Hi there,
I’ve set up an Elasticsearch cluster using Docker Compose with 3 Elasticsearch nodes and 1 Kibana — so a total of 4 Docker containers.
I’m currently working on testing backup and restore functionality.
First, I configured snapshot settings via the Kibana Console so that snapshots are stored in an S3 bucket. I verified that restoring custom-created indices from a snapshot works fine.
What I’d like to test next is a worst-case scenario: imagine the only thing left is the snapshot in the S3 bucket, and I want to set up the entire Docker environment from scratch and restore everything.
I ran a test, and while the indices restore correctly, the previously created users, roles, and the snapshot repository settings were missing (which makes sense).
Could you advise how I can also restore users, roles, and the registered snapshot repositories (i.e., the ones configured in advance) from the snapshot?
Thanks in advance for your help!
Great test! Simulating a full disaster scenario is honestly one of the best ways to find gaps in the setup.
About your question — users, roles, and snapshot repository settings aren’t restored by default because they’re part of the cluster’s global state, not just the index data. To bring those back, you need to make sure the snapshot includes that global state.
One important detail: the snapshot repository itself needs to be manually recreated first, otherwise Elasticsearch won’t know where to find the snapshots.
Once that’s in place, you can restore everything — users, roles, and all. Happy to help walk through the exact steps if needed!
Thank you for your response.
Let me summarize what I’ve understood from your explanation.
Please correct me if I misunderstood anything.
My Understanding:
- When creating a snapshot, set 'Include global state: Yes'.
- I need to manually recreate the snapshot repository, pointing it to the same S3 bucket.
- Once the snapshot repository is recreated, I should restore the snapshot with global state included.
My Test Steps:
- Created a user and role named test2025.
- Created a snapshot with 'Include global state: Yes'
- Deleted the test2025 user and role from the original cluster.
- Restored the snapshot, selecting only the my-test-index for restoration, and included the global state.
- Result: The test2025 user and role were not restored.
Notes:
During restore, I did not restore the following indices.
I didn't recover them at first because I wasn't sure whether they were indices that needed to be recovered.
.kibana-event-log-ds
.logs-deprecation.elasticsearch-default
.slm-history-7
ilm-history-7
.apm-source-map
.internal.alerts-default.alerts-default-000001
.internal.alerts-ml.anomaly-detection-health.alerts-default-000001
.internal.alerts-ml.anomaly-detection.alerts-default-000001
.internal.alerts-observability.apm.alerts-default-000001
.internal.alerts-observability.logs.alerts-default-000001
.internal.alerts-observability.metrics.alerts-default-000001
.internal.alerts-observability.slo.alerts-default-000001
...
...
Could you please provide a clear set of steps or methods to fully restore all user and role data?
Thank you in advance!
Thanks for the detailed summary — you’ve understood it really well!
What likely caused the issue is step 4: restoring only the my-test-index. Even with global state included, the .security-* indices (where users and roles are stored) weren’t part of that restore — and that’s why the test2025 user and role didn’t come back.
To fully bring back users and roles, you’ll need to include the .security-* indices in addition to enabling global state during the restore. It’s a bit counterintuitive, but both are required: global state brings back cluster settings and things like role mappings, but the actual user/role data lives in those system indices.
If you restore from a snapshot that contains .security-* and check that global state is included, everything should be back.
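The two conditions described in this thread can be checked before a restore is started. The following is an added example, not code from the thread or from Elastic: it audits a snapshot's metadata and a planned restore selection for the gaps discussed above. The sample snapshot record, the function names and the simplified wildcard matching are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Pattern the thread names as the home of users and roles.
SECURITY_PATTERN = ".security-*"

# Constructed sample, shaped like one snapshot entry returned by
# GET _snapshot/<repository>/<snapshot>. Names and values are made up.
SAMPLE_SNAPSHOT = {
    "snapshot": "example-snapshot",
    "state": "SUCCESS",
    "include_global_state": True,
    "indices": ["my-test-index", ".security-7", ".kibana-event-log-ds"],
}


def expand(snapshot_indices, patterns):
    """Indices in the snapshot matched by the restore selection.
    Simplified glob matching; Elasticsearch's own wildcard rules may differ."""
    return [n for n in snapshot_indices
            if any(fnmatchcase(n, p) for p in patterns)]


def audit_restore(snapshot, restore_patterns, restore_global_state):
    """Return the reasons a planned restore would leave users and roles behind."""
    problems = []
    indices = snapshot.get("indices", [])
    if snapshot.get("state") != "SUCCESS":
        problems.append("snapshot state is %s" % snapshot.get("state"))
    if not snapshot.get("include_global_state"):
        problems.append("snapshot was taken without global state")
    captured = expand(indices, [SECURITY_PATTERN])
    if not captured:
        problems.append("snapshot holds no .security-* index")
    if not restore_global_state:
        problems.append("restore does not include global state")
    restoring = expand(indices, restore_patterns)
    omitted = [n for n in captured if n not in restoring]
    if omitted:
        problems.append("restore selection omits " + ", ".join(omitted))
    return problems


if __name__ == "__main__":
    # The selection from the test in the thread: one index plus global state.
    print(audit_restore(SAMPLE_SNAPSHOT, ["my-test-index"], True))
    # Selection that also names the security indices.
    print(audit_restore(SAMPLE_SNAPSHOT, ["my-test-index", ".security-*"], True))
```

An empty list means the planned restore meets both conditions named in the thread; it does not replace a test restore into a scratch cluster.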