Action [indices:data/write/bulk[s]] is unauthorized for API key id of user [ ]

I have a 7.17 index I access routinely for reads and writes from a Django app with elasticsearch-py, performing snapshots to GCS, etc. This works fine with both the ES 7.17 on a Mac dev laptop against a copy of the prod index, and the Ubuntu prod server. All Python access uses an API_KEY and API_ID combo - one set on dev version and another on the prod server. I also use Kibana logged in with a superuser account.

All ES actions in the app work fine on both dev and prod, except this query, which fails on the prod server only (place_id is unique):

es.delete_by_query(
	"myindex",
	body={"query": {"terms": {"place_id": ["123456"]}}}
)

which returns this error (the user named has the superuser role, and the _id of the doc is 14192344):

elasticsearch7.exceptions.AuthorizationException: 
AuthorizationException(
	403, '
	{	"took":2,
		"timed_out":false,
		"total":1,
		"deleted":0,
		"batches":1,
		"version_conflicts":0,
		"noops":0,
		"retries":{"bulk":0,"search":0},
		"throttled_millis":0,
		"requests_per_second":-1.0,
		"throttled_until_millis":0,
		"failures":[
			{	"index": "myidx",
				"type":"_doc",
				"id":"14192344",
				"cause":{
					"type":"security_exception",
					"reason":
					"action [indices:data/write/bulk[s]] is unauthorized 
						for API key id [{api key id}] of user [{user}] 
						on indices [ myidx ], this action is granted by the index privileges 
						[create_doc,create,delete,index,write,all]"
				},
				"status":403
}]}')

The same query works fine in Kibana remotely, e.g.

POST /myindex/_delete_by_query
{
  "query": {
    "terms": {
      "place_id": ["123456"]
    }
  }
}

Thanks in advance for any suggestions. I've tried to find out what the active permissions are on prod, using the API ID and API KEY, can't find out how.

Looks to me the API Key does not grant delete which is separate from write privilege

That is because you are not logged in with that API keys so the privileges are different.

As far as I know (perhaps someone else knows otherwise) You can not access an API KEY's detailed privileges once created.

If you are using one of the "Publisher/Writer" role type API KEYs (from the docs) they usually do not have delete privileges

You can probably test this pretty simple... Get the _id of the document you are trying to delete and run a simple curl DELETE... with the API KEY it will probably reject it with the same error message.

1 Like

Thanks for this. Did not realize a user's (API_KEY_ID, API_KEY_KEY) pair are not relevant for a call from Python. Created a new unrestricted API Key in Kibana, and now use that for certain privileged operations executed with Python.

This will be possible in 8.5.

1 Like