Hi there. I've noticed a bunch of messages in my deprecation logs that go like this:
Role [some-dept] contains index privileges covering the [some-dept-alias] alias but which do not cover some of the indices that it points to [logstash_sysadmins-2021.08.14-000058]. Granting privileges over an alias and hence granting privileges over all the indices that the alias points to is deprecated and will be removed in a future version of Elasticsearch. Instead define permissions exclusively on index names or index name patterns.
The issue I see here is that I'm using filtered aliases to allow users of some-dept to read the logstash_sysadmin* indices, but restricted to only the data from their own systems, while allowing the sysadmin role to read the entire index. I don't see any other way to do this, and modifying the role to include the index as the deprecation warning recommends will allow this group to read the entire index, including events from other departments.
Is there going to be an alternative method to doing this in the future, or are we facing an issue of important functionality being removed? For some departments the event rate is low enough that it doesn't justify creating a separate tiny index for them, which seems to be where we're heading if we want to keep doing this.
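Added example, not part of the original post: the setup described above as Elasticsearch console requests, next to a role that puts the same filter on the index pattern itself through document level security (the `query` field of a role's index privileges). The `department` field, its value and the role bodies are assumptions, since the post does not show the alias filter, and the second form assumes the cluster's license includes document level security.

```console
# Setup described in the post (constructed): a filtered alias over the shared indices.
# The "department" field and its value are hypothetical stand-ins for the real filter.
POST /_aliases
{
  "actions": [
    {
      "add": {
        "index": "logstash_sysadmin*",
        "alias": "some-dept-alias",
        "filter": { "term": { "department": "some-dept" } }
      }
    }
  ]
}

# Role that names only the alias. This is the form the deprecation message flags:
# the privilege covers the alias but not the indices behind it.
PUT /_security/role/some-dept
{
  "indices": [
    { "names": ["some-dept-alias"], "privileges": ["read"] }
  ]
}

# Same restriction expressed on the index pattern with document level security.
# The role query is applied to every read this role performs on matching indices,
# so granting the pattern does not expose other departments' events.
PUT /_security/role/some-dept
{
  "indices": [
    {
      "names": ["logstash_sysadmin*"],
      "privileges": ["read"],
      "query": { "term": { "department": "some-dept" } }
    }
  ]
}
```

The sysadmin role keeps an unfiltered grant on the same pattern. Comparing results from a some-dept test user against a sysadmin user on the same query confirms that the filter is enforced.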