Snapshot doesn't seem to work properly (ES 6.8.10 & RoR 1.20)


I’ve been using the free version of RoR on my ES cluster for a while now, and we just upgraded the cluster and the plugin to ES 6.8.10.
The security setting is really basic, just basic http auth for all actions + access to cluster:monitor/main for everyone. I don’t need more at the moment, and it used to work with ES 5.
Now, when I try to snapshot an index, ES/RoR seems to discard my indices list. I was having issues with my backup system so I tried a few tests:

curl -X PUT “localhost:9200/_snapshot/test-repo/test-snapshot?wait_for_completion=false&pretty” --user xxx:password -H ‘Content-Type: application/json’ -d’
“include_global_state”: false

When I request that, ES starts snapshoting my entire cluster instead of just the test index. The log seems to indicate that the json containing the indices information doesn’t seem to pass through RoR (it clearly says “indices:*”):

[2020-07-24T14:23:13,382][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [localhost] ALLOWED by { name: ‘full access if Basic HTTP auth’, policy: ALLOW, rules: [auth_key] req={ ID:817557308-1750811663#617, TYP:CreateSnapshotRequest, CGR:N/A, USR:xxxx, BRS:true, KDX:null, ACT:cluster:admin/snapshot/create, OA:, XFF:null, DA:, IDX:, MET:PUT, PTH:/_snapshot/test-repo/test-snapshot, CNT:<OMITTED, LENGTH=75.0 B> , HDR:Accept=/*, Authorization=, Content-Length=75, Content-Type=application/json, Host=localhost:9200, User-Agent=curl/7.58.0, HIS:[full access if Basic HTTP auth-> RULES:[auth_key->true], RESOLVED:[user=xxxx;indices=*;repositories=test-repo;snapshots=test-snapshot]] }

When I remove the RoR plugin the request works fine.

Is this a bug ? What am I doing wrong ?

@coutoPL is this related to GET _snapshot permission issue ?

maybe. I’ll check it during the linked task fixing

1 Like