I’m getting an error in my Elasticsearch logs telling me that one of my roles has index privileges covering an alias that don’t cover some of the pointed-to indices… but it doesn’t make a lot of sense, given that the configuration of the role should cover the pointed-to indices as well, and I’d love if someone might bonk me on the head and tell me what I’m missing.
The error I’m getting is:
Role [logstash_writer] contains index privileges covering the [logstash] alias but which do not cover some of the indices that it points to [logstash-2025.04.17-000281, logstash-2025.04.24-000282, logstash-2025.05.01-000283, logstash-2025.05.08-000284, logstash-2025.05.15-000285, logstash-2025.05.22-000286, logstash-2025.05.29-000287, logstash-2025.06.05-000288, logstash-2025.06.12-000289, logstash-2025.06.19-000290, logstash-2025.06.26-000291, logstash-2025.07.03-000292, logstash-2025.07.10-000293, logstash-2025.07.17-000294, logstash-2025.07.24-000295, logstash-2025.07.31-000296, logstash-2025.08.07-000297, logstash-2025.08.14-000298, logstash-2025.08.21-000299, logstash-2025.08.28-000300, logstash-2025.09.04-000301, logstash-2025.09.11-000302, logstash-2025.09.18-000303, logstash-2025.09.25-000304, logstash-2025.10.02-000305, logstash-2025.10.09-000306, logstash-2025.10.16-000307]. Granting privileges over an alias and hence granting privileges over all the indices that the alias points to is deprecated and will be removed in a future version of Elasticsearch. Instead define permissions exclusively on index names or index name patterns.
I obviously have that logstash alias that points to 27 different indices, all of which are named logstash-*.
The logstash_writer role is configured as such (this is the output of just querying the API for the role):
{
"logstash_writer": {
"cluster": [
"manage_index_templates",
"monitor"
],
"indices": [
{
"names": [
"logstash-*",
"logstash*"
],
"privileges": [
"create",
"create_index",
"write",
"manage",
"manage_ilm"
],
"allow_restricted_indices": false
}
],
"applications": [],
"run_as": [],
"metadata": {},
"transient_metadata": {
"enabled": true
}
}
}
And I’d think that those two listed names would cover both the alias and the actual index names.
Note that I previously had this role defined with just the logstash* name, which I’d also think would cover both the alias and the actual index names, but added the name with the dash in it just to see if it helped… and the error still shows up in the logs.
And then note that I also tried to define the role with just the index name pattern with the dash (logstash-*), but then logstash won’t write to Elasticsearch, since the output plugin is configured with the name of the alias, not the currently write index that the alias points to.
So… I’m sure I’m missing something here, but can’t figure out what! Help?