'create' vs. 'create_doc' privilege for beats_system

On my Elasticsearch 7.x cluster, the beats_system role has the index privileges create_index and create.

According to Security privileges | Elasticsearch Guide [7.17] | Elastic, roles with the the index create privilege may:

index documents, allowing overwriting any existing document, but not permitting updating one.

According to that same document, the index create_doc privilege does NOT allow for overwriting:

Privilege to index new documents, without allowing overwriting or updating existing ones.

According to Grant privileges and roles needed for monitoring | Filebeat Reference [7.17] | Elastic, a user-made role (as an alternative to using the built-in beats_system role) should have the index create_index and create_doc privileges.

Questions:

• Why does the built-in beats_system role have the index create privilege instead of the index create_doc privilege?
• How could I replace the index create privilege with the index create_doc privilege for the beats_system role? I am unable to update it because it's built in.

• Why does the built-in beats_system role have the index create privilege instead of the index create_doc privilege?

Because beats_system came before we had the create_doc. Because of backward compatibility, it is not simpel to change it to use create_doc afterwards.

• How could I replace the index create privilege with the index create_doc privilege for the beats_system role? I am unable to update it because it's built in.

You cannot. You'll want to create and use your own role.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.