Logstash elasticsearch input receives a 403 unauthorized when querying hidden indices behind an alias #220

Open
@samanosuke26

Description

Logstash information:

Please include the following information:

  1. Logstash version 8.16.1
  2. Logstash installation source? rpm
  3. How is Logstash being run? Systemd
  4. How was the Logstash Plugin installed? embedded plugin logstash-input-elasticsearch-4.20.4

JVM (e.g. java -version): openjdk version 21.0.5

OS version (uname -a if on a Unix-like system): Linux 5.15.0-303.171.5.2.1.el8uek.x86_64

Description of the problem including expected versus actual behavior:
Expected behavior:
the logstash pipeline will successfully query the indices that are mapped to the alias ".siem-signals-default".

Reality:
The pipeline fails to query and there is a 403 unauthorized error in the log despite the logstash_custom role having permissions to those indices. Verified by successfully running the same query in cURL with a user using the same role. Adding the index name to the logstash_writer role permissions solves the issue.

Steps to reproduce:

Create a LS pipeline that reads from a hidden alias such as ".siem-signals-default".

Please include a minimal but complete recreation of the problem, including (e.g.) pipeline definition(s), settings, locale, etc. The easier you make it for us to reproduce it, the more likely that somebody will take the time to look at it.

  1. Logstash_internal user with logstash_custom role:

[screenshot: user and role assignment]

  2. logstash_writer role with ".siem-signals-default" read permissions:

[screenshot: role index privileges]

  3. Pipeline being tested:

[screenshot: pipeline definition]

Provide logs (if relevant):
Error in log on pipeline execution:

[screenshot: 403 error from the pipeline log]

Extra notes:
cURLing with this query and user/role gave successful results.

Adding new test aliases to the index pattern and user role and attempting to query those from the LS pipeline also failed.

The aliases are assigned by the index template.

Screenshot of alias settings:

[screenshot: alias settings]

GET .siem-signals-default/_alias :

[screenshot: _alias response]
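The reporter states that granting the role the alias name alone was not enough for the Logstash pipeline, while adding the concrete index name fixed it. A quick way to check which backing indices a role's index-name patterns actually leave uncovered, and to build the request that asks the cluster itself, is shown below. This is an added example written for this page; it is not code from the issue, from Logstash, or from the logstash-input-elasticsearch plugin. The `_alias` response, the index names and the role patterns are all constructed for the example; the `_has_privileges` body follows the shape Elasticsearch's `POST /_security/user/<user>/_has_privileges` API accepts, but the example never contacts a cluster.

```ruby
require 'json'

# Constructed sample of a `GET .siem-signals-default/_alias` response (not real
# cluster output): keys are the concrete indices, each listing the aliases that
# point at it. Index and alias names are assumptions made for this example.
SAMPLE_ALIAS_RESPONSE = <<~JSON
  {
    ".siem-signals-default-000001": {
      "aliases": { ".siem-signals-default": { "is_hidden": true } }
    },
    ".siem-signals-default-000002": {
      "aliases": { ".siem-signals-default": { "is_hidden": true, "is_write_index": true } }
    },
    "logstash-2024.12.01": {
      "aliases": { "logstash-current": {} }
    }
  }
JSON

# Concrete indices that carry the given alias, sorted for stable output.
def backing_indices(alias_response_json, alias_name)
  JSON.parse(alias_response_json)
      .select { |_index, meta| (meta['aliases'] || {}).key?(alias_name) }
      .keys
      .sort
end

# Elasticsearch role index patterns use `*` as the only wildcard. The match is
# anchored so that a grant on ".siem-signals-default" does not silently count
# as covering ".siem-signals-default-000001".
def pattern_to_regexp(pattern)
  Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z')
end

# Indices that none of the role's index-name patterns cover.
def uncovered_indices(indices, role_patterns)
  regexps = role_patterns.map { |p| pattern_to_regexp(p) }
  indices.reject { |index| regexps.any? { |re| re.match?(index) } }
end

# Request body for `POST /_security/user/<user>/_has_privileges`, which asks
# the cluster whether the user holds `privileges` on each concrete backing
# index rather than only on the alias name.
def has_privileges_body(indices, privileges = ['read'])
  JSON.generate({ 'index' => [{ 'names' => indices, 'privileges' => privileges }] })
end

if __FILE__ == $PROGRAM_NAME
  indices = backing_indices(SAMPLE_ALIAS_RESPONSE, '.siem-signals-default')
  # Assumed role grant for the demo: the alias name only, plus a logstash-* pattern.
  role_patterns = ['.siem-signals-default', 'logstash-*']
  puts "backing indices: #{indices.inspect}"
  puts "not covered by role patterns: #{uncovered_indices(indices, role_patterns).inspect}"
  puts "_has_privileges body: #{has_privileges_body(indices)}"
end
```

Paste the real `_alias` output and the role's `names` list in place of the constructed values; an index listed as uncovered is one the pipeline can only reach if the alias-level grant is honoured, which is exactly the point the reporter is questioning. Sending the generated body to `_has_privileges` as the Logstash user gives a per-index yes/no from the cluster without touching the pipeline.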
