Remove DELETE /index/type endpoint

[dadoonet]

Heya,

As we did it for #4481, it could be safe not to allow anymore removing a type using:

DELETE /index/type

But only allow:

DELETE /index/type/_mapping
DELETE /index/_mapping/type

It could happen that a user which have previously posted a new document deletes all documents by forgetting to provide the _id.

POST /index/type
{
 "foo" : "bar"
}

# Just change the VERB and you wipe every documents! 
DELETE /index/type
{
 "foo" : "bar"
}

Thoughts?

[kimchy]

I am conflicted, if we remove this, and following the same logic, we should remove DELETE /_index_. On the other hand, can easily see how maybe someone can make a mistake here...

[dadoonet]

So may be we should introduce a new setting like action.destructive_requires_confirmation (default to false) and if set only allow operations like:

# Scenario 1: index level
PUT /{index}

# Will be rejected
DELETE /{index}

# will work
DELETE /{index}/_confirm

# Scenario 2: type level
POST /{index}/{type}
{ "foo" : "bar" }

# Will be rejected
DELETE /{index}/{type}

# Will work
DELETE /{index}/{type}/_confirm

So, we don't break anything with that change which is even better but we let OPS decide if we want to activate that feature or not.

May be there are some cleaner way to do this?
I mean like we do with existing on disk indices which are not in cluster state. We can DELETE an index only after some minutes by setting indices.delete.interval: 5m (default to 0 - means immediate removal).

In that case, the index should not be available anymore for search but we could fire a command like:

DELETE /{index}/_cancel

Any other ideas? Or should we close this "issue"?

[ghoumard]

We make this mistake, so we definitively love to see a circuit-breaker here.
I'm not sure about the indices.delete.interval: 5m , but the action.destructive_requires_confirmation settings looks a good start.

[clintongormley]

We talked about this today and feel that we should keep the existing API, and not try to provide too much protection as we will end up hurting existing users.

What we can do is to reject DELETE requests which come with a body, when a body is not expected.

[clintongormley]

Closed in favour of #8217