Update by query rejected despite having index privilege on index alias

I have a set of concrete indexes named like myindex-v1 with aliases like myindex. For my roles, I've granted privileges as needed to all of the aliases and not the concrete indexes. That all works fine except when I attempt an update by query operation. For that, I get an error like:

{"index":"myindex-v1","type":"_doc","id":"n84CR3kBdB1sHUuGSQZl","cause":{"type":"security_exception","reason":"action [indices:data/write/bulk[s]] is unauthorized for user [apiuser] run as [logged-in-user]"},"status":403}

I am indeed using the run-as functionality, just to confirm the error. The logged-in-user does have the proper role assigned. If I add the concrete index to the index privilege for the role, the update by query operation runs successfully.

Since the concrete index is shown in the error, is there something inherent about update by query that requires privileges on the concrete index, or is this unintended behavior?

The alias will resolve to 1 (or more) underlying indices, so yes, it needs access to those for the writes.

Thank you for confirming, but in that case, the update by query API documentation is at least misleading, if not flatly incorrect:

Prerequisites

  • If the Elasticsearch security features are enabled, you must have the following index privileges for the target data stream, index, or index alias:

    • read
    • index or write
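To make the reply above concrete, here is an added example (my own code, not from the thread, from Elastic, or from Elasticsearch's implementation) that models the authorization path the error message shows: the search half of update by query is checked against the requested target name, while the bulk shard write carries the concrete index name the alias resolved to and is checked against that. The alias table, role structures and the privilege-to-action mapping are constructed for illustration and only loosely follow the quoted docs; the second role adds a wildcard pattern (`myindex-*`) alongside the alias so that versioned concrete indices are covered without listing each one.

```python
"""Constructed model of alias resolution and index-privilege checks.
Not Elasticsearch's code; names and mappings are illustrative."""
from fnmatch import fnmatchcase

# Constructed alias table: alias name -> concrete indices it points at.
ALIASES = {"myindex": ["myindex-v1"]}

# Constructed privilege groups. The action names mirror the one in the
# thread's error ("indices:data/write/bulk[s]"); the grouping is assumed.
PRIVILEGES = {
    "read": {"indices:data/read/search", "indices:data/read/scroll"},
    "index": {"indices:data/write/index", "indices:data/write/bulk[s]"},
    "write": {"indices:data/write/index", "indices:data/write/bulk[s]",
              "indices:data/write/update"},
}


def resolve(name):
    """Expand an alias to its concrete indices; a concrete name maps to itself."""
    return list(ALIASES.get(name, [name]))


def role_allows(role, action, index_name):
    """True if some index entry of the role covers index_name (exact name or
    wildcard pattern) and one of its privileges grants the action."""
    for entry in role["indices"]:
        if not any(fnmatchcase(index_name, pat) for pat in entry["names"]):
            continue
        granted = set().union(*(PRIVILEGES[p] for p in entry["privileges"]))
        if action in granted:
            return True
    return False


def update_by_query_allowed(role, target):
    """Model of update by query: search is authorized on the requested target,
    then a bulk shard write is authorized per resolved concrete index.
    Returns (ok, detail) so the failing index is visible, as in the thread."""
    if not role_allows(role, "indices:data/read/search", target):
        return False, f"search unauthorized on [{target}]"
    for concrete in resolve(target):
        if not role_allows(role, "indices:data/write/bulk[s]", concrete):
            return False, (f"action [indices:data/write/bulk[s]] is "
                           f"unauthorized on [{concrete}]")
    return True, "ok"


# Role as described in the thread: read/write granted on the alias only.
ALIAS_ONLY_ROLE = {
    "indices": [{"names": ["myindex"], "privileges": ["read", "write"]}]
}

# Same grants, plus a pattern that covers the concrete indices behind the alias.
PATTERN_ROLE = {
    "indices": [{"names": ["myindex", "myindex-*"],
                 "privileges": ["read", "write"]}]
}

if __name__ == "__main__":
    for label, role in [("alias-only", ALIAS_ONLY_ROLE),
                        ("alias+pattern", PATTERN_ROLE)]:
        print(label, update_by_query_allowed(role, "myindex"))
```

The alias-only role passes the search check but fails on `myindex-v1`, reproducing the shape of the 403 in the first post; the role with the `myindex-*` pattern passes both. In a real cluster the equivalent check is to test the role's privileges against the concrete index name (not only the alias) before relying on alias-only grants for write-style APIs.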
