Elasticsearch head requests return 403 when made to readonly index. #3703
Assignees
Labels
>bug
:Distributed/Distributed
A catch all label for anything in the Distributed Area. If you aren't sure, use this one.
v1.6.0
v2.0.0-beta1
Comments
ghost
assigned 
|
I've noticed this behavior as well using |
|
I'm currently having this issue, it can causes some weird situations. If I want to check for the existence of an index, e.g |
|
Setting
As a workaround, you can set |
tlrx
added a commit
to tlrx/elasticsearch
that referenced
this issue
Jan 8, 2015
While looking at elastic#3703, it looks like the usage of 'read_only' is a bit confusing. The documentation stipulates: > index.blocks.read_only > Set to true to have the index read only, false to allow writes and metadata changes. Actually, it blocks all write operations (creating, indexing or deleting a document) but also all read/write operations on index metadata. This can lead to confusion because subsequent 'indices exists' requests will return an undocumented 403 Forbidden response code where one could expect a 200 OK (as reported in elastic#3703). Same for 'type exists' and 'alias exists' requests. Similar issues have been reported: - _status elastic#2833 (deprecated in 1.2.0) - _stats elastic#5876 - /_cat/indices elastic#5855 But several API calls returns a 403 when at least one index of the cluster has 'index.blocks.read_only' set to true: DELETE /_all POST /library/book/1 { "title": "Elasticsearch: the definitive guide" } POST /movies/dvd/1 { "title": "Elasticsearch: the movie" } PUT /library/_settings { "index": { "blocks.read_only": true } } The following calls will return 403 / "ClusterBlockException[blocked by: [FORBIDDEN/5/index read-only (api)];]": HEAD /library HEAD /library/book HEAD /_all/dvd GET /library/_settings GET /library/_mappings GET /library/_warmers GET /library/_aliases GET /_settings GET /_aliases GET /_mappings GET /_cat/indices I agree to @imotov's comment (see elastic#5876 (comment)) and I think we should split the METADATA blocks in METADATA_READ & METADATA_WRITE blocks. This way the 'read_only' setting will block all write operations and metadata updates but the metadata will still be available. This is a first step in this way, closes elastic#3703
|
@tlrx Will this workaround to set "index.block.write: true" not fulfill the need to make the data read only? For logging data, protecting the json documents is what is needed and stopping writes (and hopefully updates and deletes as well) fulfills that need. To protect whole indexes, for example for debugging of the health of the index or whatever "elasticsearch" related need comes up, by making the whole index read only. |
tlrx
added a commit
to tlrx/elasticsearch
that referenced
this issue
Apr 9, 2015
This commit splits the current ClusterBlockLevel.METADATA into two disctins ClusterBlockLevel.METADATA_READ and ClusterBlockLevel.METADATA_WRITE blocks. It allows to make a distinction between an operation that modifies the index or cluster metadata and an operation that does not change any metadata. Before this commit, many operations where blocked when the cluster was read-only: Cluster Stats, Get Mappings, Get Snapshot, Get Index Settings, etc. Now those operations are allowed even when the cluster or the index is read-only. Related to elastic#8102, elastic#2833 Closes elastic#3703 Closes elastic#5855
tlrx
added a commit
to tlrx/elasticsearch
that referenced
this issue
Apr 10, 2015
This commit splits the current ClusterBlockLevel.METADATA into two disctins ClusterBlockLevel.METADATA_READ and ClusterBlockLevel.METADATA_WRITE blocks. It allows to make a distinction between an operation that modifies the index or cluster metadata and an operation that does not change any metadata. Before this commit, many operations where blocked when the cluster was read-only: Cluster Stats, Get Mappings, Get Snapshot, Get Index Settings, etc. Now those operations are allowed even when the cluster or the index is read-only. Related to elastic#8102, elastic#2833 Closes elastic#3703 Closes elastic#5855 Closes elastic#10521 Closes elastic#10522
javanna
added
v2.0.0-beta1
:Cluster
and removed
help wanted
tlrx
added a commit
to tlrx/elasticsearch
that referenced
this issue
Apr 23, 2015
This commit splits the current ClusterBlockLevel.METADATA into two disctins ClusterBlockLevel.METADATA_READ and ClusterBlockLevel.METADATA_WRITE blocks. It allows to make a distinction between an operation that modifies the index or cluster metadata and an operation that does not change any metadata. Before this commit, many operations where blocked when the cluster was read-only: Cluster Stats, Get Mappings, Get Snapshot, Get Index Settings, etc. Now those operations are allowed even when the cluster or the index is read-only. Related to elastic#8102, elastic#2833 Closes elastic#3703 Closes elastic#5855 Closes elastic#10521 Closes elastic#10522
tlrx
added a commit
that referenced
this issue
Apr 23, 2015
This commit splits the current ClusterBlockLevel.METADATA into two disctins ClusterBlockLevel.METADATA_READ and ClusterBlockLevel.METADATA_WRITE blocks. It allows to make a distinction between an operation that modifies the index or cluster metadata and an operation that does not change any metadata. Before this commit, many operations where blocked when the cluster was read-only: Cluster Stats, Get Mappings, Get Snapshot, Get Index Settings, etc. Now those operations are allowed even when the cluster or the index is read-only. Related to #8102 Closes #3703 Closes #5855 Closes #10521 Closes #10522 Closes #2833
clintongormley
added
:Distributed/Distributed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Elasticsearch head requests return 403 when made to readonly index.
curl recreation of issue here.
https://gist.github.com/paulrblakey/6580888
issue originally opened with ruflin/elastica
The text was updated successfully, but these errors were encountered: