Details
-
Bug
-
Resolution: Fixed
-
Major
-
7.6.2
-
0
Description
The documentation mentions that for --enable-users, you need "cluster.admin.security". It is actually much more complicated than that, so the docs should explain/summarise the below precise behaviour:
In addition, the specific users that get backed up depends on the roles of the user used to perform the backup (in addition to the actual Backup role being required):
- If the user has Full Admin, then all users will be included in the backup
- If the user has Local User Security Admin then local users will be included in the backup.
- If the user has External User Security Admin then external users will be included in the backup.
- If the user has Read-Only Admin then all users will be included in the backup
When performing a restore, the user will only be allowed to restore users if it has permission to create those same users. This means the following:
- For Full Admin, restoring users will always be permitted
- For Local User Security Admin, restoring users from a backup containing only local users is permitted
- For External User Security Admin, restoring users from a backup containing only external users is permitted
- For Read-Only Admin, restoring users is not permitted.
The middle two roles can be combined, which would give a user that can backup non-admin users and restore backups containing only non-admin users.
All of the above is assuming that the user has whatever other permissions are required to perform the rest of the backup/restore (without --enable-users).
Attachments
Issue Links
- relates to
-
MB-62313 Investigate inconsistent behaviour of user backups
- Closed