Reg: Cluster Privileges for Snapshots - Permission issue


(Karthik Ramachandran) #1

We are using Azure Repository Plugin (ES 6.2.1) for snapshotting, and use curator actions for snapshot action. But, the action is error'ing out as below

action [cluster:admin/repository/get] is unauthorized for user
Error from DEBUG log
2018-05-16 22:50:48,369 DEBUG elasticsearch log_request_fail:110 < {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/repository/get] is unauthorized for user [curator]"}],"type":"security_exception","reason":"action [cluster:admin/repository/get] is unauthorized for user [curator]"},"status":403}

The user that curator uses to perform snapshot has below privileges

{
"cluster": ["manage"],
"indices": [
{
"names": ["*"],
"privileges": ["monitor", "delete_index"]
}
],
"run_as": [],
"metadata": {}
}

Shouldn't "manage" help in posting snapshot by curator? Giving "all" would be more as it provides restarting capabilities.

Referring to documentation
https://www.elastic.co/guide/en/x-pack/current/security-privileges.html


(Tim Vernum) #2

manage should do what you need. Are you sure that your curator used is configured correctly?

The Authenticate API can help diagnose which roles a user has.

The documentation is not very clear on this point, but manage can do everything that all can do, except manage security.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.