Action [indices:admin/create] is unauthorized for user

brunoflament · September 27, 2023, 1:33pm

Hi,
I try to create a index but i have this error :

PUT toto-1 ( curl -k -u "logstash:password" -X PUT "https://localhost:9200/toto-1)
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/create] is unauthorized for user [logstash] with effective roles [eck_logstash_user_role] on indices [toto-1], this action is granted by the index privileges [create_index,manage,all]"}],"type":"security_exception","reason":"action [indices:admin/create] is unauthorized for user [logstash] with effective roles [eck_logstash_user_role] on indices [toto-1], this action is granted by the index privileges [create_index,manage,all]"},"status":403}

GET _security/user/logstash

 "logstash" : {
    "username" : "logstash",
    "roles" : [
      "eck_logstash_user_role"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : { },
    "enabled" : true
  }
}

GET _security/role/eck_logstash_user_role

{
  "eck_logstash_user_role" : {
    "cluster" : [
      "all"
    ],
    "indices" : [
      {
        "names" : [
          "toto-*"
        ],
        "privileges" : [
          "all"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

Where is the problem ? Any help is greats (edited)

Regards
Bruno

stephenb · September 27, 2023, 11:21pm

Hi @brunoflament, Welcome to the community.

What Version?

What user were you logged in with when you created that role?

Ask just in case because a user can not create a role with more privileges than the user logged in.

the API will accept creating the role, but when executed, it will be the intersection of the roles (the user creating the role and the role created / used)

TimV · September 29, 2023, 6:49am

This is true for API keys, but not for users+roles. Users with manage_security can create a role that grants any access they wish, regardless of what access they themselves have.

TimV · September 29, 2023, 6:52am

Is is possible that there is a separate definition of that role stored in the roles.yml file in the configuration directory of the node?

If so, the file based role will take precedence.

You can check the user's effective privileges by calling:

curl -k -u "logstash" "https://localhost:9200/_security/user/_privileges"

If that doesn't match your eck_logstash_user_role then it probably means that the node is using a different role.

brunoflament · September 29, 2023, 8:09am

Hello !

Yes !!

{"cluster":["cluster:admin/ingest/pipeline/get","manage_ilm","manage_index_templates","manage_logstash_pipelines","monitor","read_ilm"],"global":[],"indices":[{"names":["ecs-logstash","ecs-logstash-*","logs-*","logstash","logstash-*","metrics-*","synthetics-*","traces-*"],"privileges":["create_index","manage","read","view_index_metadata","write"],"allow_restricted_indices":false}],"applications":[],"run_as":[]}

The solution is Configuration examples | Elastic Cloud on Kubernetes [2.9] | Elastic

Regards
Bruno Flament

stephenb · September 29, 2023, 12:59pm

Woah I did not realize that Today I Learned!

Thanks @TimV !

system · October 27, 2023, 1:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.