Cluster level permissions needed for CSV export

Elasticsearch version: 7.6.2

Describe the issue: If I want to export search results in Kibana as CSV, I need the indices:data/read/scroll/clear permission on the cluster, even if I have SGS_READ permissions on the index for which I’m exporting data.

Expected behavior: I would expect to be able to generate the CSV, since SGS_READ has indices:data/read* permissions on the index.

Provide logs:
[c.f.s.p.PrivilegesEvaluator] [node1] No cluster-level perm match for User [name=user1, backend_roles=[lots_of_roles], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:data/read/scroll/clear]] [RolesChecked [custom_role, SGS_KIBANA_USER]]

If I assign cluster-level permissions for the role, I can generate the report without a problem. Is that expected behaviour?

I noticed a similar issue in Add certain permissions to a user - #8 by victorvic.

This is expected behaviour indeed.

Index privileges only apply for action requests which carry index names. The clear scroll API does not carry index names, but only cursor IDs (see Clear scroll API | Elasticsearch Guide [8.4] | Elastic).

Thus, despite its name, indices:data/read/scroll/clear needs to be considered as a cluster action.
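
The role change this answer implies, as an added example that is not part of the original thread: an sg_roles.yml fragment in the Search Guard 7.x role format that grants only the one action named in the log at cluster level. The role name custom_role comes from the log line above; custom_role_before and the index pattern example-index-* are placeholders assumed for illustration.

```yaml
# sg_roles.yml fragment (Search Guard 7.x role format).
# "example-index-*" is a placeholder index pattern, not taken from the thread.

# Before: index-level read only. The clear-scroll request sent during the
# CSV export carries scroll (cursor) IDs and no index name, so no
# index_permissions entry can ever match it and the request is denied with
# "No cluster-level perm match ... [indices:data/read/scroll/clear]".
custom_role_before:   # placeholder name, shown only for comparison
  index_permissions:
    - index_patterns:
        - "example-index-*"
      allowed_actions:
        - SGS_READ

# After: the same index-level read access, plus the single action from the
# log granted as a cluster permission. Listing the action explicitly keeps
# the grant narrow instead of widening the role with a broad cluster group.
custom_role:
  cluster_permissions:
    - "indices:data/read/scroll/clear"
  index_permissions:
    - index_patterns:
        - "example-index-*"
      allowed_actions:
        - SGS_READ
```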

Thanks for clearing that up. Makes sense and your answer will help me debug some other issues I had with permissions.
