Nothing in the error logs for RBAC


I was setting up a 3rd party application and forgot to extend its role to read a new index. It took me some time (classified) while I realized my mistake. Shouldn't I be able to see the unauthorized request in the logs or I'd need to upgrade to a higher plan in order to see that?


You would need to enable audit logging. The error would be also visible in the response to the API call you were making.

I see. I understand that I can't get everything with a basic account, but since I (thankfully) get RBAC, I'd expect a vague entry which would indicate the source of the issue. As I described it was my mistake not checking the basics but I was like "Hey, the E+L error logs are empty, it has to be something with that app.". Again, I'm happy to have RBAC, just expected something to warn me that I messed up.
Thank you!

P.s.: The app unfortunately didn't handle the response which is a shame too, I found out the issue when I made a curl call with the app's creds and it was clear what I missed during setup:

{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [XXXXXXX]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [XXXXXXX]"},"status":403}

We do print this on DEBUG level if you set to "DEBUG"

1 Like

Thank you!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.