How do I protect indexes

I use Elasticsearch 7.16. I want no index to be deleted. No user (superusers included) should be able to delete any index. How do I do that?

Hi,

You can't stop superusers from deleting indices, but there are workarounds.

For regular users: Stack Management -> Roles -> there are delete privileges you can remove from a specific role.

To disable the delete API you can use nginx or something like that to block it in CORS:

Access-Control-Allow-Methods: OPTIONS, POST, GET, PUT
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Content-Length

And this one can help you stop bulk deleting:

action.destructive_requires_name: true

I configured X-Pack and I use Filebeat. When I set a lesser role, Filebeat can't start. That's why I must add the create_doc, create, delete, index, write role.

2022-01-17T17:00:09.972659+03:00 VTNOVWEBAPA01 auditbeat[29941]: 2022-01-17T17:00:09.971+0300#011WARN#011[Elasticsearch]#011elasticsearch/client.go:414#011Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.January, 17, 14, 0, 8, 966745353, time.UTC), Meta:null, Fields:{"agent":{"ephemeral_id":"80375794-75d2-4ed9-a853-bf81c2daa4da","hostname":"VTNOVWEBAPA01.i01.paytr.com","id":"99a84502-33db-4843-9105-fdb004b7f000","name":"VTNOVWEBAPA01.i01.paytr.com","type":"auditbeat","version":"7.16.2"},"client":{"bytes":76,"ip":"10.30.40.15","packets":1,"port":123},"destination":{"bytes":84,"ip":"10.30.14.2","packets":1,"port":123},"ecs":{"version":"1.12.0"},"event":{"action":"network_flow","category":["network","network_traffic"],"dataset":"socket","duration":630753,"end":"2022-01-17T13:59:38.924Z","kind":"event","module":"system","start":"2022-01-17T13:59:38.924Z","type":["info","connection"]},"flow":{"complete":false,"final":true},"group":{"id":"112","name":"ntp"},"host":{"architecture":"x86_64","containerized":false,"hostname":"VTNOVWEBAPA01.i01.paytr.com","id":"e34a4a94e7584673afc27251b60742a3","ip":["10.30.40.15","fe80::250:56ff:fea0:9e9b"],"mac":["00:50:56:a0:9e:9b"],"name":"VTNOVWEBAPA01.i01.paytr.com","os":{"codename":"buster","family":"debian","kernel":"4.19.0-16-amd64","name":"Debian GNU/Linux","platform":"debian","type":"linux","version":"10 
(buster)"}},"network":{"bytes":160,"community_id":"1:c7ht7iRX+XCigpp/+9/80jiNH84=","direction":"egress","packets":2,"transport":"udp","type":"ipv4"},"process":{"args":["/usr/sbin/ntpd","-p","/var/run/ntpd.pid","-g","-u","106:112"],"created":"2021-10-22T22:39:15.800Z","executable":"/usr/sbin/ntpd","name":"ntpd","pid":612},"related":{"ip":["10.30.40.15","10.30.14.2"],"user":["ntp"]},"server":{"bytes":84,"ip":"10.30.14.2","packets":1,"port":123},"service":{"type":"system"},"source":{"bytes":76,"ip":"10.30.40.15","packets":1,"port":123},"system":{"audit":{"socket":{"egid":112,"euid":106,"gid":112,"kernel_sock_address":"0xffff9d167b328000","uid":106}}},"user":{"id":"106","name":"ntp"}}, Private:interface {}(nil), TimeSeries:true}, Flags:0x0, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=403): {"type":"security_exception","reason":"action [indices:data/write/bulk[s]] is unauthorized for user [collector_user] with roles [collector_writer,kibana_admin,beats_system] on indices [auditbeat-7.16.2], this action is granted by the index privileges [create_doc,create,delete,index,write,all]"}, dropping event!

And I tried http.cors. When I set http.cors without the DELETE method, Kibana cannot connect. Kibana wants the DELETE method. I tried every one of your suggestions.
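An added example, not part of the thread or of Elastic's code: it parses the 403 reason from the log above and builds the index section of a role body for the Elasticsearch create-role API (`PUT /_security/role/<name>`), choosing the least-privileged grant the message itself lists. The privilege ordering, the function names and the `auditbeat-*` pattern are assumptions; note that `delete` in that list covers documents, while removing a whole index is the separate `delete_index` privilege.

```python
import json
import re

# Reason string copied from the 403 in the Auditbeat log earlier in this thread.
REASON = (
    "action [indices:data/write/bulk[s]] is unauthorized for user [collector_user] "
    "with roles [collector_writer,kibana_admin,beats_system] on indices "
    "[auditbeat-7.16.2], this action is granted by the index privileges "
    "[create_doc,create,delete,index,write,all]"
)

PATTERN = re.compile(
    r"action \[(?P<action>.+?)\] is unauthorized for user \[(?P<user>[^\]]+)\] "
    r"with roles \[(?P<roles>[^\]]*)\] on indices \[(?P<indices>[^\]]*)\], "
    r"this action is granted by the index privileges \[(?P<privs>[^\]]*)\]"
)

# Assumed ordering, narrowest first: create_doc only appends new documents,
# index can also overwrite, delete/write can remove documents, all includes
# delete_index (deleting the index itself).
LEAST_FIRST = ["create_doc", "create", "index", "delete", "write", "all"]


def parse_denial(reason):
    """Split a security_exception reason into its named parts."""
    m = PATTERN.search(reason)
    if m is None:
        raise ValueError("not an index-privilege security_exception reason")
    denial = m.groupdict()
    for key in ("roles", "indices", "privs"):
        denial[key] = [v.strip() for v in denial[key].split(",") if v.strip()]
    return denial


def minimal_role(denial, index_pattern):
    """Pick the narrowest privilege that grants the denied action."""
    choice = next((p for p in LEAST_FIRST if p in denial["privs"]), None)
    if choice is None:
        raise ValueError("no known privilege in: %r" % denial["privs"])
    # Only the index grant for the denied action; cluster privileges a Beat
    # may need for setup are outside what this log line shows.
    body = {"indices": [{"names": [index_pattern], "privileges": [choice]}]}
    return choice, body


if __name__ == "__main__":
    denial = parse_denial(REASON)
    choice, body = minimal_role(denial, "auditbeat-*")  # pattern is an assumption
    print(denial["user"], "needs", choice, "for", denial["action"])
    print(json.dumps(body, indent=2))
```
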
