Hi. What would be best practice for granting read security privileges on index with alias on Elasticsearch 7.17?
Granting read privilege only on alias is deprecated but granting read privilege only on index isn't working when accessing that index through alias with misleading error messages.
PUT test_index
{
"mappings": {
"properties": {
"title": {
"type": "keyword"
},
"text": {
"type": "text"
},
"date": {
"type": "date"
}
}
}
}
POST _aliases
{
"actions": [
{
"add": {
"index": "test_index",
"alias": "test_alias"
}
}
]
}
POST test_index/_doc
{
"title": "test document",
"text": "test loremm ipsum bla bla",
"date": "2023-10-01T00:00:00.000"
}
POST _security/role/test_role
{
"indices": [
{
"names": ["test_index"],
"privileges": ["read"]
}
]
}
POST _security/user/test_user
{
"password": "123456",
"roles": [
"test_role"
]
}
Error message strangely has both test_index and test_alias
$ curl https://localhost:9200/test_index/_search -u test_user:123456
{"took":6,"timed_out":false,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":1,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"test_index","_type":"_doc","_id":"tga5_4oBD8KslCcTTvs4","_score":1.0,"_source":{
"title": "test document",
"text": "test loremm ipsum bla bla",
"date": "2023-10-01T00:00:00.000"
}
}]}}
$ curl https://localhost:9200/test_alias/_search -u test_user:123456
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [test_user] with roles [test_role] on indices [test_alias,test_index], this action is granted by the index privileges [read,all]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [test_user] with roles [test_role] on indices [test_alias,test_index], this action is granted by the index privileges [read,all]"},"status":403}```
Any thoughts besides simply granting read privileges on both index and alias?
Best regards,