Using clone API fails with 401 but generates no logs

Using Elasticsearch: 7.9.1-1
and ROR: Pro-1.24.0_es7.8.1

I am unable to perform the clone operation: Clone index API | Elasticsearch Guide [7.9] | Elastic

POST /my-index-000001/_clone/cloned-my-index-000001

Using an unrestricted user adding the write block and attempting to clone, the logs report the following 3 ALLOWED actions:
ACT:indices:admin/get
ACT:indices:admin/block/add
ACT:indices:admin/resize

Then the script fails with:
elasticsearch.exceptions.AuthenticationException: AuthenticationException(401, {'root_cause': [{'reason': 'forbidden', 'due_to': ['OPERATION_NOT_ALLOWED']}], 'reason': 'forbidden', 'due_to': ['OPERATION_NOT_ALLOWED'], 'status': 401}, 'forbidden')

but the logs do not include a FORBIDDEN or ALLOWED operation so I am unable to figure out what the issue is.

Does the filter block all actions by default and only allow specified operations? The indices:admin/block/add operation does not seem to be in the Elasticsearch documentation either, so I wonder if some action strings are getting missed and then blocked by default.

Hi @rsmith, thanks for reaching out. We do have the indices:admin/block/add listed.

It’s really strange you don’t get a “FORBIDDEN” log line when ROR returns a 401. Have you tweaked the log4j settings? Are you able to produce a “FORBIDDEN” log line under normal circumstances when you try with cURL or something?

I haven’t changed the log4j settings.

In trying to figure out which actions I needed to allow, the 3 actions I listed initially produced a forbidden result in the logs. I added them to the access control policy and they went into allowed state in the logs, but the process still returned a 401 with no additional log output.

I have found your action lists: readonlyrest-docs/actionstrings at master · beshu-tech/readonlyrest-docs · GitHub but it is hard to know which action string a particular operation triggers if I can’t see the denied action in the logs.

@coutoPL do I recall correctly we have a catch-all “FORBIDDEN” response when we have a crash in the ACL? If yes, how about logging more info where it crashed?

In most cases ROR is going to inform you in the logs that something was wrong. Sometimes enabling debug logs also helps.

Maybe I have good news for you. Recently, we fixed an issue with the ES reindex request, which is also used by the ES _clone API. Please try this pre-build
