Logstash user permissions

I have configured a "logstash" user with the following set of permissions:

	"indices": [{
			"names": ["*beat*"],
			"privileges": ["create", "create_index", "view_index_metadata"]

That however results in permission exceptions getting thrown when Logstash is first started. They are related to setting up of templates. I have looked into which permissions would clear these exceptions up, and concluded that adding cluster permissions to manage_index_templates and monitor clears that up.

My question is the following. Are manage_index_templates and monitor permissions ok to be added to logstash user, or is that some kind of a security issue? What would be an alternative way to address these template exceptions? Thoughts?

My proposed new set of permissions:


The documentation shows which permissions are needed, although it decomposes them into three roles which are then assigned to users.

Any comments on this? I just want to make sure that I am not exposing my Elastic Cloud cluster to potential security vulnerability by adding cluster permissions to logstash user. Would that be a concern for you? Am I overreacting here?

I am hoping someone from elastic will comment on this.

Do you know anyone from Elastic that roams these forums that we can cc here? I am just looking for quick thumbs up or down on this question. Like you mentioned, their documentation for the logstash_writer user actually has a few more permissions, so I don't know if I am not inventing an issue here for no reason. Thanks!

From the docs...

POST _security/role/logstash_writer
  "cluster": ["manage_index_templates", "monitor", "manage_ilm"], 
  "indices": [
      "names": [ "logstash-*", "*beats*" ], 
      "privileges": ["write","create","create_index","manage","manage_ilm"]  
POST _security/user/logstash_internal
  "password" : "x-pack-test-password",
  "roles" : [ "logstash_writer"],
  "full_name" : "Internal Logstash User"

This is our best practice... you can take the other roles out but if anyone sets manage_template or tries to monitor logstash (which is also a best practice) it will fail... It is up to you.

The assumption is that you are properly managing the user credential that are assigned to that user and thus access to that role through use of the encrypted keystore etc.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.