On my Elasticsearch 7.x cluster, the `beats_system` role has the index privileges `create_index` and `create`.
According to Security privileges | Elasticsearch Guide [7.17] | Elastic, roles with the index `create` privilege may:
index documents, allowing overwriting any existing document, but not permitting updating one.
According to that same document, the index `create_doc` privilege does NOT allow for overwriting:
Privilege to index new documents, without allowing overwriting or updating existing ones.
According to Grant privileges and roles needed for monitoring | Filebeat Reference [7.17] | Elastic, a user-made role (as an alternative to using the built-in `beats_system` role) should have the index `create_index` and `create_doc` privileges.
Questions:
- Why does the built-in `beats_system` role have the index `create` privilege instead of the index `create_doc` privilege?
- How could I replace the index `create` privilege with the index `create_doc` privilege for the `beats_system` role? I am unable to update it because it's built in.