I have a working curator delete script that works when I run it from my very privileged admin account. I am trying to get it to work with a curator role and I want to limit the actions to exactly what is required.
This is how the role is defined:

curator:
  cluster: monitor
  indices:
    '.shield_audit_log-*':
      - indices:admin/delete
      - indices:admin/exists
      - indices:admin/get
When I run the curator script as the curator account I get a message saying no indices found. I am looking to remove indices that are more than 7 days old. Again when I run the curator account in my full admin role, it does find and remove the indices.
Sorry, that was a typo when I was entering the post. I do not have the .-shield but rather .shield. Like I said, when I use my credentials it works, but not with the credentials I have set up for the curator roles.
I believe curator gets the list of indices through the get settings API.
A side note, one way to determine the necessary privileges would be to look at the access_granted entries in the audit log from your administrative user when curator is interacting with Shield.
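As an added illustration of that side note (example code, not from this thread): a small Python parser over constructed, Shield-style audit log lines that collects the actions a principal was granted, split into cluster-level and index-level privileges, plus the actions it was denied. The line layout and field names are assumed from Shield's default audit output and may differ between versions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Shield's default audit log
# (assumption: field order and names may vary with the Shield version).
SAMPLE_AUDIT_LOG = """\
[2016-01-12 09:00:01,120] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.5], principal=[admin], action=[cluster:monitor/state]
[2016-01-12 09:00:01,131] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.5], principal=[admin], action=[indices:admin/get], indices=[.shield_audit_log-2016.01.02,.shield_audit_log-2016.01.03]
[2016-01-12 09:00:01,140] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.5], principal=[admin], action=[indices:admin/delete], indices=[.shield_audit_log-2016.01.02]
[2016-01-12 09:00:02,000] [node-1] [transport] [access_denied] origin_type=[rest], origin_address=[10.0.0.9], principal=[curator], action=[indices:admin/get], indices=[.shield_audit_log-2016.01.02]
[2016-01-12 09:00:05,000] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.7], principal=[kibana], action=[indices:data/read/search], indices=[.kibana]
"""

LINE_RE = re.compile(r"\[(?P<event>access_granted|access_denied)\]\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_line(line):
    """Return a dict of the key=[value] fields of one audit line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    fields["event"] = m.group("event")
    # indices=[a,b] is a comma-separated list; absent for cluster actions
    fields["indices"] = [i for i in fields.get("indices", "").split(",") if i]
    return fields


def required_privileges(log_text, principal):
    """Actions granted to `principal`: (sorted cluster actions,
    {index action: sorted index names it touched})."""
    cluster, index_actions = set(), defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["event"] != "access_granted" or ev.get("principal") != principal:
            continue
        if ev["action"].startswith("cluster:"):
            cluster.add(ev["action"])
        else:
            index_actions[ev["action"]].update(ev["indices"])
    return sorted(cluster), {a: sorted(i) for a, i in index_actions.items()}


def denied_actions(log_text, principal):
    """Actions `principal` was denied, i.e. what its role still lacks."""
    events = (parse_line(l) for l in log_text.splitlines())
    return sorted({ev["action"] for ev in events
                   if ev and ev["event"] == "access_denied" and ev.get("principal") == principal})
```

Run it over the admin user's audit entries from a curator run to get the minimal action list for the role, then over the restricted user's entries to see which actions are still being denied.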
These are the methods that are called. I don't really understand why the list option did not work. Also, when using the list format, I did not get entries in the security log; once I switched to the single line option as shown above I could see the entries in the log.