawl about the possibility to backport the doc restructuring to 7.0 and there was no opposition.

So, do you think we should backport this doc section to all 7.x versions?

This commit documents the backup and restore of a cluster's security configuration. It is not possible to only backup (or only restore) security configuration, independent to the rest of the cluster's conf, so this describes how a full configuration backup&restore will include security as well. Moreover, it explains how part of the security conf data resides on the special .security index and how to backup that using regular data snapshot API. Co-Authored-By: Lisa Cawley <[email protected]> Co-Authored-By: Tim Vernum <[email protected]>

albertzaharovits · 2019-07-16T13:13:43Z

Backported to 7.0, 7.1 and 7.2.

This reverts commit 6c8a01c.

This reverts commit 36a758d.

This reverts commit 69e7d99.

…c#42970)"" This reverts commit bbccf7e.

This commit documents the backup and restore of a cluster's security configuration. It is not possible to only backup (or only restore) security configuration, independent to the rest of the cluster's conf, so this describes how a full configuration backup&restore will include security as well. Moreover, it explains how part of the security conf data resides on the special .security index and how to backup that using regular data snapshot API. Co-Authored-By: Lisa Cawley <[email protected]> Co-Authored-By: Tim Vernum <[email protected]>

albertzaharovits · 2019-07-18T16:24:36Z

Backports to 7.0 and 7.1 have been reverted. We've discussed this in our weekly meeting. There is nothing in this PR that would justify it be an exception to our usual backporting strategy. Moreover, before 7.2, there were security tokens stored in the .security index, so the wording in the docs would not be 100% accurate.

albertzaharovits added 3 commits June 6, 2019 19:44

Sketchy

87cea12

Show

f0f32a3

Show

72a8992

albertzaharovits added >docs General docs changes :Security/Security Security issues without another label v8.0.0 v7.2.0 v7.3.0 v6.8.1 labels Jun 6, 2019

albertzaharovits requested review from lcawl and tvernum June 6, 2019 23:52

albertzaharovits self-assigned this Jun 6, 2019

tlrx reviewed Jun 10, 2019

View reviewed changes