How to bulk migrate users and roles with native realms authentication

I'm looking for advice on how to migrate users (if possible, including passwords) and roles from an old cluster to a new cluster (Elasticsearch v8.x).

I wanna perform this with Kibana DevTools.

I populate users and roles from the old cluster with:

GET /_security/role/
GET /_security/user/

I tried to insert on the new cluster without success:

POST /_security/role
{
{
  "user1" : {
    "username" : "user1",
    "roles" : [
      "superuser"
    ]
  },
  "user2" : {
    "username" : "user2",
    "roles" : [
      "kibana_system"
    ]
  },
  "user3" : {
    "username" : "user3",
    "roles" : [
      "kibana_system"
    ],
  "user4" : {
    "username" : "user4",
    "roles" : [
      "kibana_system"
    ],
...
}

Is there a way to bulk insert a list of users?

There is not an API for bulk creation of users or roles.

We've looked at it, but decided it doesn't really help, for a few reasons:

  • It's not needed for performance (see below)
  • Bulk APIs have tricky semantics around reporting success/failure
  • Having multiple APIs for the same end result can be confusing.

What you need to do is split the response up per-role and send that to the PUT /_security/role API.
You can improve performance by passing refresh=false as an HTTP parameter. Without that, ES Security will force each user/role to be refreshed individually, which is unnecessary if you're trying to load a bunch of them.

Note: We don't have a simple way to migrate passwords for users. You can do it by directly querying the .security index to get the password hash, but I'd recommend that the simplest path is for you to give each user a new password and then ask them to change it afterwards.

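The per-role split described in the answer, as an added example (not part of the original thread and not Elastic's code): it turns saved GET /_security/role and GET /_security/user responses into one Dev Tools PUT request per custom role and user, with refresh=false and a new temporary password per user. The function names, the sample responses, and the choices to skip entries marked metadata._reserved and to drop transient_metadata are assumptions of this example.

```python
import json
import secrets
from urllib.parse import quote

USER_FIELDS = ("roles", "full_name", "email", "metadata", "enabled")

def _reserved(entry):
    # Built-in roles and users carry metadata._reserved and are skipped.
    return bool((entry.get("metadata") or {}).get("_reserved"))

def _request(kind, name, body):
    # One Dev Tools console request; refresh=false as the answer recommends.
    path = f"/_security/{kind}/{quote(name, safe='')}?refresh=false"
    return f"PUT {path}\n{json.dumps(body, indent=2)}"

def role_requests(get_role_response):
    """Split a GET /_security/role response into one PUT per custom role."""
    out = []
    for name, role in sorted(get_role_response.items()):
        if _reserved(role):
            continue
        # transient_metadata is reported by the cluster; this example drops it.
        body = {k: v for k, v in role.items() if k != "transient_metadata"}
        out.append(_request("role", name, body))
    return out

def user_requests(get_user_response, new_password=lambda: secrets.token_urlsafe(18)):
    """One PUT per custom user, each with a fresh temporary password."""
    out = []
    for name, user in sorted(get_user_response.items()):
        if _reserved(user):
            continue
        body = {k: user[k] for k in USER_FIELDS if user.get(k) is not None}
        body["password"] = new_password()  # hashes are not in the GET output
        out.append(_request("user", name, body))
    return out

# Constructed sample responses (not taken from a real cluster).
SAMPLE_ROLES = {
    "superuser": {"cluster": ["all"], "metadata": {"_reserved": True}},
    "logs_reader": {"cluster": [], "indices": [{"names": ["logs-*"], "privileges": ["read"]}],
                    "metadata": {}, "transient_metadata": {"enabled": True}},
}
SAMPLE_USERS = {
    "elastic": {"username": "elastic", "roles": ["superuser"], "metadata": {"_reserved": True}},
    "user1": {"username": "user1", "roles": ["superuser"], "metadata": {}, "enabled": True},
}

if __name__ == "__main__":
    print("\n\n".join(role_requests(SAMPLE_ROLES) + user_requests(SAMPLE_USERS)))
```

The printed requests can be pasted into Kibana Dev Tools on the new cluster; the generated passwords appear in that output, so treat it as a secret until each user has changed theirs.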
