Updating role privileges is not effective

Hello,

I've set an api_key to manage an index but I'm getting this error:

Error: [403] {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for API key id [******] of user [logstash_internal] on indices [services_kpis], this action is granted by the index privileges [read,all]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for API key id [******] of user [logstash_internal] on indices [services_kpis], this action is granted by the index privileges [read,all]"},"status":403}
  Exception: Elasticsearch::Transport::Transport::Errors::Forbidden

Then I added the missing privilege "read", but I still get the same error.

curl -sS -H "Authorization: ApiKey *******" https://localhost:9200/_security/role/logstash_writer | jq -r '.logstash_writer | .cluster, .indices'
[
  "manage_index_templates",
  "monitor",
  "manage_ilm",
  "manage_api_key",
  "manage_own_api_key"
]
[
  {
    "names": [
        "services_kpis"
    ],
    "privileges": [
      "write",
      "create",
      "delete",
      "create_index",
      "manage",
      "manage_ilm",
      "create_doc",
      "view_index_metadata",
      "read"
    ],
    "allow_restricted_indices": false
  }
]

Why isn't it directly effective? If we have to restart all processes it's a shame...

Regards,
Kevin

An API key's privileges are immutable after its initial creation. It basically takes a snapshot of the creator's privileges at creation time. If you update the creator's roles afterwards, you need to create a new API key to reflect the changes.

2 Likes
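The rotation described in the answer above, as an added example that is not part of the original thread: issue a new key after the role update, confirm as that key that the privilege is now present, and only then retire the stale key. The function names, the injectable `send` transport and the key name are assumptions made for illustration; the endpoints are Elasticsearch's create API key, has-privileges and invalidate API key APIs.

```python
import base64, json, urllib.request

ES = "https://localhost:9200"  # cluster URL as used in the post

def http_send(method, path, body, auth_header):
    """Send one JSON request to Elasticsearch and return the decoded reply."""
    req = urllib.request.Request(
        ES + path, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json", "Authorization": auth_header})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def invalidate_key(send, owner_auth, key_id):
    """Invalidate one API key by id; returns the ids the cluster invalidated."""
    reply = send("DELETE", "/_security/api_key", {"ids": [key_id]}, owner_auth)
    return reply.get("invalidated_api_keys", [])

def issue_verified_key(send, owner_auth, name, index, privileges):
    """Create a key that snapshots the owner's current roles, then verify it.

    owner_auth must be the owning user's own credentials (e.g. Basic auth):
    a key created while authenticated with another API key gets no privileges.
    Returns (key_id, Authorization header value for the new key).
    """
    # No role_descriptors in the body, so the key inherits the owner's roles as of now.
    created = send("POST", "/_security/api_key", {"name": name}, owner_auth)
    token = base64.b64encode(f"{created['id']}:{created['api_key']}".encode()).decode()
    new_auth = "ApiKey " + token

    # Ask the cluster, authenticated as the new key, whether the privileges are there.
    check = send("POST", "/_security/user/_has_privileges",
                 {"index": [{"names": [index], "privileges": privileges}]}, new_auth)
    if not check.get("has_all_requested"):
        # Do not leave an unusable credential behind; the old key stays untouched.
        invalidate_key(send, owner_auth, created["id"])
        raise PermissionError(f"new key lacks {privileges} on {index}")
    return created["id"], new_auth

if __name__ == "__main__":
    # Constructed placeholders: supply the owner's real credentials and the old key id.
    owner = "Basic " + base64.b64encode(b"logstash_internal:<password>").decode()
    key_id, auth = issue_verified_key(http_send, owner, "logstash-kpis-v2",
                                      "services_kpis", ["read"])
    print("new key id:", key_id)
    # After clients have been switched to the new key, retire the stale one:
    # invalidate_key(http_send, owner, "<old-key-id>")
```

Invalidate the old key only after every client has been reconfigured with the new one, so access is not interrupted.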

Thanks for your reply. Maybe we could add a note in the Create API key documentation 🙂
