Superuser doesn't have access to read a document?

These are my user's privileges:

{
  "cluster" : [
    "all"
  ],
  "global" : [ ],
  "indices" : [
    {
      "names" : [
        "*"
      ],
      "privileges" : [
        "all"
      ],
      "allow_restricted_indices" : true
    }
  ],
  "applications" : [
    {
      "application" : "*",
      "privileges" : [
        "*"
      ],
      "resources" : [
        "*"
      ]
    }
  ],
  "run_as" : [
    "*"
  ]
}

It's a super user.

But somehow, when I try to access an index, for example the metricbeat index, I get 403 Forbidden.

Error message:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/get] is unauthorized for user [elastic] with roles [superuser], this action is granted by the index privileges [read,all]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:data/read/get] is unauthorized for user [elastic] with roles [superuser], this action is granted by the index privileges [read,all]",
    "caused_by" : {
      "type" : "illegal_state_exception",
      "reason" : "There are no external requests known to support wildcards that don't support replacing their indices"
    }
  },
  "status" : 403
}

Thanks in advance

This message has been improved in more recent versions of Elasticsearch. It typically means that you're passing a wildcard (*) to the get API (e.g. GET /metricbeat-*/_doc/1) which is not allowed.

1 Like

Thanks! So I cannot specify wildcards in the URL path for indices ever, right?

Hi @panagiss

To be more precise, you cannot use * when you are doing a GET by document _id. You can't use a wildcard when searching by _id; you must provide the individual index (or alias).

Incorrect Syntax
GET /filebeat-*/_doc/1JbB83oBFS-aXHYZYwPk

Correct Syntax
GET /filebeat-7.13.4-2021.07.29-000001/_doc/1JbB83oBFS-aXHYZYwPk

Correct Syntax
GET /filebeat-*/_search

2 Likes
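Added example, not part of the thread and not Elastic's code: a triage helper that tells the wildcard-in-GET 403 described above apart from a real privilege gap, and rewrites the failing get-by-id path into a `_search` request with an `ids` query. The function names and both sample bodies are constructed for illustration; the first sample is trimmed from the error posted in the question.

```python
import re

# Get-by-id endpoint: /<index expression>/_doc/<id>
_GET_BY_ID = re.compile(r"^/(?P<index>[^/]+)/_doc/(?P<id>[^/?]+)")


def is_wildcard_get_error(body):
    """True when a 403 body is the wildcard-in-GET case, not a missing privilege."""
    err = body.get("error", {})
    cause = err.get("caused_by", {})
    return (body.get("status") == 403
            and err.get("type") == "security_exception"
            and "indices:data/read/get" in err.get("reason", "")
            and cause.get("type") == "illegal_state_exception"
            and "wildcards" in cause.get("reason", ""))


def rewrite_as_search(path):
    """Map GET /<pattern>/_doc/<id> to (search_path, search_body).

    Returns None when the path is not a get-by-id or has no wildcard,
    i.e. when the request is already valid as written.
    """
    m = _GET_BY_ID.match(path)
    if not m or "*" not in m["index"]:
        return None
    return (f"/{m['index']}/_search",
            {"query": {"ids": {"values": [m["id"]]}}})


# Constructed sample: the thread's 403 body, trimmed to the inspected fields.
WILDCARD_403 = {
    "error": {
        "type": "security_exception",
        "reason": "action [indices:data/read/get] is unauthorized for user "
                  "[elastic] with roles [superuser]",
        "caused_by": {
            "type": "illegal_state_exception",
            "reason": "There are no external requests known to support "
                      "wildcards that don't support replacing their indices",
        },
    },
    "status": 403,
}

# Constructed sample: a 403 with no caused_by (user and role are placeholders).
PLAIN_403 = {
    "error": {
        "type": "security_exception",
        "reason": "action [indices:data/read/get] is unauthorized for user "
                  "[example_user] with roles [example_role]",
    },
    "status": 403,
}
```

Because `_id` is only unique within one index, the rewritten search can return the same id from more than one index matched by the pattern; each hit's `_index` field shows the concrete index to use for a direct GET.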
