Can't delete an index with "elastic" user

Elastic Orchestration Elastic Cloud Enterprise (ECE)
1

Hi,
I have a new cluster in ECE and I migrated data there from an old cluster using a snapshot. However, restoring the snapshot went wrong and I had to do it again, therefore I wanted to delete all restored indices in the ECE cluster, bud I failed to delete an index called ".security-6". Other indices were deleted successfully.

Delete request:
curl -X DELETE -ks https://elastic:OtpwruDWmZKLKnRvV8nRG5rW@localhost:18368/.security-6

Error response:

{  
   "error":{  
      "root_cause":[  
         {  
            "type":"security_exception",
            "reason":"action [indices:admin/delete] is unauthorized for user [elastic]"
         }
      ],
      "type":"security_exception",
      "reason":"action [indices:admin/delete] is unauthorized for user [elastic]"
   },
   "status":403
}

Is there a way to delete the index? The problem with it is that I can't re-run the snapshot restore as long as the index exists. Renaming pattern might help, but I would expect that "elastic" user has permissions to perform any cluster actions, including deletion of these "system" indices.

Thanks for any ideas.

2

Hi,
did you try using different users? Maybe a different CURL command like:
curl -XDELETE --user username:password ...

Good Luck!

3

Well, there's no other user available, "elastic" user is generated by ECE when a cluster is created, thus I'd expect it to be superuser. Maybe I'm wrong.

4

If I remember correctly you have the elastic user for kibana but a root user for the ECE Cloud UI. Maybe that user could do more? I can't try it because I no longer have my ECE Instance.

Good Luck!

5

Well, this is an interesting idea. I tried to send a delete request with ECE admin and password, but it didn't work either.

I also tried running the query from API console in my deployment in ECE UI and I got new error:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [indices:admin/delete] is unauthorized for user [found-internal-admin-proxy]"
      }
    ],
    "type": "security_exception",
    "reason": "action [indices:admin/delete] is unauthorized for user [found-internal-admin-proxy]"
  },
  "status": 403
}

I think what I really need is to enable Kibana in my deployment and create a superuser manually for my cluster there.

6

Well, maybe it is also interesting to know what the .security-6 Index is used for and what happens if it is deleted. Look through the sourcecode of elasticsearch here on GitHUB:

It looks to me like user authentication data is written and read from here. Maybe it can not be deleted because otherwise no further access to the cluster might be possible?!?!

Definitely Good Luck here !

7

What version of ECE is this?

Earlier versions did not grant the superuser role to elastic, but newer versions do. You can check by looking in the "Cluster Data" section of the Advanced Cluster editor - internal users' roles are listed (and can be changed) there.

The other workaround is simply to create a new user via Kibana (or the ES API) and grant that user superuser roles

Alex

1 Like
8

Thanks, Alex - superuser role was indeed missing in the advanced config for the elastic user and adding it fixed my issue. I didn't realize I can edit such things in the advanced config. Thanks for pointing me in the right direction.

I've been currently using ECE 2.0.0, but I will upgrade to 2.1 soon.

Ondrej

9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.