Delete By Query Request Run on Alias needs Security Rights to Index

Elasticsearch version : 5.5.1

JVM version: 1.8.0_131

OS version : CentOS 7.3.1611

Description:

In order to run the _delete_by_query on an alias the user needs "delete" privileges to the actual index. I would expect that as long as the user has read/write rights to the alias they would be able to run a _delete_by_query. It is also confusing as the request will return a 200 OK as long as there isn't actually anything to delete. If it finds something to delete then it fails out with a 403 Forbidden. I'm assuming once it finds something to delete it is trying to issue the actual delete on the index instead of the alias.

I am specifically trying to do this with a filtered alias, but I have tested it with a non filtered alias and the same results are seen

Steps to reproduce:

  1. Create a new index PUT testindex
  2. Add an alias POST testindex/_alias/testalias
  3. Create role with read and write rights to alias
    POST _xpack/security/role/testRole { "indices": [ { "names": [ "testalias" ], "privileges": [ "write", "read" ] } ] }
  4. Create user with the role just created
    POST _xpack/security/user/testUser { "roles": [ "testRole" ], "password": "elastic" }
  5. Run _delete_by_query on alias using new user (200 OK is returned)
    POST testalias/_delete_by_query { "query":{ "match_all": {} } }
  6. Add document to index
    GET testindex/testtype/1 { "name": "test" }
  7. rerun _delete_by_query on Alias with same user (403 Forbidden Returned)

Error Message:

{ "index": "testindex", "type": "testtype", "id": "1", "cause": { "type": "security_exception", "reason": "action [indices:data/write/bulk[s]] is unauthorized for user [testUser]" }, "status": 403 }

Hmm - I agree that you should get the same result for empty and non-empty indices. I agree that for consistency's sake we should allow it if you have permissions on the alias. I don't particularly like it because it feels tricky but if we can manage to fix it in a safe way then we will.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.