-
Notifications
You must be signed in to change notification settings - Fork 24.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Elasticsearch head requests return 403 when made to readonly index. #3703
Comments
I've noticed this behavior as well using |
I'm currently having this issue, it can causes some weird situations. If I want to check for the existence of an index, e.g |
Setting
As a workaround, you can set |
While looking at elastic#3703, it looks like the usage of 'read_only' is a bit confusing. The documentation stipulates: > index.blocks.read_only > Set to true to have the index read only, false to allow writes and metadata changes. Actually, it blocks all write operations (creating, indexing or deleting a document) but also all read/write operations on index metadata. This can lead to confusion because subsequent 'indices exists' requests will return an undocumented 403 Forbidden response code where one could expect a 200 OK (as reported in elastic#3703). Same for 'type exists' and 'alias exists' requests. Similar issues have been reported: - _status elastic#2833 (deprecated in 1.2.0) - _stats elastic#5876 - /_cat/indices elastic#5855 But several API calls returns a 403 when at least one index of the cluster has 'index.blocks.read_only' set to true: DELETE /_all POST /library/book/1 { "title": "Elasticsearch: the definitive guide" } POST /movies/dvd/1 { "title": "Elasticsearch: the movie" } PUT /library/_settings { "index": { "blocks.read_only": true } } The following calls will return 403 / "ClusterBlockException[blocked by: [FORBIDDEN/5/index read-only (api)];]": HEAD /library HEAD /library/book HEAD /_all/dvd GET /library/_settings GET /library/_mappings GET /library/_warmers GET /library/_aliases GET /_settings GET /_aliases GET /_mappings GET /_cat/indices I agree to @imotov's comment (see elastic#5876 (comment)) and I think we should split the METADATA blocks in METADATA_READ & METADATA_WRITE blocks. This way the 'read_only' setting will block all write operations and metadata updates but the metadata will still be available. This is a first step in this way, closes elastic#3703
@tlrx Will this workaround to set "index.block.write: true" not fulfill the need to make the data read only? For logging data, protecting the json documents is what is needed and stopping writes (and hopefully updates and deletes as well) fulfills that need. To protect whole indexes, for example for debugging of the health of the index or whatever "elasticsearch" related need comes up, by making the whole index read only. |
This commit splits the current ClusterBlockLevel.METADATA into two disctins ClusterBlockLevel.METADATA_READ and ClusterBlockLevel.METADATA_WRITE blocks. It allows to make a distinction between an operation that modifies the index or cluster metadata and an operation that does not change any metadata. Before this commit, many operations where blocked when the cluster was read-only: Cluster Stats, Get Mappings, Get Snapshot, Get Index Settings, etc. Now those operations are allowed even when the cluster or the index is read-only. Related to elastic#8102, elastic#2833 Closes elastic#3703 Closes elastic#5855
This commit splits the current ClusterBlockLevel.METADATA into two disctins ClusterBlockLevel.METADATA_READ and ClusterBlockLevel.METADATA_WRITE blocks. It allows to make a distinction between an operation that modifies the index or cluster metadata and an operation that does not change any metadata. Before this commit, many operations where blocked when the cluster was read-only: Cluster Stats, Get Mappings, Get Snapshot, Get Index Settings, etc. Now those operations are allowed even when the cluster or the index is read-only. Related to elastic#8102, elastic#2833 Closes elastic#3703 Closes elastic#5855 Closes elastic#10521 Closes elastic#10522
This commit splits the current ClusterBlockLevel.METADATA into two disctins ClusterBlockLevel.METADATA_READ and ClusterBlockLevel.METADATA_WRITE blocks. It allows to make a distinction between an operation that modifies the index or cluster metadata and an operation that does not change any metadata. Before this commit, many operations where blocked when the cluster was read-only: Cluster Stats, Get Mappings, Get Snapshot, Get Index Settings, etc. Now those operations are allowed even when the cluster or the index is read-only. Related to elastic#8102, elastic#2833 Closes elastic#3703 Closes elastic#5855 Closes elastic#10521 Closes elastic#10522
This commit splits the current ClusterBlockLevel.METADATA into two disctins ClusterBlockLevel.METADATA_READ and ClusterBlockLevel.METADATA_WRITE blocks. It allows to make a distinction between an operation that modifies the index or cluster metadata and an operation that does not change any metadata. Before this commit, many operations where blocked when the cluster was read-only: Cluster Stats, Get Mappings, Get Snapshot, Get Index Settings, etc. Now those operations are allowed even when the cluster or the index is read-only. Related to #8102 Closes #3703 Closes #5855 Closes #10521 Closes #10522 Closes #2833
Elasticsearch head requests return 403 when made to readonly index.
curl recreation of issue here.
https://gist.github.com/paulrblakey/6580888
issue originally opened with ruflin/elastica
The text was updated successfully, but these errors were encountered: