I was implementing least privilege on Elasticsearch using an IP-based access policy that denies ESHttpDelete. It was discovered, while running some code, that helpers.scan() raised this error:

{"Message":"User: anonymous is not authorized to perform: es:ESHttpDelete with an explicit deny in a resource-based policy"}

That would be expected if a delete were being attempted. I can't find anything in the documentation for this function, helpers.scan(client, index=index_name, search_body), that would have it deleting anything. helpers.scan() doesn't do anything with delete, and the query provided by search_body doesn't contain anything that would indicate it is using ESHttpDelete.

As a fix, someone replaced helpers.scan() with client.search(index=index_name,body=search_body,scroll=, size=10000). However, it seems that this solution isn't doing the same thing, and it seems to be returning a different number of results. Perhaps it has to do with the size parameter; I'm not sure. I don't think he is iterating through to make sure he produces all the results in the final file, as the original code didn't have a size limitation.

I'm looking for help to put this back to the original code so the results stay the same, or to make the client.search() produce the same as helpers.scan(). I know I didn't give you all the code that comprises search_body. Thanks!

Jennifer Crosby
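An added example, not part of the original post and not code from elasticsearch-py: in that library, helpers.scan() clears its scroll context when it finishes (clear_scroll=True by default), and that clean-up is an HTTP DELETE to /_search/scroll, which is the request an explicit deny on es:ESHttpDelete rejects. The sketch below pages through every hit with search() and scroll() only, so no DELETE is sent. `scan_without_delete`, `StubClient`, `demo` and the index name are hypothetical, and the stub stands in for a real client so the block runs offline.

```python
def scan_without_delete(client, index, body, scroll="5m", size=1000):
    """Yield every hit for `body`, paging with the scroll API and never
    calling clear_scroll (the DELETE request the policy denies)."""
    resp = client.search(index=index, body=body, scroll=scroll, size=size)
    while True:
        hits = resp["hits"]["hits"]
        if not hits:
            break  # an empty page means the scroll is exhausted
        yield from hits
        # The scroll id may change between pages; always send the newest one.
        resp = client.scroll(scroll_id=resp["_scroll_id"], scroll=scroll)


class StubClient:
    """Constructed stand-in for an Elasticsearch client behind a policy that
    denies es:ESHttpDelete. It records which client methods were called."""

    def __init__(self, docs):
        self.docs, self.pos, self.size, self.calls = docs, 0, 0, []

    def _page(self):
        page = self.docs[self.pos:self.pos + self.size]
        self.pos += len(page)
        return {"_scroll_id": f"constructed-{self.pos}", "hits": {"hits": page}}

    def search(self, index, body, scroll, size):
        self.calls.append("search")
        self.pos, self.size = 0, size
        return self._page()

    def scroll(self, scroll_id, scroll):
        self.calls.append("scroll")
        return self._page()

    def clear_scroll(self, scroll_id):
        # In the real client this is DELETE /_search/scroll.
        self.calls.append("clear_scroll")
        raise PermissionError("es:ESHttpDelete explicitly denied")


def demo():
    docs = [{"_id": str(i)} for i in range(25)]  # constructed sample data
    client = StubClient(docs)
    query = {"query": {"match_all": {}}}
    hits = list(scan_without_delete(client, "my-index", query, size=10))
    return hits, client.calls


if __name__ == "__main__":
    hits, calls = demo()
    print(len(hits), calls)
```

Because the scroll context is never cleared explicitly, it stays open on the cluster until the scroll timeout expires, so keep that timeout short. Passing clear_scroll=False to helpers.scan() skips the same clean-up call while keeping the original code.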

0 Answers