'cluster:admin/xpack/monitoring/bulk' privilege for beats_system

On my Elasticsearch 7.x cluster, the beats_system role has the cluster privileges monitor and cluster:admin/xpack/monitoring/bulk.

The cluster:admin/xpack/monitoring/bulk privilege is not mentioned on Security privileges | Elasticsearch Guide [7.17] | Elastic. I did find the post Privileges for built-in roles, which says:

The bulk monitoring privilege is an action name.
It grants access to a specific internal action.

I looked for a list of 'actions' and 'internal actions' in the Elasticsearch documentation. It doesn't seem like there is a reference for them. I did not find any results in the REST APIs reference either.

Question: what is this 'internal action'?

FWIW: According to Grant privileges and roles needed for monitoring | Filebeat Reference [7.17] | Elastic, a user-made role (as an alternative to using the built-in beats_system role) does NOT need to have this cluster privilege.

I believe the internal action being referred to here is the /_monitoring/bulk Elasticsearch endpoint used to deliver monitoring data from Elasticsearch internal collection.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.