'cluster:admin/xpack/monitoring/bulk' privilege for beats_system

NominaSumpta · October 4, 2022, 9:03am

On my Elasticsearch 7.x cluster, the beats_system role has the cluster privileges monitor and cluster:admin/xpack/monitoring/bulk.

The cluster:admin/xpack/monitoring/bulk privilege is not mentioned on Security privileges | Elasticsearch Guide [7.17] | Elastic. I did find the post Privileges for built-in roles, which says:

The bulk monitoring privilege is an action name.
It grants access to a specific internal action.

I looked for a list of 'actions' and 'internal actions' in the Elasticsearch documentation. It doesn't seem like there is a reference for them. I did not find any results in the REST APIs reference either.

Question: what is this 'internal action'?

FWIW: According to Grant privileges and roles needed for monitoring | Filebeat Reference [7.17] | Elastic, a user-made role (as an alternative to using the built-in beats_system role) does NOT need to have this cluster privilege.

matschaffer · October 13, 2022, 6:51am

I believe the internal action being referred to here is the /_monitoring/bulk Elasticsearch endpoint used to deliver monitoring data from Elasticsearch internal collection.

system · November 10, 2022, 6:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
'monitor' privilege for beats_system Elasticsearch elastic-stack-monitoring	2	248	November 10, 2022
Role settings for logging user (Beats) Beats	4	844	January 14, 2017
Beats Internal monitoring Elasticsearch elastic-stack-monitoring	2	427	December 11, 2020
Security_exception: action [indices:admin/rollover] is unauthorized for user [beats] Elasticsearch	2	1309	February 10, 2020
Beats_system role Beats elastic-stack-security , metricbeat	7	2995	December 1, 2020

'cluster:admin/xpack/monitoring/bulk' privilege for beats_system

Related topics