Superuser doesn't have access to read a document?

panagiss · July 31, 2021, 2:51pm

This is my user's privileges

{
  "cluster" : [
    "all"
  ],
  "global" : [ ],
  "indices" : [
    {
      "names" : [
        "*"
      ],
      "privileges" : [
        "all"
      ],
      "allow_restricted_indices" : true
    }
  ],
  "applications" : [
    {
      "application" : "*",
      "privileges" : [
        "*"
      ],
      "resources" : [
        "*"
      ]
    }
  ],
  "run_as" : [
    "*"
  ]
}

It's a super user.

But somehow when i try to access an index for example the metricbeat index i get 403 Forbidden.

Error message:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/get] is unauthorized for user [elastic] with roles [superuser], this action is granted by the index privileges [read,all]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:data/read/get] is unauthorized for user [elastic] with roles [superuser], this action is granted by the index privileges [read,all]",
    "caused_by" : {
      "type" : "illegal_state_exception",
      "reason" : "There are no external requests known to support wildcards that don't support replacing their indices"
    }
  },
  "status" : 403
}

Thanks in advance

TimV · August 1, 2021, 12:20pm

This message has been improved in more recent versions of Elasticsearch. It typically means that you're passing a wildcard (*) to the get API (e.g. GET /metricbeat-*/_doc/1) which is not allowed.

panagiss · August 2, 2021, 11:20am

Thanks! So i cannot specify wildcards in the URL path for indices ever, right?

stephenb · August 2, 2021, 1:43pm

Hi @panagiss

To be more precise you can not use * when you are doing a GET by document _id, you can't use a wildcard with when searching by _id you must provide the individual index (or alias)

Incorrect Syntax
GET /filebeat-*/_doc/1JbB83oBFS-aXHYZYwPk

Correct Syntax
GET /filebeat-7.13.4-2021.07.29-000001/_doc/1JbB83oBFS-aXHYZYwPk

Correct Syntax
GET /filebeat-*/_search

system · August 30, 2021, 1:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Authorization Exception for SuperUser Elasticsearch elastic-stack-security	6	2525	September 21, 2020
There are no external requests known to support wildcards that don't support replacing their indices Elasticsearch	4	1898	February 12, 2021
Field and Document Level Security Limitations Elasticsearch	6	1785	March 8, 2017
To solve an error Kibana elastic-stack-security , elastic-stack-alerting	2	133	March 14, 2024
No 403 response if user is not allowed to read index Elasticsearch	3	708	May 23, 2017

Superuser doesn't have access to read a document?

Related topics