Convert users + roles from Shield 2.1 format to X-Pack Security

Using Shield 2.1, and looking to migrate to ES 5.4. I've seen information that Shield 2.3 users/roles will be automatically upgraded to X-Pack Security, but upgrading to 2.3 isn't a practical option. Any ideas on migrating users + roles from ES 2.1 + Shield to ES 5.4 + X-Pack Security would be helpful. The number of users and roles is manageable so a manual operation is possible, but I don't have documentation on how. Thanks

We don't officially support migration of users from 2.1 directly to 5.4.

We have a migration tool to convert file based users to native, but it is only supported for migrating to 2.x not directly to 5.x.

When migrating from Shield 2.x, the migrate tool should be run prior to upgrading to ensure all roles can be migrated as some may be in a deprecated format that X-Pack cannot read. The migrate tool is available in Shield 2.4.0 and higher.

You can obviously try it, and it may well work, but it also might not.

If you really can't upgrade to 2.3 or 2.4 then you might be able to get away with doing this on a small "migration" cluster (that can be a single node on your PC)

This is totally unsupported and untested, but it should work as a starting point:

  • Create a "migration" cluster running the same version as your prod cluster.
  • Copy the shield users and roles files from your prod cluster to your migration cluster
  • Check that the users and roles are correct (that is, you can login)
  • Upgrade your migration cluster to 2.4
  • Run the 2.4 user/role migration tool on the migration cluster
  • Check that the users and roles are correct (that is, you can login)
  • Upgrade your migration cluster to 5.4 (*)
  • Check that the users and roles are correct (that is, you can login)
  • At this point, you're ready to migrate those users and roles from your migration cluster to your production cluster. There's a few ways you can do that, but the safest is to use the user and role management APIs to extract your users and roles in the 5.x JSON format.
  • You need to manipulate that JSON in a couple of ways, but it's something that can be automated (e.g. you may need to remove the transient_metadata object from the role definitions).
  • This won't migrate the users' passwords. If you're happy resetting everyone's password, then that is the simplest path.

(*) There are some features coming in 5.5 that should make the migration from 2.4 a bit more robust, so I would suggest you wait for 5.5 before doing this.
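The JSON manipulation described in the last steps above, as an added example that is not part of the original thread: it turns the role and user exports from the migration cluster into request bodies for the production cluster, dropping `transient_metadata` and issuing a one-time password per user. Assumptions: the 5.x endpoints `/_xpack/security/role` and `/_xpack/security/user`, a `_reserved` metadata flag on built-in entries, the `USER_FIELDS` list, and the constructed sample exports.

```python
import json
import secrets

# Constructed samples of GET /_xpack/security/role and GET /_xpack/security/user
# output from the 5.x migration cluster (not real exports).
ROLES_EXPORT = json.loads("""{
  "logs_reader": {"cluster": [], "indices": [{"names": ["logs-*"], "privileges": ["read"]}],
                  "run_as": [], "metadata": {}, "transient_metadata": {"enabled": true}},
  "superuser": {"cluster": ["all"], "indices": [{"names": ["*"], "privileges": ["all"]}],
                "run_as": ["*"], "metadata": {"_reserved": true},
                "transient_metadata": {"enabled": true}}
}""")
USERS_EXPORT = json.loads("""{
  "jdoe": {"username": "jdoe", "roles": ["logs_reader"], "full_name": "J Doe",
           "email": null, "metadata": {}, "enabled": true},
  "elastic": {"username": "elastic", "roles": ["superuser"], "full_name": null,
              "email": null, "metadata": {"_reserved": true}, "enabled": true}
}""")

USER_FIELDS = ("roles", "full_name", "email", "metadata")  # assumed accepted by PUT user


def is_reserved(definition):
    # Assumption: built-in entries carry metadata._reserved and already exist on the target.
    return bool((definition.get("metadata") or {}).get("_reserved"))


def build_requests(roles, users):
    """Return (requests, temp_passwords); each request is (method, path, body)."""
    requests, temp_passwords = [], {}
    for name, role in sorted(roles.items()):  # roles first, so users can reference them
        if is_reserved(role):
            continue
        body = {k: v for k, v in role.items() if k != "transient_metadata"}
        requests.append(("PUT", "/_xpack/security/role/" + name, body))
    for name, user in sorted(users.items()):
        if is_reserved(user):
            continue
        body = {k: user[k] for k in USER_FIELDS if user.get(k) is not None}
        # Password hashes are not exported: issue a one-time password to be reset.
        temp_passwords[name] = body["password"] = secrets.token_urlsafe(18)
        requests.append(("PUT", "/_xpack/security/user/" + name, body))
    return requests, temp_passwords


if __name__ == "__main__":
    for method, path, body in build_requests(ROLES_EXPORT, USERS_EXPORT)[0]:
        print(method, path, sorted(body))  # field names only, never the password
```

Send the resulting bodies to the production cluster over TLS, hand out the temporary passwords through a separate channel, and have each user change theirs at first login.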
