Nothing in the error logs for RBAC

Hi,

I was setting up a 3rd party application and forgot to extend its role to read a new index. It took me some time (classified) until I realized my mistake. Shouldn't I be able to see the unauthorized request in the logs, or would I need to upgrade to a higher plan in order to see that?

Thanks!

You would need to enable audit logging. The error would also be visible in the response to the API call you were making.

I see. I understand that I can't get everything with a basic account, but since I (thankfully) get RBAC, I'd expect a vague entry which would indicate the source of the issue. As I described, it was my mistake not checking the basics, but I was like "Hey, the E+L error logs are empty, it has to be something with that app." Again, I'm happy to have RBAC, just expected something to warn me that I messed up.
Thank you!

P.S.: The app unfortunately didn't handle the response, which is a shame too. I found out the issue when I made a curl call with the app's creds and it was clear what I missed during setup:

{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [XXXXXXX]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [XXXXXXX]"},"status":403}
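
An added example, not part of the original posts: one way a client could surface the 403 body quoted above instead of discarding it. The function name `explain_authz_failure` and the regular expression are assumptions built from the reason string shown in the post.

```python
import json
import re

# Assumed shape of the "reason" text, taken from the 403 body quoted in the post.
_REASON = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
)


def explain_authz_failure(status, body):
    """Describe an Elasticsearch authorization failure.

    Returns a dict with the raw reason plus the denied action and user when
    they can be parsed, or None if the response is not a 403 security_exception.
    """
    if status != 403:
        return None
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None  # e.g. a proxy's HTML error page or an empty body
    error = doc.get("error") if isinstance(doc, dict) else None
    if not isinstance(error, dict):
        return None
    # root_cause may be absent; fall back to the top-level error object.
    causes = error.get("root_cause") or [error]
    for cause in causes:
        if not isinstance(cause, dict) or cause.get("type") != "security_exception":
            continue
        reason = cause.get("reason", "")
        m = _REASON.search(reason)
        # If the wording differs, the raw reason is still returned for logging.
        return {
            "reason": reason,
            "action": m.group("action") if m else None,
            "user": m.group("user") if m else None,
        }
    return None


# Response body copied from the post (user name is redacted there as XXXXXXX).
SAMPLE_BODY = '{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [XXXXXXX]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [XXXXXXX]"},"status":403}'

if __name__ == "__main__":
    info = explain_authz_failure(403, SAMPLE_BODY)
    if info:
        print(f"authorization denied: user={info['user']} action={info['action']}")
```

Logging the returned action and user on the client side makes a missing role privilege visible even when the cluster's own logs stay at the default level.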

We do print this at DEBUG level if you set logger.org.elasticsearch.xpack.security.authz to "DEBUG".


Thank you!
