SGS_LOGSTASH push only?

sascha.herzinger · November 18, 2019, 2:46pm

Hello,

We were wondering whether it is possible to model a append only (no update/delete/read) role with SG for usage with beats?
By default the SGS_LOGSTASH role grants bulk access, which appears to imply access for all write operations.

The Elastic security model apparently allows for this:

The reason being that we have many VMs with beats, but not everyone with access to a single VM should get full access to the logs of all VMs by reading out the passwords in the /etc/*beat.yml file.

hsaly · November 18, 2019, 4:11pm

Guess this would be possible with immutable indices: Immutable indices | Security for Elasticsearch | Search Guard

sascha.herzinger · November 19, 2019, 7:25am

Thank you for your response hsaly, that looks very promising.
I’ve got a few questions, however:

Is it possible to use wildcards to configure this (e.g. *beat*)? Beats are constantly creating new indices, so are ILM policies (e.g. rollover)
Does this prevent ILMs from working, as they can close and delete indices?
Have you any experience using immutable indices in combination with beats? I’m not sure what API calls the beats require in order to work correctly.
Do I understand correctly, that I can no longer backup these indices as snapshot operations are forbidden?

hsaly · December 4, 2019, 11:28am

I’ve got a few questions, however:

Is it possible to use wildcards to configure this (e.g. beat)? Beats are constantly creating new indices, so are ILM policies (e.g. rollover)

Yes, you can use patterns or regex here

Does this prevent ILMs from working, as they can close and delete indices?

Yes that might happen because immutable indices are (yet) defined globally

Have you any experience using immutable indices in combination with beats? I’m not sure what API calls the beats require in order to work correctly.

From our experience this should work

Do I understand correctly, that I can no longer backup these indices as snapshot operations are forbidden?

Backup(=snapshot) should be working well but you can not restore under a name which matches any of the defined immutable indices/patterns

sascha.herzinger · December 4, 2019, 12:29pm

Hi hsaly,

I apoligise I haven’t updated the post this week.
We actually tried it and can confirm that it works, just as you describe.

We have now “push-only” beats.

Thank you for the support!

system · December 25, 2019, 12:36pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash not working with SG - no permissions for indices:data/write/bulk Search Guard	6	575	November 11, 2016
Unable to apply index-level security Feature Requests	9	1161	May 28, 2019
sg_roles.yml and matching indexes Search Guard	2	626	June 17, 2016
Help with roll mapping Search Guard	3	395	February 6, 2018
Kibanaserver user: No permissions for indices:admin/mappings/get* and indices:monitor/stats Search Guard	4	3748	April 27, 2021

SGS_LOGSTASH push only?

Related Topics