Role is reserved the relevant role definition in the mapping file will be ignored – How to solve this Elasticsearch error

Opster Team

Aug-23, Version: 6.8-7.15

Briefly, this error occurs when you attempt to modify a reserved role in Elasticsearch. Reserved roles are built-in and cannot be changed. They are used for specific cluster operations and security. To resolve this issue, you can either use the reserved role as it is, or create a new custom role with the desired permissions. Remember, reserved roles are designed to provide a certain level of access and security, so altering them might affect the system’s stability.

In addition we recommend you run the Elasticsearch Template Optimizer to fix problems in your data modeling.

It will analyze your templates to detect issues and improve search performance, reduce indexing bottlenecks and optimize storage utilization. The Template Optimizer is free and requires no installation.

Log Context

Log “role [{}] is reserved. the relevant role definition in the mapping file will be ignored” classname is FileRolesStore.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :

                    new MemoizedSupplier(() -> licenseState.checkFeature(Feature.SECURITY_DLS_FLS));
                for (String segment : roleSegments) {
                    RoleDescriptor descriptor = parseRoleDescriptor(segment; path; logger; resolvePermission; settings; xContentRegistry);
                    if (descriptor != null) {
                        if (ReservedRolesStore.isReserved(descriptor.getName())) {
                            logger.warn("role [{}] is reserved. the relevant role definition in the mapping file will be ignored";
                                    descriptor.getName());
                        } else if (descriptor.isUsingDocumentOrFieldLevelSecurity() && licenseChecker.get() == false) {
                            logger.warn("role [{}] uses document and/or field level security; which is not enabled by the current license" +
                                    ". this role will be ignored"; descriptor.getName());
                            // we still put the role in the map to avoid unnecessary negative lookups

 

How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?