I want to segregate users based on the following needs:
- Role which has the privilege to perform only operations on Kibana
- Role which has the privilege to perform only operations on Logstash
When creating / updating a role, you can find all valid privileges in the security privileges section of the Elasticsearch 7.x documentation, then add / delete some of them in the role you update.
The role setup below should cover typical use cases of Kibana and Logstash:
- For Logstash user
  - add `manage_index_templates` to the cluster privilege list
  - add `create_index` and `index` to the indices privilege list, for each index pattern
  - you may need `create` or `create_doc` in the indices privilege list, in case you generate the `_id` field of a document externally (instead of the auto-generated ID by Elasticsearch)
  - assign the new role you created to whatever users you like
```
# Quick example, with POST request /_security/role/my_logstash_role
{
  "cluster": ["manage_index_templates"],
  "indices": [
    {
      "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
      "privileges": ["create_index", "index"]
    }
  ],
  "applications": [
    {
      "application": "YOUR_APP_NAME",
      "privileges": [ "YOUR_APP_PRIV" ]
    }
  ]
}
```
- For Kibana user
  - add `read` to the indices privilege list, for each index pattern
  - assign the new role you created, and the built-in role `kibana_system`, to whatever users you like; note `kibana_system` includes (1) a cluster privilege named `monitor` and (2) access permissions to some index patterns, e.g. `.kibana*`, `.reporting-*`, `.monitoring-*`, which are required by Kibana.
  - if you also use the Dev Tools console of Kibana to interact with the Elasticsearch REST API, you may need to add a few more privileges like `write`, `delete`, `manage`, etc. to the role, which highly depends on the API endpoints you attempt to call.
```
# Quick example, with POST request /_security/role/my_kibana_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "logstash-*", "YOUR_INDEX_PATTERN_2" ],
      "privileges": ["read"]
    }
  ],
  "applications": [
    {
      "application": "YOUR_APP_NAME",
      "privileges": [ "YOUR_CUSTOM_APP_PRIV" ]
    }
  ]
}
```
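An added example, not part of the original answer: an offline check that a role request body stays within the privileges listed above for its purpose, so extra privileges added later (for instance for Dev Tools use) are noticed before the role is posted. The names `PROFILES` and `audit_role` and the sample bodies are hypothetical, and treating `*` and dot-prefixed index patterns as findings is an assumption of this example.

```python
import json

# Allow-lists copied from the role setup in the answer above. Assumption: a
# privilege outside them is a prompt for manual review, not proof of a fault.
PROFILES = {
    "logstash": {"cluster": {"manage_index_templates"},
                 "index": {"create_index", "index", "create", "create_doc"}},
    "kibana": {"cluster": set(), "index": {"read"}},
}

def audit_role(body, profile):
    """Return a list of findings for a role request body (JSON text)."""
    allowed = PROFILES[profile]
    role = json.loads(body)  # raises ValueError on invalid JSON (e.g. trailing commas)
    findings = []
    for priv in role.get("cluster", []):
        if priv not in allowed["cluster"]:
            findings.append(f"cluster privilege '{priv}' not expected for {profile}")
    for entry in role.get("indices", []):
        names = entry.get("names", [])
        for name in names:
            # "*" covers every index; dot-prefixed patterns reach indices such as
            # .kibana*, which the answer says are granted through kibana_system.
            if name == "*" or name.startswith("."):
                findings.append(f"index pattern '{name}' is broader than a data index pattern")
        for priv in entry.get("privileges", []):
            if priv not in allowed["index"]:
                findings.append(f"index privilege '{priv}' on {names} not expected for {profile}")
    return findings

# Constructed sample request bodies (not taken from a real cluster).
GOOD_LOGSTASH = json.dumps({
    "cluster": ["manage_index_templates"],
    "indices": [{"names": ["logstash-*"], "privileges": ["create_index", "index"]}],
})
DRIFTED_KIBANA = json.dumps({
    "cluster": [],
    "indices": [{"names": ["*"], "privileges": ["read", "write", "delete"]}],
})

if __name__ == "__main__":
    for label, body, profile in (("logstash", GOOD_LOGSTASH, "logstash"),
                                 ("kibana", DRIFTED_KIBANA, "kibana")):
        for finding in audit_role(body, profile) or ["ok"]:
            print(f"{label}: {finding}")
```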