Action monitor/main is unauthorized for API key #580

Closed
bartbroere opened this issue Aug 28, 2023 · 2 comments

@bartbroere
Contributor

When using eland with an Elasticsearch instance that authorizes using an API key, I often get this error:

elasticsearch.AuthorizationException: AuthorizationException(403, "security_exception", "action [cluster:monitor/main] is unauthorized for API key id [...] of user [...], this action is granted by the cluster privileges [monitor,manage,all]",)

This is triggered because some functionality is switched on or off depending on the version of Elasticsearch you are connecting to.

I can solve it in my code by first making the Elasticsearch connection, and then modifying its attribute _eland_es_version, setting it to the version number I'm using.

import elasticsearch
from eland import DataFrame

elastic_client = elasticsearch.Elasticsearch(
    "https://omitted.us-central1.gcp.cloud.es.io:443",
    api_key="...")

elastic_client._eland_es_version = (8, 9, 1)

df = DataFrame(elastic_client,
               'search-*')

Is there a different way to check the version of the Elasticsearch host, one that requires fewer permissions perhaps?

Here's the code that determines the version number currently: https://github.com/elastic/eland/blob/f14bbaf4b0ed072ce2c74cfb2511c25c3c547cd6/eland/common.py#L318C1-L341

@droberts195
Contributor

Action cluster:monitor/main corresponds to the root REST endpoint of Elasticsearch, i.e. /.

The clients use this to determine whether they're talking to Elasticsearch.

I think the best solution is to give your API keys permission to call this endpoint. Instead of granting a high level cluster privilege that would give wide access you should be able to just add cluster:monitor/main to the cluster privileges you're currently granting. (It's possible to use individual action names in addition to high level privilege names when creating role definitions.)
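
Added example, not part of the original thread or of eland's code: a sketch of the narrow grant described in the comment above, which reads the denied action out of the 403 reason text and adds only that action name to a role descriptor instead of `monitor`, `manage` or `all`. The role contents, the names `eland-readonly` and `eland_reader`, and the index privilege `read` are assumptions made for illustration.

```python
import json
import re

# Shape of the 403 reason text quoted in the issue above.
_REASON = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized.*?"
    r"granted by the cluster privileges \[(?P<broad>[^\]]*)\]"
)


def parse_denied_action(reason):
    """Return (action, broad_privileges) from a security_exception reason."""
    m = _REASON.search(reason)
    if m is None:
        raise ValueError("not a cluster-privilege security_exception")
    broad = [p.strip() for p in m.group("broad").split(",") if p.strip()]
    return m.group("action"), broad


def grant_single_action(descriptor, reason):
    """Copy a role descriptor, adding only the denied action name."""
    action, broad = parse_denied_action(reason)
    if not action.startswith("cluster:"):
        raise ValueError("only cluster-level actions are handled here")
    cluster = list(descriptor.get("cluster", []))
    # Skip the grant if a broad privilege in the role already covers the action.
    if action not in cluster and not set(cluster) & set(broad):
        cluster.append(action)
    updated = dict(descriptor)
    updated["cluster"] = cluster
    return updated


# Constructed sample: reason text as quoted in the issue, role is assumed.
SAMPLE_REASON = (
    "action [cluster:monitor/main] is unauthorized for API key id [...] "
    "of user [...], this action is granted by the cluster privileges "
    "[monitor,manage,all]"
)
EXISTING_ROLE = {  # hypothetical read-only role for the eland user
    "cluster": [],
    "indices": [{"names": ["search-*"], "privileges": ["read"]}],
}

if __name__ == "__main__":
    role = grant_single_action(EXISTING_ROLE, SAMPLE_REASON)
    # Body for the create API key request (POST /_security/api_key).
    print(json.dumps({"name": "eland-readonly",
                      "role_descriptors": {"eland_reader": role}}, indent=2))
```

An API key's effective privileges are the intersection of its role descriptors and the owning user's privileges, so the user creating the key must already be allowed `cluster:monitor/main`.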

@bartbroere
Contributor Author

@droberts195 Thanks for your reply. For an API key, setting a wider scope might be a solution. The first time I encountered this issue, however, was in a corporate environment, with an Elasticsearch deployment linked to LDAP. In that case, the user might not have the luxury of being able to grant additional permissions.

In #581 I propose a small change that falls back to a default code path if the server's version cannot be determined, instead of raising the error. Maybe this can be a nice solution.
