I'm using Filebeat and I have created 3 data streams.
PUT _data_stream/data_s1-2022.06.08
PUT _data_stream/data_s2-2022.06.08
PUT _data_stream/data_s3-2022.06.08
And created 3 aliases for those data streams:
POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "data_s1-2022.06.08",
        "alias": "data_s1",
        "is_write_index": true
      }
    }
  ]
}
POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "data_s2-2022.06.08",
        "alias": "data_s2",
        "is_write_index": true
      }
    }
  ]
}
POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "data_s3-2022.06.08",
        "alias": "data_s3",
        "is_write_index": true
      }
    }
  ]
}
Then an API key to give permissions:
POST /_security/api_key
{
  "name": "filebeat_datastreams",
  "role_descriptors": {
    "filebeat_writer": {
      "cluster": ["monitor", "manage_ingest_pipelines"],
      "index": [
        {
          "names": ["data_s1", "data_s2", "data_s3"],
          "privileges": ["create_doc", "auto_configure"]
        }
      ]
    }
  }
}
After giving the API key to Filebeat, all works well for data_s1 and data_s3, but data_s2 complains:
action [indices:admin/mapping/auto_put] is unauthorized for API key id [ID] of user [elastic] on indices [.ds-data_s2-2022.06.08-2022.06.08-000001], this action is granted by the index privileges [auto_configure,manage,write,all]\"}
I can say that data_s2 is generated by the netflow Filebeat module for version 8.1.0; the other data streams work well.
- My use case requires the minimum privilege for the API key.
- I can't understand why the privilege is requested by the backing index if the other data streams work well.
- I need to resolve the indirection level using the alias on Elasticsearch for management reasons.
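
A triage helper for the denial quoted above, as an added example that is not part of the original post: it parses the error line, reports which privilege held by the key would grant the action and which index name in the error is not literally listed in the role descriptor, and builds a request body for Elasticsearch's `_security/user/_has_privileges` API to be sent while authenticated with the API key. The function names and the literal name comparison are assumptions of this sketch; it does not model how Elasticsearch resolves aliases or data streams.

```python
import json
import re

# Error line copied from the post (trailing JSON debris dropped).
ERROR = (
    "action [indices:admin/mapping/auto_put] is unauthorized for API key id [ID] "
    "of user [elastic] on indices [.ds-data_s2-2022.06.08-2022.06.08-000001], "
    "this action is granted by the index privileges [auto_configure,manage,write,all]")

# "index" section of the role descriptor from the post.
ROLE_INDEX = [{"names": ["data_s1", "data_s2", "data_s3"],
               "privileges": ["create_doc", "auto_configure"]}]

PATTERN = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for API key id \[(?P<key_id>[^\]]+)\] "
    r"of user \[(?P<user>[^\]]+)\] on indices \[(?P<indices>[^\]]+)\], "
    r"this action is granted by the index privileges \[(?P<granted_by>[^\]]+)\]")

def parse_denial(line):
    """Split an index authorization denial into its fields."""
    m = PATTERN.search(line)
    if m is None:
        raise ValueError("not an index authorization denial")
    d = m.groupdict()
    d["indices"] = [s.strip() for s in d["indices"].split(",")]
    d["granted_by"] = [s.strip() for s in d["granted_by"].split(",")]
    return d

def triage(line, role_index):
    """Return (denial, sufficient, unlisted, has_privileges_body)."""
    denial = parse_denial(line)
    names = sorted({n for entry in role_index for n in entry["names"]})
    held = sorted({p for entry in role_index for p in entry["privileges"]})
    # Privileges the key already holds that the error says would grant the action.
    sufficient = [p for p in held if p in denial["granted_by"]]
    # Names the denial was evaluated on that the role does not list literally.
    unlisted = [i for i in denial["indices"] if i not in names]
    # Body for GET /_security/user/_has_privileges: check the same privileges
    # on the alias names and on the backing index named in the error.
    body = {"index": [{"names": names + unlisted, "privileges": held}]}
    return denial, sufficient, unlisted, body

if __name__ == "__main__":
    denial, sufficient, unlisted, body = triage(ERROR, ROLE_INDEX)
    print("denied action:", denial["action"], "| held and sufficient:", sufficient)
    print("not listed in role:", unlisted)
    print(json.dumps(body, indent=2))
```

The per-name result of that request shows whether `auto_configure` is effective on the alias only or also on the backing index, without widening the key's privileges to test it.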