POST /my-index-000001/_clone/cloned-my-index-000001
Using an unrestricted user, adding the write block and attempting to clone, the logs report the following 3 ALLOWED actions: ACT:indices:admin/get, ACT:indices:admin/block/add, ACT:indices:admin/resize
Then the script fails with: elasticsearch.exceptions.AuthenticationException: AuthenticationException(401, {'root_cause': [{'reason': 'forbidden', 'due_to': ['OPERATION_NOT_ALLOWED']}], 'reason': 'forbidden', 'due_to': ['OPERATION_NOT_ALLOWED'], 'status': 401}, 'forbidden')
but the logs do not include a FORBIDDEN or ALLOWED operation so I am unable to figure out what the issue is.
Does the filter block all actions by default and only allow specified operations? The indices:admin/block/add operation does not seem to be in the Elasticsearch documentation either, so I wonder if some action strings are getting missed and then blocked by default.
It’s really strange you don’t get a “FORBIDDEN” log line when ROR returns a 401. Have you tweaked the log4j settings? Are you able to produce a “FORBIDDEN” log line under normal circumstances when you try with cURL or something?
In trying to figure out which actions I needed to allow, the 3 actions I listed initially produced a forbidden result in the logs. I added them to the access control policy and they went into allowed state in the logs, but the process still returned a 401 with no additional log output.
@coutoPL do I recall correctly we have a catch-all “FORBIDDEN” response when we have a crash in the ACL? If yes, how about logging more info where it crashed?
In most cases ROR is going to inform you in the logs that something was wrong. Sometimes it also helps to enable debug logs.
Maybe I have good news for you. Recently, we fixed an issue with the ES reindex request, which is also used by the ES _clone API. Please try this pre-build