Custom Logstash user role

Hi,

I'm trying to deploy multiple Logstash instances to two separate k8s namespaces and they both connect to the same Elasticsearch cluster. The problem is that they both write to different ES indices but use the same user role eck_logstash_user_role.

It seems that the role is now hard-coded and cannot be changed? I know I can modify the eck_logstash_user_role to include both indices (either by exact name or by pattern), but then both Logstash instances would be able to write to both indices.

Example:
ES cluster: my-es
Logstash1: writes to sandbox-1
Logstash2: writes to sandbox-2

I configure my ES to add

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: my-es
spec:
  ...
  auth:
    roles:
      - secretName: logstash-user-role-secret
  ...
---
kind: Secret
apiVersion: v1
metadata:
  name: logstash-user-role-secret
stringData:
  roles.yml: |-
    eck_logstash_user_role:
      cluster: [ "monitor", "manage_ilm", "read_ilm", "manage_logstash_pipelines", "manage_index_templates", "cluster:admin/ingest/pipeline/get" ]
      indices:
        - names: [ "sandbox-*", "logstash", "logstash-*", "ecs-logstash", "ecs-logstash-*", "logs-*", "metrics-*", "synthetics-*", "traces-*" ]
          privileges: [ "manage", "write", "create_index", "read", "view_index_metadata" ]

This configuration enables Logstash2 to write to sandbox-2 but it also enables it to write to sandbox-1 and I would like to prevent that from happening.
Bottom line, Logstash1 should only be able to write to sandbox-1 and Logstash2 should only be able to write to sandbox-2.

It seems that Logstash will always use the eck_logstash_user_role no matter what.

Am I missing something or is this feature missing?

Best regards,
Rok

Hi,

you can create separate roles for each Logstash instance and assign them to separate users. This way, each Logstash instance will have its own user and role, and you can control the indices they can write to.

Regards
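As an added example (not configuration from the thread), here is the Elasticsearch side of the suggestion above: one role per Logstash instance, each narrowed to its own index, plus one file-realm user per role, all declared on the Elasticsearch CRD rather than in the shared eck_logstash_user_role. The names `logstash-scoped-roles`, `logstash1_writer`, `logstash1-user` and the passwords are made up; how each Logstash instance is pointed at its own user is not covered here.

```yaml
# Added example: a least-privilege role and user per Logstash instance.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: my-es
spec:
  auth:
    roles:
      - secretName: logstash-scoped-roles     # hypothetical name
    fileRealm:
      - secretName: logstash1-user            # hypothetical name
      - secretName: logstash2-user            # hypothetical name
---
kind: Secret
apiVersion: v1
metadata:
  name: logstash-scoped-roles
stringData:
  roles.yml: |-
    # Same cluster privileges as the default role; only the index
    # pattern is narrowed, so neither role can touch the other's index.
    logstash1_writer:
      cluster: [ "monitor", "manage_ilm", "read_ilm", "manage_logstash_pipelines", "manage_index_templates", "cluster:admin/ingest/pipeline/get" ]
      indices:
        - names: [ "sandbox-1" ]
          privileges: [ "manage", "write", "create_index", "read", "view_index_metadata" ]
    logstash2_writer:
      cluster: [ "monitor", "manage_ilm", "read_ilm", "manage_logstash_pipelines", "manage_index_templates", "cluster:admin/ingest/pipeline/get" ]
      indices:
        - names: [ "sandbox-2" ]
          privileges: [ "manage", "write", "create_index", "read", "view_index_metadata" ]
---
# File-realm users: with the username/password/roles keys ECK hashes the
# password itself, so no bcrypt hash has to be produced by hand.
kind: Secret
apiVersion: v1
metadata:
  name: logstash1-user
stringData:
  username: logstash1
  password: REPLACE-WITH-A-GENERATED-PASSWORD   # placeholder
  roles: logstash1_writer
---
kind: Secret
apiVersion: v1
metadata:
  name: logstash2-user
stringData:
  username: logstash2
  password: REPLACE-WITH-A-GENERATED-PASSWORD   # placeholder
  roles: logstash2_writer
```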

Hi,

I get that, but is there a way in the Logstash CRD to define which role the logstash instance should use? Or in the Elasticsearch CRD?

Otherwise I guess the only way would be to patch the <logstash-namespace-and-name>-<elastic-namespace-name>-logstash-user secret after it is created by the operator by changing the user role, or I guess create the secret manually (but then I would have to know the exact name of the secret in advance AND I have to know how to hash the password).

Regards,
Rok

Hmm it seems I cannot patch the secret as it is managed by the operator. Every time I try to change the content of the secret, the operator immediately changes it back. So the user role of the logstash user cannot be changed manually.

I believe this is a missing feature in the operator and Logstash CRD

Regards,
Rok
