Elasticsearch 7.17 index with alias - granting privileges best practice

Hi. What would be the best practice for granting read security privileges on an index with an alias in Elasticsearch 7.17?

Granting the read privilege only on the alias is deprecated, but granting the read privilege only on the index isn't working when accessing that index through the alias, and the error messages are misleading.

```
PUT test_index
{
  "mappings": {
    "properties": {
      "title": {
        "type": "keyword"
      },
      "text": {
        "type": "text"
      },
      "date": {
        "type": "date"
      }
    }
  }
}

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "test_index",
        "alias": "test_alias"
      }
    }
  ]
}

POST test_index/_doc
{
  "title": "test document",
  "text": "test loremm ipsum bla bla",
  "date": "2023-10-01T00:00:00.000"
}

POST _security/role/test_role
{
  "indices": [
    {
      "names": ["test_index"],
      "privileges": ["read"]
    }
  ]
}

POST _security/user/test_user
{
  "password": "123456",
  "roles": [
    "test_role"
  ]
}
```

The error message strangely has both test_index and test_alias:

```
$ curl https://localhost:9200/test_index/_search -u test_user:123456
{"took":6,"timed_out":false,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":1,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"test_index","_type":"_doc","_id":"tga5_4oBD8KslCcTTvs4","_score":1.0,"_source":{
  "title": "test document",
  "text": "test loremm ipsum bla bla",
  "date": "2023-10-01T00:00:00.000"
}
}]}}

$ curl https://localhost:9200/test_alias/_search -u test_user:123456
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [test_user] with roles [test_role] on indices [test_alias,test_index], this action is granted by the index privileges [read,all]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [test_user] with roles [test_role] on indices [test_alias,test_index], this action is granted by the index privileges [read,all]"},"status":403}
```

Any thoughts besides simply granting read privileges on both index and alias?

Best regards,
