Elasticsearch version (bin/elasticsearch --version): Latest elasticsearch-8.0.0-SNAPSHOT-darwin-x86_64.tar.gz
Plugins installed: []
JVM version (java -version):
openjdk version "15.0.1" 2020-10-20
OpenJDK Runtime Environment AdoptOpenJDK (build 15.0.1+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 15.0.1+9, mixed mode, sharing)
OS version (uname -a if on a Unix-like system):
Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 x86_64
Description of the problem including expected versus actual behavior:
The manage_index_templates cluster privilege lets a user run the following APIs:
However, the authorization error returned by these APIs does not list manage_index_templates as a privilege.
Steps to reproduce:
- As the
elastic user, create a mytest role with no cluster privileges:
POST _security/role/mytest
{
"cluster": [
],
"indices": [ ]
}
- As the
elastic user, create a test user with the mytest role:
POST _security/user/test
{
"password" : "...",
"roles" : [ "mytest" ]
}
- Use one of the above APIs as the
test user. For example, use the put composable index template API:
PUT _index_template/template_1
{
"index_patterns" : ["te*"],
"priority" : 1
}
The request returns the following error message. manage_index_templates should be in the list of privileges but is not included. Only manage,all are listed.
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "action [indices:admin/index_template/put] is unauthorized for user [test], this action is granted by the privileges [manage,all]"
}
],
"type" : "security_exception",
"reason" : "action [indices:admin/index_template/put] is unauthorized for user [test], this action is granted by the privileges [manage,all]"
},
"status" : 403
}
- As the
elastic user, add the manage_index_templates cluster privilege to the mytest role :
POST _security/role/mytest
{
"cluster": [
"manage_index_templates"
],
"indices": [ ]
}
- As the
test user, use the above API again. This time, the attempt will succeed.
PUT _index_template/template_1
{
"index_patterns" : ["te*"],
"priority" : 1
}
Elasticsearch version (
bin/elasticsearch --version): Latestelasticsearch-8.0.0-SNAPSHOT-darwin-x86_64.tar.gzPlugins installed: []
JVM version (
java -version):openjdk version "15.0.1" 2020-10-20
OpenJDK Runtime Environment AdoptOpenJDK (build 15.0.1+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 15.0.1+9, mixed mode, sharing)
OS version (
uname -aif on a Unix-like system):Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 x86_64
Description of the problem including expected versus actual behavior:
The
manage_index_templatescluster privilege lets a user run the following APIs:However, the authorization error returned by these APIs does not list
manage_index_templatesas a privilege.Steps to reproduce:
elasticuser, create amytestrole with no cluster privileges:elasticuser, create atestuser with themytestrole:testuser. For example, use the put composable index template API:The request returns the following error message.
manage_index_templatesshould be in the list of privileges but is not included. Onlymanage,allare listed.elasticuser, add themanage_index_templatescluster privilege to themytestrole :testuser, use the above API again. This time, the attempt will succeed.