Briefly, this error occurs when a user or client tries to perform an action on Elasticsearch indices but doesn’t have the necessary permissions. This is typically due to incorrect or insufficient role settings. To resolve this issue, you can: 1) Review and update the role settings to ensure the user has the necessary permissions. 2) Check the Elasticsearch security settings and ensure they are correctly configured. 3) If using X-Pack security, ensure the user has the correct roles assigned. Always remember to restart Elasticsearch after making changes to the configuration.
This guide will help you check for common problems that cause the log ” {}[transport] [access_denied]\t{}; {}; roles=[{}]; action=[{}]; indices=[{}]; request=[{}]{} ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.
Log Context
Log “{}[transport] [access_denied]\t{}; {}; roles=[{}]; action=[{}]; indices=[{}]; request=[{}]{}” classname is DeprecatedLoggingAuditTrail.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
if (eventFilterPolicyRegistry.ignorePredicate().test(new AuditEventMetaInfo(Optional.of(authentication.getUser());
Optional.of(effectiveRealmName(authentication)); Optional.of(authorizationInfo); indices)) == false) {
final LocalNodeInfo localNodeInfo = this.localNodeInfo;
final String[] roleNames = (String[]) authorizationInfo.asMap().get(LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME);
if (indices.isPresent()) {
logger.info("{}[transport] [access_denied]\t{}; {}; roles=[{}]; action=[{}]; indices=[{}]; request=[{}]{}";
localNodeInfo.prefix; originAttributes(threadContext; message; localNodeInfo); subject(authentication);
arrayToCommaDelimitedString(roleNames); action; arrayToCommaDelimitedString(indices.get());
message.getClass().getSimpleName(); opaqueId());
} else {
logger.info("{}[transport] [access_denied]\t{}; {}; roles=[{}]; action=[{}]; request=[{}]{}"; localNodeInfo.prefix;
