Is this a bug? It doesn’t seem correct to have only one big bag of privileges (“write”) for bulk operations.
We are testing with version 5.1.2.
For performance reasons we are not interested in using any other API to upload documents - only bulk API;
Using a reverse proxy to filter these requests is not an option either: bulk operations all use POST – we would need to inspect the JSON in the message body (big performance impact);
This is not something that can be done in current versions of Elasticsearch.
Because the Bulk API can be used to create, update and delete, it is only available to users with write privileges. We don't currently apply this sort of security filtering to the content that goes through the Bulk API, so if a user was given access to the bulk API, then there would be no way of preventing them from doing deletes or updates.
We do hope to support this use case in future versions, but it is not currently possible.
This is a big drawback for us since we have a set of standalone distributed clients that upload lots of information using Bulk API. For backward compatibility we need those clients to keep using bulk API which, in turn, means we cannot secure the data...
We do hope to see this supported in future versions also.
Followup: As of Elasticsearch/X-Pack 5.3.0 it is possible to use the bulk API if you have some "modify" (create/update/delete) permissions, even if you don't have full write permission.
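The per-item distinction discussed in this thread, as an added example that is not part of any post and is not Elasticsearch's own code: a Python parser that walks a `_bulk` NDJSON body and reports the items whose action falls outside an allowed set, which is useful for auditing what ingest clients actually send. The function names, the allowed set and the sample body are constructed for illustration.

```python
import json

# Bulk actions followed by a document line; "delete" has no document line.
ACTIONS_WITH_BODY = {"index", "create", "update"}
ALL_ACTIONS = ACTIONS_WITH_BODY | {"delete"}


def bulk_actions(body):
    """Return [(action, index, doc_id), ...] for an NDJSON _bulk request body."""
    lines = [ln for ln in body.split("\n") if ln.strip()]
    items, i = [], 0
    while i < len(lines):
        header = json.loads(lines[i])
        if not isinstance(header, dict) or len(header) != 1:
            raise ValueError(f"line {i + 1}: expected a single-key action object")
        (action, meta), = header.items()
        if action not in ALL_ACTIONS:
            raise ValueError(f"line {i + 1}: unknown bulk action {action!r}")
        if not isinstance(meta, dict):
            raise ValueError(f"line {i + 1}: action metadata must be an object")
        i += 1
        if action in ACTIONS_WITH_BODY:
            # Skip the document line so a field named "delete" inside a
            # document is never mistaken for an action header.
            if i >= len(lines):
                raise ValueError(f"{action} item is missing its document line")
            i += 1
        items.append((action, meta.get("_index"), meta.get("_id")))
    return items


def disallowed(body, allowed):
    """Items whose action is not in the allowed set (hypothetical policy)."""
    return [item for item in bulk_actions(body) if item[0] not in allowed]


# Constructed sample body: two writes an ingest-only client would send,
# plus an update and a delete that it should not be sending.
SAMPLE = "\n".join([
    '{"index": {"_index": "logs", "_id": "1"}}',
    '{"msg": "first", "delete": "just a field"}',
    '{"create": {"_index": "logs", "_id": "2"}}',
    '{"msg": "second"}',
    '{"update": {"_index": "logs", "_id": "1"}}',
    '{"doc": {"msg": "changed"}}',
    '{"delete": {"_index": "logs", "_id": "2"}}',
]) + "\n"

if __name__ == "__main__":
    for action, index, doc_id in disallowed(SAMPLE, {"index", "create"}):
        print(f"not allowed: {action} {index}/{doc_id}")
```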