Elasticsearch version: 5.5.1
JVM version: 1.8.0_131
OS version: CentOS 7.3.1611
Description:
In order to run the _delete_by_query on an alias the user needs "delete" privileges to the actual index. I would expect that as long as the user has read/write rights to the alias they would be able to run a _delete_by_query. It is also confusing as the request will return a 200 OK as long as there isn't actually anything to delete. If it finds something to delete then it fails out with a 403 Forbidden. I'm assuming once it finds something to delete it is trying to issue the actual delete on the index instead of the alias.
I am specifically trying to do this with a filtered alias, but I have tested it with a non-filtered alias and the same results are seen.
Steps to reproduce:
- Create a new index
PUT testindex
- Add an alias
POST testindex/_alias/testalias
- Create role with read and write rights to alias
POST _xpack/security/role/testRole
{
  "indices": [
    {
      "names": [ "testalias" ],
      "privileges": [ "write", "read" ]
    }
  ]
}
- Create user with the role just created
POST _xpack/security/user/testUser
{
  "roles": [ "testRole" ],
  "password": "elastic"
}
- Run _delete_by_query on alias using new user (200 OK is returned)
POST testalias/_delete_by_query
{
  "query": {
    "match_all": {}
  }
}
- Add document to index
PUT testindex/testtype/1
{
  "name": "test"
}
- Rerun _delete_by_query on alias with same user (403 Forbidden returned)
Error Message:
{
  "index": "testindex",
  "type": "testtype",
  "id": "1",
  "cause": {
    "type": "security_exception",
    "reason": "action [indices:data/write/bulk[s]] is unauthorized for user [testUser]"
  },
  "status": 403
}
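
An added example, not part of the original report and not Elasticsearch code: a Python helper that reads a _delete_by_query response body and lists its security_exception failures, showing that the denial is reported against the concrete index rather than the alias named in the request. The function name is hypothetical, and the response wrapper, the failure for document 2 and the version-conflict entry are constructed sample data; only the failure for document 1 comes from the report.

```python
import json
import re
from collections import defaultdict

# Reason format as it appears in the error message quoted in the report.
REASON_RE = re.compile(
    r"action \[(?P<action>.+)\] is unauthorized for user \[(?P<user>[^\]]+)\]")

def denied_actions(response_body, requested_target):
    """Group security_exception failures by (index, action, user).

    requested_target is the name used in the request URL (here the alias).
    differs_from_request is True when the failure names another index,
    i.e. the check was made against the concrete index behind the alias.
    """
    grouped = defaultdict(list)
    for failure in json.loads(response_body).get("failures", []):
        cause = failure.get("cause", {})
        if cause.get("type") != "security_exception":
            continue  # e.g. version conflicts are not authorization problems
        m = REASON_RE.search(cause.get("reason", ""))
        action = m.group("action") if m else "unknown"
        user = m.group("user") if m else "unknown"
        grouped[(failure.get("index"), action, user)].append(failure.get("id"))
    return [{"index": idx, "action": action, "user": user, "doc_ids": ids,
             "differs_from_request": idx != requested_target}
            for (idx, action, user), ids in grouped.items()]

# Constructed sample response; the first failure is the one from the report.
DENIED = "action [indices:data/write/bulk[s]] is unauthorized for user [testUser]"
SAMPLE_RESPONSE = json.dumps({
    "took": 12, "timed_out": False, "deleted": 0,
    "failures": [
        {"index": "testindex", "type": "testtype", "id": "1", "status": 403,
         "cause": {"type": "security_exception", "reason": DENIED}},
        {"index": "testindex", "type": "testtype", "id": "2", "status": 403,
         "cause": {"type": "security_exception", "reason": DENIED}},
        {"index": "testindex", "type": "testtype", "id": "3", "status": 409,
         "cause": {"type": "version_conflict_engine_exception",
                   "reason": "constructed conflict"}},
    ],
})

if __name__ == "__main__":
    for entry in denied_actions(SAMPLE_RESPONSE, "testalias"):
        print(entry)
```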