_xpack write, create, index permission - Confusing


Does all the above allow to create a indice to give user.

I'm trying to figure out what permission would allow a user only to add, update and delete documents - but doesn't allow to create a indice.

I thought write would do, but I do see index getting created. All three have update mapping permission :frowning:

Hmm. Looks like the issue is different than what is observed. Will follow with more details

Below is the scenario. Not sure if it is a bug or intended
We were in ES Stack 6.2 (ES, Logstash, Kibana), and want to move to 6.3. Given that it is dev, and keeping data is not a constraint, and were trying 6.3 we removed ES in full + redeployed. We kept logstash running and it was trying to send data to ES.


  • Deployed ES 6.3 cluster (No license applied, No users created etc.)
  • The existing logstash that continued to send data using native user (logstash_user/passsword) is expected to fail, but, it created indices in elastic though the elastic output plugin had user/password setting in it.
  • Applied license
  • Thought of checking what the issue is by deleting the indices created by logstash. Now logstash didn't create any indice as expected.
  • Removed License
  • tried to create indices using below statement
    curl -k -XPUT https://<>:9200/test1 -u nonexistinguser:nonexistingpassword

QUESTION: How the user is authenticated. Shouldn't the ES call fail irrespective of whether license is applied or not.!

curl -k -XGET https://<>:9200/_cat/indices -u nonexistinguser:nonexistingpassword
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [nonexistinguser] for REST request [/test1]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}}],"type":"security_exception","reason":"unable to authenticate user [nonexistinguser] for REST request [/test1]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}},"status":401}

QUESTION: Why _cat/indices fail with security error now. Shouldn't it behave the same way as earlier

If you start a cluster without applying any license, then it starts with a basic license, which includes only the free features of X-Pack. That does not include security.

If your configuration file explicitly tries to enable security then you will get an error, but if you leave the security setting unset, then the default behaviour will depend on the license type, and for basic that default is disabled.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.