This error occurs when a user lacks the required cluster-level permissions to modify Elasticsearch cluster settings. The error indicates that the user's role does not have the cluster:admin/settings/update privilege, which is needed to change dynamic cluster settings like monitoring configuration or transient settings.
Elasticsearch has role-based access control (RBAC) that restricts which users can perform cluster-level administrative operations. The cluster:admin/settings/update action is a privileged operation that allows users to modify dynamic cluster settings. When a user without this permission attempts to change cluster settings (for example, enabling monitoring or adjusting transient settings), Elasticsearch throws an AccessDeniedException. This is a security feature designed to prevent unauthorized configuration changes.
First, determine which user is encountering the error and what roles they are assigned. You can check this in Kibana:
1. Go to Management > Stack Management > Security > Users
2. Click on the user experiencing the error
3. Note the roles listed in the Roles section
Alternatively, use the Elasticsearch API:
GET /_security/user/{username}

Add the cluster:admin/settings/update privilege to the user's role. In Kibana:
1. Go to Management > Stack Management > Security > Roles
2. Click on the role assigned to the user
3. Under Cluster privileges, add cluster:admin/settings/update
4. Save the role
Or use the Elasticsearch API to create or update a role (the request replaces the whole definition of an existing role, so include every privilege the role should keep):
POST /_security/role/custom_admin_role
{
  "cluster": ["cluster:admin/settings/update", "cluster:monitor"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["manage", "read", "write"]
    }
  ]
}

If this error occurred while enabling monitoring, ensure the user has both cluster:admin/settings/update and the ability to manage monitoring. Create a monitoring role with:
POST /_security/role/monitoring_admin
{
  "cluster": [
    "cluster:admin/settings/update",
    "cluster:monitor",
    "cluster:manage/logstash/pipeline/get"
  ],
  "indices": [
    {
      "names": [".monitoring-*"],
      "privileges": ["manage", "read", "write"]
    }
  ]
}

If the error occurs during ILM policy rollover or updates, the user needs both cluster and index-level permissions:
POST /_security/role/ilm_admin
{
  "cluster": ["manage_ilm", "cluster:admin/settings/update"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["manage", "manage_ilm"]
    }
  ]
}

After updating the role, verify that the user can now perform the operation. Test by:
1. Logging out and back in as the affected user
2. Attempting the operation that previously failed
3. Checking Kibana > Stack Management > Monitoring to confirm monitoring is now enabled (if applicable)
4. Running a cluster settings API call:
GET /_cluster/settings

PUT /_cluster/settings
{
  "transient": {
    "xpack.monitoring.collection.enabled": true
  }
}

System indices (like .kibana, .apm, .monitoring-*) have special restrictions even for users with broad cluster privileges. To modify system index settings, the role must include both the cluster:admin/settings/update privilege and explicit index-level manage permissions on those system indices. Some versions of Elasticsearch require the modify_system_indices cluster privilege in addition to standard admin privileges. When using custom plugins that need to update cluster settings, ensure the service account or user running the plugin has sufficient cluster privileges. For highly restrictive security setups, use attribute-based access control (ABAC) to grant permissions based on specific attributes rather than blanket role assignment.
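Before granting the privilege to another role, it helps to know which roles already carry it. The following is an added example, not code from the original page or from Elastic: it audits role definitions in the shape returned by GET /_security/role and reports which ones can update cluster settings and whether they also hold index privileges on every index. The sample roles are constructed; treating the named privileges all and manage as covering settings updates, and using fnmatch for action patterns, are assumptions of this sketch.

```python
import fnmatch

SETTINGS_UPDATE = "cluster:admin/settings/update"
# Named cluster privileges assumed to cover settings updates as well.
IMPLYING_NAMED = {"all", "manage"}

# Constructed sample in the shape returned by GET /_security/role.
SAMPLE_ROLES = {
    "custom_admin_role": {
        "cluster": ["cluster:admin/settings/update", "cluster:monitor"],
        "indices": [{"names": ["*"], "privileges": ["manage", "read", "write"]}],
    },
    "monitoring_admin": {
        "cluster": ["cluster:admin/settings/update", "cluster:monitor"],
        "indices": [{"names": [".monitoring-*"], "privileges": ["manage"]}],
    },
    "ops_wildcard": {"cluster": ["cluster:admin/*"], "indices": []},
    "read_only": {"cluster": ["monitor"], "indices": []},
}


def grants_settings_update(cluster_privs):
    """Return the entry that allows settings updates, or None."""
    for priv in cluster_privs:
        if priv in IMPLYING_NAMED:
            return priv
        # Action names and patterns contain ':'; fnmatch stands in for the server's matching.
        if ":" in priv and fnmatch.fnmatchcase(SETTINGS_UPDATE, priv):
            return priv
    return None


def audit_roles(roles):
    """Map each role that can update cluster settings to the granting entry
    and whether it also holds index privileges on every index ("*")."""
    findings = {}
    for name, definition in roles.items():
        via = grants_settings_update(definition.get("cluster", []))
        if via is None:
            continue
        grants = definition.get("indices", [])
        wide = any("*" in g.get("names", []) for g in grants)
        findings[name] = {"via": via, "all_indices": wide}
    return findings


if __name__ == "__main__":
    for role, info in audit_roles(SAMPLE_ROLES).items():
        print(f"{role}: via {info['via']}, all indices: {info['all_indices']}")
```

Roles reported with all indices set to True combine settings-update rights with index privileges on "*" and are the first candidates for narrowing.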