WARNING: Version 2.3 of Elasticsearch has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
URL-based access control
editURL-based access control
editMany users use a proxy with URL-based access control to secure access to Elasticsearch indices. For multi-search, multi-get and bulk requests, the user has the choice of specifying an index in the URL and on each individual request within the request body. This can make URL-based access control challenging.
To prevent the user from overriding the index which has been specified in the
URL, add this setting to the config.yml
file:
rest.action.multi.allow_explicit_index: false
The default value is true
, but when set to false
, Elasticsearch will
reject requests that have an explicit index specified in the request body.