Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
414 views
in Technique[技术] by (71.8m points)

logstash - Elasticsearch put role API

I started using the create role API and it works as expected : https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role.html

I got the list of default roles in elasticsearch, /_security/role but I don't know to create the following roles and not able to find the proper docs for it.

I want to segregate the user based on the following needs,

  1. Role which has the privilege to perform only READ / WRITE in all the indices in Elastic Search (This role should not have privilege to CREATE / DELETE indices
  2. Role which has the privilege to perform only operations on Kibana
  3. Role which has the privilege to perform only operations on Logstash
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I want to segregate the user based on the following needs,

  • Role which has the privilege to perform only operations on Kibana
  • Role which has the privilege to perform only operations on Logstash

when Creating / Updating a role, you can find all valid privileges in security privilege of elasticsearch 7.x documentation then add / delete some of them into the role you update.

The role setup below should cover typical use cases of Kibana and Logstash :

  • For Logstash user
    • add manage_index_templates to cluster privilege list
    • add create_index and index to indice privilege list, for each index pattern
    • you may need create or create_doc in the indice privilege list, in case that you generate _id field of a document externally (instead of auto-generated ID by elasticsearch)
    • assign the new role you created to whatever users you like
# Quick example, with POST request /_security/role/my_logstash_role

{
  "cluster": ["manage_index_templates"],
  "indices": [
    {
      "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
      "privileges": ["create_index", "index"],
    }
  ],
  "applications": [
    {
      "application": "YOUR_APP_NAME",
      "privileges": [ "YOUR_APP_PRIV" ],
    }
  ],
}
  • For Kibana user
    • add read to indice privilege list, for each index pattern
    • assign the new role you created, and built-in role kibana_system to whatever users you like, note kibana_system includes (1) a cluster privilege named monitor and (2) access permissions to some index patterns e.g. .kibana*, .reporting-*, .monitoring-* , which are required by Kibana.
    • if you also use DevTool console of Kibana to interact with elasticsearch REST API, you may need to add few more privileges like write,delete,manage ...etc to the role, which highly depends on the API endpoints you attempt to call.
# Quick example, with POST request /_security/role/my_kibana_role

{
  "cluster": [],
  "indices": [
    {
      "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
      "privileges": ["read"],
    }
  ],
  "applications": [
    {
      "application": "YOUR_APP_NAME",
      "privileges": [ "YOUR_CUSTOM_APP_PRIV" ],
    }
  ],
}

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...