Disable reads from few indices of an index pattern

Hi Team, I want to disable reads for a few indices in an index pattern. I tried using `index.blocks.read: true`, but due to this, when I try to query using the index pattern, I get the error below:

  {
    "error" : {
      "root_cause" : [
        {
          "type" : "cluster_block_exception",
          "reason" : "blocked by: [FORBIDDEN/7/index read (api)];"
        }
      ],
      "type" : "cluster_block_exception",
      "reason" : "blocked by: [FORBIDDEN/7/index read (api)];"
    },
    "status" : 403
  }

Is it possible to enable search on the other indices without getting the above error? Or are there any other ways to achieve this?

Access to indices can be controlled by the user's role. I think you can write both "Allow read access to these indices (by alias)" and "Deny access" when defining the role.

I am not sure if there is a special setting for denying access, or if you use a minus sign like "- indexname" when you list the indices that the role should have access to.

What's the broader context and end goal here? Could you use Security to limit access or, as pointed out above, exclude them from the query?

Context: Currently we store 30d of data and have one index per day. We want to reduce the retention to 15d, but before doing that, we want to first mask the data >15d (without deleting) and observe the usage patterns before we completely reduce the retention.
Currently we are not following any user concept in our cluster. Hence checking if there is any other way.

Are you using ILM?

No, we use Curator.

I would create an alias that covers only 15 days' worth of indices and let the customers query through this. You would add this to all new indices through an index template and then remove it using Curator when the index is older than 15 days.

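The alias approach suggested above, sketched as an added example that is not part of the original thread and uses plain Python rather than Curator: it builds the request body for the `_aliases` API that keeps a read alias on only the newest 15 daily indices. The alias name `logs-visible`, the `logs-YYYY.MM.DD` naming scheme and the cluster state in `SAMPLE` are assumptions constructed for illustration.

```python
import json
import re
from datetime import date

ALIAS = "logs-visible"   # hypothetical alias that clients query instead of logs-*
PREFIX = "logs-"         # hypothetical prefix of the daily indices
NAME_RE = re.compile(r"^" + re.escape(PREFIX) + r"(\d{4})\.(\d{2})\.(\d{2})$")

def index_day(name):
    """Return the date encoded in a daily index name, or None if it is not one."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:          # digits that do not form a real date
        return None

def alias_actions(indices, today, keep_days=15, alias=ALIAS):
    """Build an _aliases body from {index_name: set_of_current_aliases}.

    Indices aged 0..keep_days-1 days keep (or gain) the alias; older ones
    lose it. The data stays on disk and remains reachable by index name.
    """
    actions = []
    for name in sorted(indices):
        day = index_day(name)
        if day is None:
            continue            # other tenants / unparseable names are left alone
        age = (today - day).days
        has_alias = alias in indices[name]
        if age >= keep_days and has_alias:
            actions.append({"remove": {"index": name, "alias": alias}})
        elif age < keep_days and not has_alias:
            actions.append({"add": {"index": name, "alias": alias}})
    return {"actions": actions}  # all actions in one _aliases call apply atomically

# Constructed cluster state for the demonstration.
SAMPLE = {
    "logs-2024.03.01": {ALIAS},
    "logs-2024.03.02": set(),
    "logs-2024.03.16": {ALIAS},
    "logs-2024.03.17": set(),
    "logs-2024.03.31": {ALIAS},
    "logs-2024.13.40": {ALIAS},
    "metrics-2024.03.01": {ALIAS},
}

if __name__ == "__main__":
    print(json.dumps(alias_actions(SAMPLE, date(2024, 3, 31)), indent=2))
```

Because the older indices only lose the alias, a query through the alias never touches them and so cannot hit a read block, while direct queries by index name still work during the observation period.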

Yes, that is one way @Christian_Dahlqvist, but I have a few more indices/rather tenants which work on index patterns. Wanted to have a unified thing for all tenants, hence was trying to explore if there is another way.
