Description
opened on Feb 24, 2023
In Elasticsearch 8.0, direct access to system indices was intentionally made much more difficult by Elasticsearch. Kibana uses system indices (`.watches` and `.watcher_history`) for the "Watcher" part of Stack Management. It looks like it makes a request to `_security/user/has_privileges` for the .watches and .watcher_history system indices, and only shows the Watcher link if the user has read access to them. And then it does a search request directly on the .watches index. The problem is that, due to the changes in Elasticsearch in 8.0, users have to add that read privilege to their role using the "allow_restricted_indices" flag like this:
```
curl -k -u elastic:password -X POST "localhost:9200/_security/role/my_watcher_admin_role?pretty" -H 'Content-Type: application/json' -d'
{
  "indices": [
    {
      "names": [ ".watches", ".watcher_history" ],
      "privileges": ["read"],
      "allow_restricted_indices": true
    }
  ]
}
'
```
But I don't think that Kibana will let you use that flag (I could be wrong).
I think this can now be done without accessing system indices at all. There is now an API for fetching all watches (elastic/elasticsearch#64582) that does not require permission to read any system indices directly. If it can't be done without direct access to those indices then the @elastic/es-data-management team probably needs to add whatever is missing.
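An added example, not part of the original issue or of Kibana/Elasticsearch code: a small audit that finds roles relying on `allow_restricted_indices` to read the Watcher indices named above, so they can be reviewed once the watches API is used instead. It assumes role definitions in the shape returned by `GET _security/role`, that the `monitor_watcher` / `manage_watcher` cluster privileges cover the watches API, and it approximates index wildcards with `fnmatch`; the sample roles are constructed.

```python
from fnmatch import fnmatchcase

# Index names as written in the issue above.
WATCHER_INDICES = (".watches", ".watcher_history")
READ_PRIVS = {"read", "all"}
# Assumption: cluster privileges that permit the Watcher APIs.
WATCHER_CLUSTER_PRIVS = {"monitor_watcher", "manage_watcher", "all"}


def audit_roles(roles):
    """Return one finding per role that can read Watcher indices directly."""
    findings = []
    for name, role in sorted(roles.items()):
        exposed = set()
        for entry in role.get("indices", []):
            # Without the flag, a pattern does not reach restricted indices.
            if not entry.get("allow_restricted_indices", False):
                continue
            if not READ_PRIVS & set(entry.get("privileges", [])):
                continue
            for pattern in entry.get("names", []):
                # fnmatch is an approximation of Elasticsearch wildcard matching.
                exposed.update(i for i in WATCHER_INDICES if fnmatchcase(i, pattern))
        if exposed:
            cluster = set(role.get("cluster", []))
            findings.append({
                "role": name,
                "indices": sorted(exposed),
                # True means the direct index grant is a candidate for removal.
                "has_watcher_cluster_priv": bool(WATCHER_CLUSTER_PRIVS & cluster),
            })
    return findings


# Constructed sample roles (hypothetical names except the one from the issue).
SAMPLE_ROLES = {
    "my_watcher_admin_role": {"cluster": [], "indices": [
        {"names": [".watches", ".watcher_history"], "privileges": ["read"],
         "allow_restricted_indices": True}]},
    "watcher_api_only": {"cluster": ["monitor_watcher"], "indices": []},
    "broad_reader": {"cluster": ["monitor_watcher"], "indices": [
        {"names": ["*"], "privileges": ["read"], "allow_restricted_indices": True}]},
    "logs_reader": {"cluster": [], "indices": [
        {"names": ["*"], "privileges": ["read"], "allow_restricted_indices": False}]},
}

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES):
        print(finding)
```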