OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: ingvarr on July 01, 2021, 11:12:37 am

Title: ElasticSearch permissions: getting host id before installation is complete
Post by: ingvarr on July 01, 2021, 11:12:37 am
Hi,

I'd like to use ES database for other things in addition to Sensei. Which means that everyone shall only have access to own indices. Unfortunately, it is not possible to set proper permissions for Sensei user without knowing the host id (node-uuid is not set in the beginning). Is there a way to retrieve or set to a fixed value somehow?

Th.
Title: Re: ElasticSearch permissions: getting host id before installation is complete
Post by: sy on July 01, 2021, 03:54:59 pm
Hi,

To add host uuid to the indices name is a premium feature. Are you a licensed user?
Title: Re: ElasticSearch permissions: getting host id before installation is complete
Post by: ingvarr on July 02, 2021, 01:19:19 am
No, I am not a premium user. I want to try it first. But I am hesitant to let ELK run on the appliance.

However, it is not at all obvious how to set up appropriate permissions for Sensei. The manual (https://www.sunnyvalley.io/post/using-remote-elasticsearch-for-sensei-reporting/) is vague: it does say that HOTUUID information is available for premium, but before that it also lists the names of the indices.

Whatever is correct, is not that important. I would like to evaluate Sensei, but the documentation seems to assume that the user will give very high privileges in ElasticSearch, which is just a bad idea.
Unfortunately, I am not that familiar with Elastic (trying to avoid the beast usually) — so it is a bit challenging.

Any hint on the right path here will be greatly appreciated.
Title: Re: ElasticSearch permissions: getting host id before installation is complete
Post by: ingvarr on July 02, 2021, 02:13:44 am
Missed it initially:
Quote
Free and Home tiers will have indexes with [indextype]_[date] format
Well, that is very unfortunate. Would be much, much more convenient to be able to set a common prefix. Same applies to paid subscription. Otherwise it is implied that I either run a separate moose for Sensei, or trust it utterly...
Title: Re: ElasticSearch permissions: getting host id before installation is complete
Post by: ingvarr on July 02, 2021, 02:09:04 pm
Apparently, index rights were insufficient. It wanted to know something about the cluster.
This is what allowed me to move to the point of creating indices:
Quote
  roles.yml: |-
    stupid_sensei:
      cluster: [ "monitor" ]
      indices:
        - names:
            - "/(conn|http|tls|alert|dns|sip)_[23][0-9][01][0-9][0-9][0-9]/"
          privileges: [ "all" ]

Would be good to know what the vast "monitor" privilege can be reduced to.
Title: Re: ElasticSearch permissions: getting host id before installation is complete
Post by: ingvarr on July 02, 2021, 02:26:58 pm
Apologies again, it is not happening by the manual: it wants permissions for "conn_all", not "conn_<date>" as described.
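Added example (not from the thread, Sensei or Elasticsearch): a small Python check that evaluates the role definition posted above against a constructed set of index names, so the role's scope can be reviewed before it is handed to an appliance. The posted regex only admits six-digit dates of the form YYMMDD, which is why a name such as "conn_all" falls outside it; the matching rules (slash-wrapped name = regular expression, otherwise a wildcard with "*") follow Elasticsearch role definitions, with Python's re standing in for Lucene regex syntax, and all index names here are constructed samples.

```python
import re

# Role as posted in the thread: "monitor" at cluster level plus "all" on a
# regex-scoped set of indices (slash-wrapped names are regular expressions).
SENSEI_ROLE = {
    "cluster": ["monitor"],
    "indices": [
        {
            "names": ["/(conn|http|tls|alert|dns|sip)_[23][0-9][01][0-9][0-9][0-9]/"],
            "privileges": ["all"],
        }
    ],
}

# Constructed index names: the [indextype]_[date] form described in the thread
# (date as YYMMDD, the only form the regex admits), the "conn_all" name the last
# post reports being requested, and an unrelated index that must stay out of reach.
SAMPLE_INDICES = ["conn_210702", "http_210702", "conn_all", "dns_all", "myapp-logs-2021.07"]


def name_matches(pattern: str, index: str) -> bool:
    """Match one role index-name entry against a concrete index name.

    A name wrapped in slashes is a regular expression anchored to the whole name;
    anything else is a wildcard pattern in which '*' is the only metacharacter.
    """
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], index) is not None
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None


def indices_granted(role: dict, indices: list[str]) -> dict[str, list[str]]:
    """Return {index_name: privileges} for every index the role can touch."""
    granted: dict[str, list[str]] = {}
    for entry in role["indices"]:
        for index in indices:
            if any(name_matches(p, index) for p in entry["names"]):
                granted.setdefault(index, []).extend(entry["privileges"])
    return granted


def coverage_report(role: dict, indices: list[str]) -> tuple[list[str], list[str]]:
    """Split sample indices into (granted, denied) so the role can be reviewed."""
    granted = indices_granted(role, indices)
    return sorted(granted), sorted(set(indices) - set(granted))


if __name__ == "__main__":
    ok, denied = coverage_report(SENSEI_ROLE, SAMPLE_INDICES)
    print("granted:", ok)
    print("denied: ", denied)
```

Run as-is it reports conn_210702 and http_210702 as granted and conn_all, dns_all and the unrelated index as denied, which matches the failure described in the last post without widening the role.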