ElasticSearch permissions: getting host id before installation is complete

Started by ingvarr, July 01, 2021, 11:12:37 AM

Hi,

I'd like to use ES database for other things in addition to Sensei. Which means that everyone shall only have access to own indices. Unfortunately, it is not possible to set proper permissions for Sensei user without knowing the host id (node-uuid is not set in the beginning). Is there a way to retrieve or set to a fixed value somehow?

Th.

Hi,

To add host uuid to the indices name is a premium feature. Are you a licensed user?

No, I am not a premium user. I want to try it first. But I am hesitant to let ELK run on the appliance.

However, it is not at all obvious how to set up appropriate permissions for Sensei. The manual (https://www.sunnyvalley.io/post/using-remote-elasticsearch-for-sensei-reporting/) is vague: it does say that HOTUUID information is available for premium, but before that it also lists the names of the indices.

Whatever is correct, is not that important. I would like to evaluate Sensei, but the documentation seems to assume that the user will give very high privileges in ElasticSearch, which is just a bad idea.
Unfortunately, I am not that familiar with Elastic (trying to avoid the beast usually) — so it is a bit challenging.

Any hint on the right path here will be greatly appreciated.

Missed it initially:
Quote: Free and Home tiers will have indexes with [indextype]_[date] format
Well, that is very unfortunate. Would be much, much more convenient to be able to set a common prefix. Same applies to paid subscription. Otherwise it is implied that I either run a separate moose for Sensei, or trust it utterly...

Apparently, index rights were insufficient. It wanted to know something about the cluster.
This is what allowed me to move to the point of creating indices:
Quote:
roles.yml: |-
    stupid_sensei:
      cluster: [ "monitor" ]
      indices:
        - names:
            - "/(conn|http|tls|alert|dns|sip)_[23][0-9][01][0-9][0-9][0-9]/"
          privileges: [ "all" ]

Would be good to know what the vast "monitor" can be reduced to.

Apologies again, it is not happening by the manual: it wants permissions for "conn_all", not "conn_<date>" as described.
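A small checker, added here as an example and not part of the thread or of Sensei, that evaluates an Elasticsearch role's `names` entries (slash-wrapped regex or wildcard) against candidate index names, so a least-privilege role can be verified offline before it is granted. It reproduces why the quoted role rejects `conn_all`, and shows an expanded pattern (my assumption, not from the manual) that admits the `<type>_all` names alongside the dated ones. Python's `re` stands in for Lucene regex syntax; that approximation holds for patterns this simple.

```python
import re
import fnmatch

# Pattern quoted in the thread: only "<type>_YYMMDD" indices are covered.
ORIGINAL_PATTERN = "/(conn|http|tls|alert|dns|sip)_[23][0-9][01][0-9][0-9][0-9]/"
# Assumed expansion: also admit the "<type>_all" indices Sensei tried to create.
EXPANDED_PATTERN = "/(conn|http|tls|alert|dns|sip)_([23][0-9][01][0-9][0-9][0-9]|all)/"

# Constructed sample index names: two dated, two "_all", two that must stay out of scope.
SAMPLE_INDICES = ["conn_210701", "http_210701", "conn_all", "dns_all", "kibana_1", "conn_2021"]


def pattern_matches(pattern: str, index: str) -> bool:
    """Evaluate one 'names' entry of an Elasticsearch role against an index name.

    Elasticsearch treats an entry enclosed in forward slashes as a regular
    expression and anything else as a wildcard pattern. Python's re module is
    used here as an approximation of Lucene regex syntax (assumption).
    """
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], index) is not None
    return fnmatch.fnmatchcase(index, pattern)


def allowed_indices(patterns, candidates):
    """Return the sorted subset of candidates that at least one pattern covers."""
    return sorted(i for i in candidates if any(pattern_matches(p, i) for p in patterns))


def uncovered_indices(patterns, required):
    """Return the required index names the role would refuse; empty means the role suffices."""
    return sorted(i for i in required if not any(pattern_matches(p, i) for p in patterns))


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PATTERN), ("expanded", EXPANDED_PATTERN)):
        print(label, "allows:", allowed_indices([pattern], SAMPLE_INDICES))
        print(label, "refuses:", uncovered_indices([pattern], ["conn_210701", "conn_all"]))
```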