User Not Permitted to Check If Index Exists

Hi,

I have a current role mapping of

"es_write_only" : {
    "cluster" : [
      "all"
    ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "all"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "*",
        "privileges" : [
          "8"
        ],
        "resources" : [
          "all"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }

But the user with this role isn't allowed to check if the index exists via the Python Elasticsearch client. I'm getting a 403 error.

Any ideas?

Thanks,
Ry

It doesn't look like the role is the actual cause of your problem; that role permits everything.

Can you please provide a complete example?

Hi Tim,

I made a mistake under applications: the privileges were set to 8 instead of *. This setting works now.

But how can I make restrictions such as only allowing the following privileges on indices:
"privileges": ["write", "create_index", "create", "index", "read"]

and still be able to check if the index exists? Is the permission under applications or indices? With the provided privileges, I'm getting a permissions error.

Thanks,
Ry

Here are the settings and result
create role with limited index privileges

curl -X PUT "elastic:changeme@localhost:9200/_security/role/es_write_only" -H 'Content-Type: application/json' -d'
{
  "cluster" : [
    "all"
  ],
  "indices" : [
    {
      "names" : [
        "*"
      ],
      "privileges": ["write", "create_index", "create", "index", "read"],
      "allow_restricted_indices" : false
    }
  ],
  "applications" : [
    {
      "application" : "*",
      "privileges" : [
        "*"
      ],
      "resources" : [
        "all"
      ]
    }
  ]
}
'

assign role to user

curl -X POST "elastic:changeme@localhost:9200/_security/user/some_app" -H 'Content-Type: application/json' -d'
{
  "password" : "testtest",
  "roles" : [ "es_write_only"]
}
'

elastic user to show all indices

curl elastic:changeme@localhost:9200/_cat/indices?v
health status index                uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_1            zTZKCuXAQauxZJG0acOJGA   1   0          5            1     39.4kb         39.4kb
green  open   .security-7          600qyaUsQB2u_dRtm_tBvA   1   0          6            6     34.3kb         34.3kb
yellow open   unspecified-abc UxEc8jzSRMyYvMti68ENiA   1   1        274            0    157.2kb        157.2kb
green  open   .kibana_task_manager yyEJyEY_SjmEmvTWP3fUow   1   0          2            0     29.6kb         29.6kb

use some_app user to check if unspecified-abc exists

curl -I some_app:testtest@localhost:9200/unspecified-abc
HTTP/1.1 403 Forbidden
content-type: application/json; charset=UTF-8
content-length: 245
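
The 403 on the `curl -I` call above is consistent with the index-exists request being an index metadata action (`indices:admin/get`), which the `read` privilege does not cover; the built-in `view_index_metadata` privilege does. The following Python snippet is an added illustration, not code from the thread or from Elasticsearch: it mirrors the role-to-action check on a small subset of the built-in index privilege definitions (the action table is transcribed from my reading of those definitions, an assumption, not fetched from a cluster) and shows the thread's role failing the exists check while the same role plus `view_index_metadata` passes.

```python
from fnmatch import fnmatchcase

# Simplified subset of Elasticsearch's built-in index privileges, expressed as
# action-name patterns. Assumption: transcribed from the privilege definitions
# as I understand them; it is not the authoritative list.
INDEX_PRIVILEGES = {
    "all": ["indices:*"],
    "read": ["indices:data/read/*"],
    "write": ["indices:data/write/*"],
    "index": ["indices:data/write/index*", "indices:data/write/bulk*",
              "indices:data/write/update*"],
    "create": ["indices:data/write/index*", "indices:data/write/bulk*"],
    "create_index": ["indices:admin/create", "indices:admin/auto_create"],
    "view_index_metadata": ["indices:admin/get", "indices:admin/exists",
                            "indices:admin/mappings/get",
                            "indices:admin/aliases/get"],
    "manage": ["indices:monitor/*", "indices:admin/*"],
}

# Actions behind the REST calls used in the thread (assumed mapping).
HEAD_INDEX_ACTION = "indices:admin/get"        # curl -I host:9200/<index>
INDEX_DOC_ACTION = "indices:data/write/index"  # PUT <index>/_doc/<id>


def is_allowed(role, action, index):
    """True if any 'indices' entry of the role grants `action` on `index`."""
    for entry in role["indices"]:
        # Index name patterns use shell-style wildcards, e.g. "*" or "logs-*".
        if not any(fnmatchcase(index, pat) for pat in entry["names"]):
            continue
        for priv in entry["privileges"]:
            # A raw action name (e.g. "indices:admin/get") is itself a valid privilege.
            for action_pat in INDEX_PRIVILEGES.get(priv, [priv]):
                if fnmatchcase(action, action_pat):
                    return True
    return False


def unauthorized_actions(role, actions, index):
    """Return the actions from `actions` that `role` does not grant on `index`."""
    return [a for a in actions if not is_allowed(role, a, index)]


# The limited role from the thread, and the same role with metadata access added.
THREAD_PRIVS = ["write", "create_index", "create", "index", "read"]
ROLE_FROM_THREAD = {"indices": [{"names": ["*"], "privileges": THREAD_PRIVS}]}
ROLE_WITH_METADATA = {"indices": [{"names": ["*"],
                                   "privileges": THREAD_PRIVS + ["view_index_metadata"]}]}
```

Note that the `"cluster": ["all"]` grant in the thread's role is unrelated to the index check and is far broader than the role's name suggests; it is worth narrowing separately.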
