[doc] fix the necessary privileges of central pipeline management #16902
Conversation
|
📃 DOCS PREVIEW ✨ https://logstash_bk_16902.docs-preview.app.elstc.co/diff |
| @@ -249,8 +249,7 @@ POST /_security/api_key | |||
| "name": "logstash_host001", <1> | |||
| "role_descriptors": { | |||
| "logstash_monitoring": { <2> | |||
| "cluster": ["monitor"], | |||
| "index": ["read"] | |||
There was a problem hiding this comment.
it gives syntax error
| "indices": [ | ||
| { | ||
| "names": [ "logstash-*" ], | ||
| "privileges": ["read","view_index_metadata"] | ||
| } | ||
| ] |
There was a problem hiding this comment.
These few lines were unfortunately removed by me five years ago
There was a problem hiding this comment.
Nice, thanks for fixing this. Indeed names and privileges are required fields.
| } | ||
| --------------------------------------------------------------- | ||
|
|
||
| . Assign your Logstash users the `logstash_reader` role. If the Logstash user | ||
| will be using | ||
| {logstash-ref}/logstash-centralized-pipeline-management.html[centralized pipeline management], | ||
| also assign the `logstash_admin` role. You can create and manage users from the | ||
| also assign the `logstash_system` role. You can create and manage users from the |
There was a problem hiding this comment.
we need cluster privilege "monitor" to query /_xpack when using central pipeline management.
Elasticsearch has two built-in roles: logstash_admin, logstash_system
logstash_admin
{
"cluster": ["manage_logstash_pipelines"],
"indices": [
{
"names": [ ".logstash*" ],
"privileges": ["create","read","delete","index","manage"]
}
]
}
logstash_system
{
"cluster": ["monitor", "cluster:admin/xpack/monitoring/bulk"]
}
So, we need logstash_system here
| should have the built-in `logstash_admin` role and the customized `logstash_writer` role, which provides access to system | ||
| indices for managing configurations. Starting with Elasticsearch version 7.10.0, the | ||
| `logstash_admin` role inherits the `manage_logstash_pipelines` cluster privilege for centralized pipeline management. | ||
| should have the built-in `logstash_admin` role and `logstash_system` role, which provides access to system |
There was a problem hiding this comment.
The original doc recommend to create a new role logstash_writer for writing indices and for central pipeline management.
logstash_writer
{
"cluster": ["manage_index_templates", "monitor", "manage_ilm"],
"indices": [
{
"names": [ "logstash-*" ],
"privileges": ["write","create","create_index","manage","manage_ilm"]
}
]
}
I think using logstash_system is more align to other examples and user has less step to follow.
| should have the built-in `logstash_admin` role and `logstash_system` role, which provides access to system | ||
| indices for managing configurations. | ||
|
|
||
| NOTE: Starting with Elasticsearch version 7.10.0, the `logstash_admin` role inherits the `manage_logstash_pipelines` cluster privilege for centralized pipeline management. |
There was a problem hiding this comment.
In Logstash 9, we can consider to remove this note about upgrading from 7.x
There was a problem hiding this comment.
Can we create an issue and follow up once we land this change? Thank you!
| @@ -143,8 +144,8 @@ If you're using {es} in {ecloud}, you can set your auth credentials here. | |||
| This setting is an alternative to both `xpack.management.elasticsearch.username` | |||
| and `xpack.management.elasticsearch.password`. If `cloud_auth` is configured, | |||
| those settings should not be used. | |||
| The credentials you specify here should be for a user with the `logstash_admin` role, which | |||
| provides access to system indices for managing configurations. | |||
| The credentials you specify here should be for a user with the `logstash_admin` and `logstash_system` roles, which | |||
There was a problem hiding this comment.
xpack feature need to call /_xpack, so logstash_system is a must
| @@ -1,6 +1,6 @@ | |||
| [discrete] | |||
| [[ls-user-access]] | |||
| === Granting access to the Logstash indices | |||
| === Granting access to the indices Logstash creates | |||
There was a problem hiding this comment.
Ohhhhh, I LIKE this. Nice clarification.
docs/static/settings/configuration-management-settings.asciidoc
Outdated
Show resolved
Hide resolved
| "indices": [ | ||
| { | ||
| "names": [ "logstash-*" ], | ||
| "privileges": ["read","view_index_metadata"] | ||
| } | ||
| ] |
There was a problem hiding this comment.
Nice, thanks for fixing this. Indeed names and privileges are required fields.
docs/static/settings/configuration-management-settings.asciidoc
Outdated
Show resolved
Hide resolved
| should have the built-in `logstash_admin` role and `logstash_system` role, which provides access to system | ||
| indices for managing configurations. | ||
|
|
||
| NOTE: Starting with Elasticsearch version 7.10.0, the `logstash_admin` role inherits the `manage_logstash_pipelines` cluster privilege for centralized pipeline management. |
There was a problem hiding this comment.
Can we create an issue and follow up once we land this change? Thank you!
Co-authored-by: Karen Metts <[email protected]>
docs/static/settings/configuration-management-settings.asciidoc
Outdated
Show resolved
Hide resolved
|
📃 DOCS PREVIEW ✨ https://logstash_bk_16902.docs-preview.app.elstc.co/diff |
|
@logstashmachine backport 8.x |
…6902) CPM requires two roles logstash_admin and logstash_system Co-authored-by: Karen Metts <[email protected]> (cherry picked from commit dc740b4)
|
@logstashmachine backport 8.17 |
|
@logstashmachine backport 7.17 |
…6902) CPM requires two roles logstash_admin and logstash_system Co-authored-by: Karen Metts <[email protected]> (cherry picked from commit dc740b4)
…6902) (#16930) CPM requires two roles logstash_admin and logstash_system Co-authored-by: Karen Metts <[email protected]> (cherry picked from commit dc740b4) Co-authored-by: kaisecheng <[email protected]>
…6902) (#16928) CPM requires two roles logstash_admin and logstash_system Co-authored-by: Karen Metts <[email protected]> (cherry picked from commit dc740b4) Co-authored-by: kaisecheng <[email protected]>
[doc] fix the necessary privileges of central pipeline management
This commit updated the instructions of using central pipeline management with the necessary privileges
fixes: #16905
relates: https://github.com/elastic/ingest-dev/issues/4812