How to give manage_ilm permission to logstash user

Hi
I am trying to use index lifecycle management with default logstash user but we are getting error because logstash doesn’t have manage_ilm permission. (Configuring Security in Logstash | Logstash Reference [6.7] | Elastic)
How can I add this permission to Search Guard Role: sg_logstash?
I couldn’t find such permission in dropbox.

logstash config:

ilm_enabled => true
ilm_rollover_alias => "iis-iislog"
ilm_pattern => "000001"
ilm_policy => "general-policy"
template_name => "iis-iislog"
hosts => ["https://hostname1:9200", "https://hostname2:9200"]
user => "logstash"
password => "logstash"
ssl => true
cacert => "/etc/logstash/ssl/root-ca.pem"
ssl_certificate_verification => true

Thanks!

We will add a new built-in role for ILM in the next release.

@cstaley Could you comment on the workaround until we have this released? Thx!

Please have a look here: https://github.com/floragunncom/search-guard/issues/694

Try

sg_logstash:  
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - "indices:admin/template/*"
    - "indices:admin/ilm/*"
    - cluster:admin/ingest/pipeline/put
    - cluster:admin/ingest/pipeline/get
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
        - MANAGE
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX
        - MANAGE

Hi,
Thanks for the suggestion.
I tried but got a failure message on logstash startup.

[2019-05-14T08:04:39,602][FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError: LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError>, :backtrace=>[“/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/manticore_adapter.rb:80:in perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:291:in perform_request_to_url’”, “/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:278:in block in perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:373:in with_connection’”, “/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:277:in perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:285:in block in Pool’”, “/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client.rb:341:in exists?'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client.rb:386:in ilm_policy_exists?'”, “/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/ilm.rb:33:in verify_ilm_readiness'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/common.rb:50:in block in 
setup_after_successful_connection’”]}

# For logstash and beats
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - "indices:admin/template/*"
    - "indices:admin/ilm/*"
    - cluster:admin/ingest/pipeline/put
    - cluster:admin/ingest/pipeline/get
  indices:
    '*':
      '*':
        - CRUD
        - CREATE_INDEX
        - MANAGE

I tested this with ES/SG V7, but it should also work with V6. Note that if you use any index other than the regular logstash and beats indices, you need to grant the permissions also to these indices. I have inserted a '<your index pattern>' placeholder in the configs:

Logstash ILM role V7 config:

sg_logstash_ilm:
  cluster_permissions:
    - SGS_CLUSTER_MONITOR
    - SGS_CLUSTER_COMPOSITE_OPS
    - 'indices:admin/template/*'
    - 'cluster:admin/ingest/pipeline/put'
    - 'cluster:admin/ingest/pipeline/'
    - 'cluster:admin/ilm/*'
  index_permissions:
    - index_patterns:
      - 'logstash-*'
      - '*beat*'
      - '<your index pattern>'
      allowed_actions:
        - SGS_CRUD
        - SGS_MANAGE
        - "indices:admin/ilm/*"

V6 style config:

sg_logstash_ilm:  
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - "indices:admin/template/*"
    - "cluster:admin/ingest/pipeline/put"
    - "cluster:admin/ingest/pipeline/"
    - "cluster:admin/ilm/*"
  indices:
    'logstash-*':
      '*':
        - CRUD
        - MANAGE
        - "indices:admin/ilm/*"
    '*beat*':
      '*':
        - CRUD
        - MANAGE
        - "indices:admin/ilm/*"
    '<your index pattern>':
      '*':
        - CRUD
        - MANAGE
        - "indices:admin/ilm/*" 

So for example, if you use an index alias in your ILM logstash config like:

ilm_rollover_alias => "iis-iislog"

You need to add this index pattern to the role definition as well.
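Added example, not part of the thread and not Search Guard code: a small pre-deployment check that reports why a role like the ones above cannot serve a given `ilm_rollover_alias`, and flags catch-all index patterns. Assumptions: `*` wildcards are approximated with Python's `fnmatch`, action groups such as `SGS_CLUSTER_MONITOR` are not expanded, and `cluster:admin/ilm/get` is used as a representative action under the thread's `cluster:admin/ilm/*` pattern.

```python
from fnmatch import fnmatchcase

# V7-style role from the thread, transcribed as a dict (constructed sample;
# the '<your index pattern>' placeholder is left out on purpose).
SG_LOGSTASH_ILM = {
    "cluster_permissions": [
        "SGS_CLUSTER_MONITOR", "SGS_CLUSTER_COMPOSITE_OPS",
        "indices:admin/template/*", "cluster:admin/ilm/*",
    ],
    "index_permissions": [{
        "index_patterns": ["logstash-*", "*beat*"],
        "allowed_actions": ["SGS_CRUD", "SGS_MANAGE", "indices:admin/ilm/*"],
    }],
}


def permits(granted, action):
    """True if any granted entry (literal or wildcard) matches the action."""
    return any(fnmatchcase(action, g) for g in granted)


def covering_patterns(role, index_name):
    """Index patterns in the role that match a concrete index or alias name."""
    return [p for block in role["index_permissions"]
            for p in block["index_patterns"] if fnmatchcase(index_name, p)]


def ilm_gaps(role, rollover_alias, ilm_pattern="000001"):
    """Return the reasons this role cannot serve the given ILM output."""
    gaps = []
    # Assumed action name; the policy lookup is a cluster-level action.
    if not permits(role["cluster_permissions"], "cluster:admin/ilm/get"):
        gaps.append("cluster: no cluster:admin/ilm/* permission")
    # Check both the alias and the first backing index (<alias>-<pattern>).
    for name in (rollover_alias, f"{rollover_alias}-{ilm_pattern}"):
        if not covering_patterns(role, name):
            gaps.append(f"index: no pattern covers {name}")
    return gaps


def broad_patterns(role):
    """Patterns that grant the role's index actions on every index."""
    return [p for block in role["index_permissions"]
            for p in block["index_patterns"] if p in ("*", "_all")]
```

Adding a narrow pattern such as `iis-iislog*` closes the index gaps without falling back to `'*'`, which `broad_patterns` reports.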
