How to give manage_ilm permission to logstash user

#1

Hi
I am trying to use index lifecycle management with the default logstash user, but we are getting an error because logstash doesn’t have the manage_ilm permission. (https://www.elastic.co/guide/en/logstash/6.7/ls-security.html)
How can I add this permission to Search Guard Role: sg_logstash?
I couldn’t find such a permission in dropbox.

logstash config:

ilm_enabled => true
ilm_rollover_alias => "iis-iislog"
ilm_pattern => "000001"
ilm_policy => "general-policy"
template_name => "iis-iislog"
hosts => ["https://hostname1:9200", "https://hostname2:9200"]
user => "logstash"
password => "logstash"
ssl => true
cacert => "/etc/logstash/ssl/root-ca.pem"
ssl_certificate_verification => true


Thanks!

#2

We will add a new built-in role for ILM in the next release.

@cstaley Could you comment on the workaround until we have this released? Thx!

#5

Please have a look here: https://github.com/floragunncom/search-guard/issues/694

#6

Try

sg_logstash:  
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - "indices:admin/template/*"
    - "indices:admin/ilm/*"
    - cluster:admin/ingest/pipeline/put
    - cluster:admin/ingest/pipeline/get
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
        - MANAGE
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX
        - MANAGE

#7

Hi,
Thanks for the suggestion.
I tried but got a failure message on logstash startup.

[2019-05-14T08:04:39,602][FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError: LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/manticore_adapter.rb:80:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:291:in `perform_request_to_url'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:278:in `block in perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:373:in `with_connection'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:277:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:285:in `block in Pool'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client.rb:341:in `exists?'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client.rb:386:in `ilm_policy_exists?'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/ilm.rb:33:in `verify_ilm_readiness'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/common.rb:50:in `block in setup_after_successful_connection'"]}

# For logstash and beats
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - "indices:admin/template/*"
    - "indices:admin/ilm/*"
    - cluster:admin/ingest/pipeline/put
    - cluster:admin/ingest/pipeline/get
  indices:
    '*':
      '*':
        - CRUD
        - CREATE_INDEX
        - MANAGE
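
An added example, not part of the thread and not Search Guard or Logstash code: a Python check of whether a role's explicit cluster patterns match the action behind the call that fails in the trace above, plus a flag for index grants as broad as `'*'` with MANAGE. It assumes that `ilm_policy_exists?` issues GET _ilm/policy/<name>, that Elasticsearch authorizes it as `cluster:admin/ilm/get`, and that action groups are resolved separately; the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Cluster permissions of sg_logstash, copied from the role posted in the thread.
THREAD_CLUSTER_PERMS = [
    "CLUSTER_MONITOR", "CLUSTER_COMPOSITE_OPS",
    "indices:admin/template/*", "indices:admin/ilm/*",
    "cluster:admin/ingest/pipeline/put", "cluster:admin/ingest/pipeline/get",
]

# Assumption: the transport action Elasticsearch checks for the call that fails
# in the stack trace (ilm_policy_exists? -> GET _ilm/policy/<name>).
REQUIRED_ACTIONS = {"ilm_policy_exists?": "cluster:admin/ilm/get"}


def split_permissions(perms):
    """Separate action-group names (no ':') from explicit action patterns."""
    groups = [p for p in perms if ":" not in p]
    patterns = [p for p in perms if ":" in p]
    return groups, patterns


def uncovered_actions(perms, required=REQUIRED_ACTIONS):
    """Return {caller: action} for required actions no explicit pattern matches.

    Action groups are not expanded here; resolve them against your own
    sg_action_groups.yml before trusting a 'missing' verdict.
    """
    _, patterns = split_permissions(perms)
    return {
        caller: action
        for caller, action in required.items()
        if not any(fnmatchcase(action, pat) for pat in patterns)
    }


def broad_index_grants(indices):
    """List index patterns that give MANAGE on every index (least-privilege check)."""
    return [
        idx for idx, types in indices.items()
        if idx.strip("*") == "" and any("MANAGE" in p for p in types.values())
    ]


if __name__ == "__main__":
    print("missing:", uncovered_actions(THREAD_CLUSTER_PERMS))
    # Hypothetical narrower addition covering only the policy lookup.
    print("missing:", uncovered_actions(THREAD_CLUSTER_PERMS + ["cluster:admin/ilm/get"]))
    print("broad:", broad_index_grants({"*": {"*": ["CRUD", "CREATE_INDEX", "MANAGE"]}}))
```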