Action [indices:data/write/bulk[s]] is unauthorized for API key id of user [ ]

kgeographer · September 3, 2022, 3:48pm

I have a 7.17 index I access routinely for reads and writes from a Django app with elasticsearch-py, performing snapshots to GCS, etc. This works fine with both the ES 7.17 on a Mac dev laptop against a copy of the prod index, and the Ubuntu prod server. All Python access uses an API_KEY and API_ID combo - one set on dev version and another on the prod server. I also use Kibana logged in with a superuser account.

All ES actions in the app work fine on both dev and prod, except this query, which fails on the prod server only (place_id is unique):

es.delete_by_query(
	"myindex",
	body={"query": {"terms": {"place_id": ["123456"]}}}
)

which returns this error (the user named has the superuser role, and the _id of the doc is 14192344):

elasticsearch7.exceptions.AuthorizationException: 
AuthorizationException(
	403, '
	{	"took":2,
		"timed_out":false,
		"total":1,
		"deleted":0,
		"batches":1,
		"version_conflicts":0,
		"noops":0,
		"retries":{"bulk":0,"search":0},
		"throttled_millis":0,
		"requests_per_second":-1.0,
		"throttled_until_millis":0,
		"failures":[
			{	"index": "myidx",
				"type":"_doc",
				"id":"14192344",
				"cause":{
					"type":"security_exception",
					"reason":
					"action [indices:data/write/bulk[s]] is unauthorized 
						for API key id [{api key id}] of user [{user}] 
						on indices [ myidx ], this action is granted by the index privileges 
						[create_doc,create,delete,index,write,all]"
				},
				"status":403
}]}')

The same query works fine in Kibana remotely, e.g.

POST /myindex/_delete_by_query
{
  "query": {
    "terms": {
      "place_id": ["123456"]
    }
  }
}

Thanks in advance for any suggestions. I've tried to find out what the active permissions are on prod, using the API ID and API KEY, can't find out how.

stephenb · September 3, 2022, 7:35pm

kgeographer:

"action [indices:data/write/bulk[s]] is unauthorized 
						for API key id [{api key id}] of user [{user}] 
						on indices [ myidx ], this action is granted by the index privileges 
						[create_doc,create,delete,index,write,all]

Looks to me the API Key does not grant delete which is separate from write privilege

That is because you are not logged in with that API keys so the privileges are different.

As far as I know (perhaps someone else knows otherwise) You can not access an API KEY's detailed privileges once created.

If you are using one of the "Publisher/Writer" role type API KEYs (from the docs) they usually do not have delete privileges

You can probably test this pretty simple... Get the _id of the document you are trying to delete and run a simple curl DELETE... with the API KEY it will probably reject it with the same error message.

kgeographer · September 25, 2022, 8:26am

Thanks for this. Did not realize a user's (API_KEY_ID, API_KEY_KEY) pair are not relevant for a call from Python. Created a new unrestricted API Key in Kibana, and now use that for certain privileged operations executed with Python.

Yang_Wang · September 26, 2022, 1:59am

This will be possible in 8.5.

system · October 24, 2022, 1:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
"action [indices:data/write/index]" is unauthorized for user: UserName Elasticsearch	1	862	May 22, 2019
Action [indices:admin/create] is unauthorized for user Elasticsearch elastic-stack-security	3	14446	May 27, 2022
To solve an error Kibana elastic-stack-security , elastic-stack-alerting	2	133	March 14, 2024
'search_phase_execution_exception', 'action [indices:data/read/search[phase/query]] is unauthorized for user Elasticsearch elastic-stack-security	2	1124	May 10, 2021
SOLVED: Logstash issue with shield - "action [indices:data/write/bulk] is unauthorized for user [logstash]" Logstash elastic-stack-security	15	13615	July 6, 2017

Action [indices:data/write/bulk[s]] is unauthorized for API key id of user [ ]

Related Topics