
Error Log: “AuthorizationException: User lacks permissions” – The access denied error

November 19, 2025

Error Log: This error occurs after a user has successfully authenticated (logged in) but then tries to perform an action they are not allowed to do.

[WARN ][o.o.s.p.PrivilegesInterceptor] [your-node-name]
  SecurityException:
    User [read_only_user] does not have the required permissions
    [indices:data/write:bulk] for [indices:data/write:bulk[s]]
(org.opensearch.security.privileges.PrivilegesInterceptor)

The client will typically receive an HTTP 403 Forbidden response:
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [indices:data/write:bulk] and User [name=read_only_user, ...]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [indices:data/write:bulk] and User [name=read_only_user, ...]"
  },
  "status": 403
}

Why… is this happening? This is an authorization failure, not an authentication one. The user’s login was successful, but their role does not grant them the specific permission needed for the API call they just made.

In the example above:

  • The user read_only_user successfully logged in.
  • They then tried to perform a bulk write operation.
  • The Security plugin checked their roles, found no role that grants the indices:data/write:bulk permission, and therefore blocked the request with an AuthorizationException.

Best Practice:

  1. Read the Error: The error message is very specific. It tells you the User (read_only_user) and the exact Permission they are missing (indices:data/write:bulk).
  2. Check Role Mappings: Your first step is to check roles_mapping.yml (or the equivalent section in OpenSearch Dashboards). Find the user and see which roles they are mapped to.
    • Internal Users: The mapping might be directly in internal_users.yml under the roles: key.
    • External Users (LDAP/SAML): The mapping will be in roles_mapping.yml under the backend_roles: or users: key.
  3. Check Roles: Once you know the user’s roles, check roles.yml (or the Roles UI in Dashboards). Look at each role and inspect its index_permissions and cluster_permissions.
  4. Add the Permission: To fix this, you must edit the correct role (in roles.yml) and add the missing permission to the appropriate allowed_actions list.
  5. Reload Security Settings: After editing roles.yml or roles_mapping.yml, you must run the securityadmin.sh script to apply the changes to the cluster. (If you make changes in the Dashboards UI, this is done for you).
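The fragments below, written as an added example rather than taken from the page or from the OpenSearch project's shipped configuration, show what steps 2 to 5 look like in the two files named above. Instead of widening the existing read-only role (which would silently grant write access to every other user mapped to it), a separate role scoped to one index pattern is created and the user from the log is mapped to it. The role name, the index pattern and the backend role name are constructed; the action string uses the slash form OpenSearch uses for the bulk action, with a trailing wildcard so that the per-shard `[s]` variant named in the log is covered as well. In a real file each fragment sits under the file's `_meta` header (`type: roles` / `type: rolesmapping`, `config_version: 2`).

```yaml
# roles.yml (constructed fragment, not the project's own file)
# A dedicated write role scoped to one index pattern. The read-only role is
# left untouched, so everyone else mapped to it stays read-only.
logs_bulk_writer:
  reserved: false
  hidden: false
  cluster_permissions:
    # Bulk, mget and msearch are composite requests; the Security plugin also
    # checks them at cluster level, which this action group covers.
    - "cluster_composite_ops"
  index_permissions:
    - index_patterns:
        - "app-logs-*"            # constructed pattern: narrow, never "*"
      allowed_actions:
        # Matches indices:data/write/bulk and the per-shard bulk[s] action
        # that the log names. Add indices:data/write/index only if the
        # client also sends single-document index requests.
        - "indices:data/write/bulk*"
  tenant_permissions: []

# roles_mapping.yml (constructed fragment, not the project's own file)
# The user keeps its existing read-only mapping; effective permissions are
# the union of every role the user is mapped to.
logs_bulk_writer:
  reserved: false
  users:
    - "read_only_user"            # the user from the log above
  backend_roles:
    - "svc-log-shippers"          # constructed LDAP/SAML group name
```

After editing, upload the changed files with securityadmin.sh from the node's installation directory, for example `plugins/opensearch-security/tools/securityadmin.sh -cd config/opensearch-security/ -icl -nhnv -cacert <admin-ca.pem> -cert <admin-cert.pem> -key <admin-key.pem>` (the certificate paths are placeholders for your admin certificate); `-f roles.yml -t roles` limits the upload to a single file. Re-run the bulk request afterwards and confirm the `PrivilegesInterceptor` warning no longer appears for that user and action: if it still does, the user was mapped to a role that was never uploaded, or the index written to falls outside `index_patterns`.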

What else can I do? Creating the “least privilege” roles can be complex. If you’re not sure which permissions to add or how to structure your roles, ask the OpenSearch community for examples. For help designing a complete security and tenancy model, contact us in The OpenSearch Slack Channel in #General.
