How to allow bulk create only (disallow index, delete and update)

Hello,

I'm currently evaluating X-Pack for my company and as a requirement we need:

  • any user can write data to elasticsearch using bulk API;
  • disallow any other bulk operation (index, delete and update);

Looking at the "Indices Privileges" table (here: https://www.elastic.co/guide/en/x-pack/current/security-privileges.html#privileges-list-indices),
A Role with privileges “index” and/or “create” is not able to write using Bulk API;
Bulk API only works with “write" privilege but this also allows deletion and updates (which we don’t want).

Is this a bug? It doesn’t seem correct to have only one big bag of privileges (“write”) for bulk operations.
We are testing with version 5.1.2

For performance reasons we are not interested in using any other API to upload documents - only bulk API;
Using a reverse proxy to filter this requests is not an option either: bulk operations all use POST – we would need to inspect the JSON in the message body (big performance impact);

Any help appreciated :slight_smile:
Thank you

This is not something that can be done in current versions of Elasticsearch.

Because the Bulk API can be used to create, update and delete, it is only available to users with write privileges. We don't currently apply this sort of security filtering to the content that goes through the Bulk API, so if a user was give access to the bulk API, then there would be no way of preventing them from doing deletes or updates.

We do hope to support this use case in future versions, but it is not currently possible.

Thank you for the quick reply Tim.

This is a big drawback for us since we have a set of standalone distributed clients that upload lots of information using Bulk API. For backward compatibility we need those clients to keep using bulk API which, in turn, means we cannot secure the data...

We do hope to see this supported in future versions also.

Thanks

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Followup: As of Elasticsearch/X-Pack 5.3.0 it is possible to use the bulk API if you have some "modify" (create/update/delete) permissions, even if you don't have fully write permission.