Author Topic: ElasticSearch permissions: getting host id before installation is complete  (Read 2849 times)

ingvarr
ElasticSearch permissions: getting host id before installation is complete
« on: July 01, 2021, 11:12:37 am »
Hi,

I'd like to use the ES database for other things in addition to Sensei, which means that everyone shall only have access to their own indices. Unfortunately, it is not possible to set proper permissions for the Sensei user without knowing the host id (node-uuid is not set in the beginning). Is there a way to retrieve it or set it to a fixed value somehow?

Th.

sy
Re: ElasticSearch permissions: getting host id before installation is complete
« Reply #1 on: July 01, 2021, 03:54:59 pm »
Hi,

Adding the host uuid to the index names is a premium feature. Are you a licensed user?

ingvarr
Re: ElasticSearch permissions: getting host id before installation is complete
« Reply #2 on: July 02, 2021, 01:19:19 am »
No, I am not a premium user. I want to try it first. But I am hesitant to let ELK run on the appliance.

However, it is not at all obvious how to set up appropriate permissions for Sensei. The manual (https://www.sunnyvalley.io/post/using-remote-elasticsearch-for-sensei-reporting/) is vague: it does say that HOTUUID information is available for premium, but before that it also lists the names of the indices.

Whichever is correct is not that important. I would like to evaluate Sensei, but the documentation seems to assume that the user will give very high privileges in ElasticSearch, which is just a bad idea.
Unfortunately, I am not that familiar with Elastic (trying to avoid the beast usually) — so it is a bit challenging.

Any hint on the right path here will be greatly appreciated.

ingvarr
Re: ElasticSearch permissions: getting host id before installation is complete
« Reply #3 on: July 02, 2021, 02:13:44 am »
Missed it initially:
Quote: "Free and Home tiers will have indexes with [indextype]_[date] format"
Well, that is very unfortunate. Would be much, much more convenient to be able to set a common prefix. Same applies to paid subscription. Otherwise it is implied that I either run a separate moose for Sensei, or trust it utterly...

ingvarr
Re: ElasticSearch permissions: getting host id before installation is complete
« Reply #4 on: July 02, 2021, 02:09:04 pm »
Apparently, index rights were insufficient. It wanted to know something about the cluster.
This is what allowed me to move to the point of creating indices:
Quote
  roles.yml: |-
    stupid_sensei:
      cluster: [ "monitor" ]
      indices:
        - names:
            - "/(conn|http|tls|alert|dns|sip)_[23][0-9][01][0-9][0-9][0-9]/"
          privileges: [ "all" ]

Would be good to know what the vast "monitor" can be reduced to.

ingvarr
Re: ElasticSearch permissions: getting host id before installation is complete
« Reply #5 on: July 02, 2021, 02:26:58 pm »
Apologies again, it is not happening by the manual: it wants permissions for "conn_all", not "conn_<date>" as described.

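Added example, not part of the thread and not Zenarmor or Elasticsearch code: a small offline check of which index names the role pattern from Reply #4 covers, showing why a request for "conn_all" (Reply #5) falls outside it while another tenant's index stays excluded. The sample index names and the helper names are constructed for illustration, and Python's `re` stands in for Elasticsearch's regex syntax, which is an assumption that holds only for simple patterns like this one.

```python
import re

# Index name patterns from the role posted in Reply #4 (copied from the thread).
ROLE_NAMES = ["/(conn|http|tls|alert|dns|sip)_[23][0-9][01][0-9][0-9][0-9]/"]

# Constructed sample names: dated indices in the [indextype]_[date] form, the
# "conn_all" name from Reply #5, and another tenant's index on the same
# cluster that the Sensei role must never cover.
SAMPLE_INDICES = ["conn_210702", "dns_210702", "conn_all", "otherapp_210702"]


def pattern_matches(pattern, index):
    """Check one role pattern against one index name.

    A pattern wrapped in /.../ is a regular expression matched against the
    whole name; anything else is a literal name in which '*' is a wildcard.
    Assumption: Python's re approximates the server-side regex syntax.
    """
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], index) is not None
    wildcard = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(wildcard, index) is not None


def coverage(patterns, indices):
    """Map each index name to the role patterns that cover it."""
    return {i: [p for p in patterns if pattern_matches(p, i)] for i in indices}


def uncovered(patterns, indices):
    """Index names on which the role grants nothing."""
    return [i for i, hits in coverage(patterns, indices).items() if not hits]


if __name__ == "__main__":
    for name, hits in coverage(ROLE_NAMES, SAMPLE_INDICES).items():
        print(f"{name:18} {'covered' if hits else 'NOT covered'}")
    # Hypothetical adjustment: add the one literal name the thread reports,
    # rather than widening the role to a broad wildcard such as "*".
    extended = ROLE_NAMES + ["conn_all"]
    print("still uncovered:", uncovered(extended, SAMPLE_INDICES))
```

Running a candidate role through a check like this before loading it into roles.yml shows both what the client will be denied and whether any other tenant's indices slipped into scope.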