we upgraded ror from 1.19.2 -> 1.19.5 and _snapshot endpoint is not allowed anymore, not even with full permissions. Repository creation and _cat/snapshots works. The strange thing is that ROR doesn’t even log the forbidden message to log, I only see it from client side.
config:
readonlyrest:
response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
access_control_rules:
- name: “elastic”
auth_key_sha256: “”
type: allow
message: {"error":{"root_cause":[{"reason":"Forbidden by ReadonlyREST ES plugin","due_to":["OPERATION_NOT_ALLOWED"]}],"reason":"Forbidden by ReadonlyREST ES plugin","due_to":["OPERATION_NOT_ALLOWED"],"status":403}}
I am facing similar issue during “PUT _index_template” API when using readonlyrest-1.20.0_es7.8.0.
I am getting the following error message when I try uploading a template with users having full permission sets, while elasticsearch logs say that the access was granted: {"error":{"root_cause":[{"reason":"Forbidden: restricted access area","due_to":["OPERATION_NOT_ALLOWED"]}],"reason":"Forbidden: restricted access area","due_to":["OPERATION_NOT_ALLOWED"],"status":401}}
I’m going to take care of it this week. As soon as I have this fix, I’ll send you a prebuild to test.
This fix will be probably released together with ROR 1.21.0. I’m planning to do two fixes (including this one) and we’ll be ready to release. Maybe this weekend.
@kkt2mail if you are interested in prebuild, please let me know what version of ES you use.
I am seeing this same issue, trying to access: /_snapshot with full permissions returns an OPERATION_NOT_ALLOWED error. This is in ES 6.8.12 with the ror version: readonlyrest-1.22.1_es6.8.12.zip. Is the fix going to be releases soon?
OK, Replying to myself. It works if I use _all i.e: _snapshot/_all, this allow me to workaround the issue, but still the original behavior is a bit unexpected.
We just upgraded to the same versions of both ror and ES (readonlyrest-1.22.1_es6.8.12), and are encountering the same issue. Thanks for the workaround!