Logstash user permissions

ksobon · May 5, 2022, 3:06pm

I have configured a "logstash" user with the following set of permissions:

"{
	"indices": [{
			"names": ["*beat*"],
			"privileges": ["create", "create_index", "view_index_metadata"]
		}
	]
}"

That however results in permission exceptions getting thrown when Logstash is first started. They are related to setting up of templates. I have looked into which permissions would clear these exceptions up, and concluded that adding cluster permissions to manage_index_templates and monitor clears that up.

My question is the following. Are manage_index_templates and monitor permissions ok to be added to logstash user, or is that some kind of a security issue? What would be an alternative way to address these template exceptions? Thoughts?

My proposed new set of permissions:

"{"cluster":["manage_index_templates","monitor"],"indices":[{"names":["*beat*"],"privileges":["create","create_index","view_index_metadata"]}]}";

Badger · May 5, 2022, 4:01pm

The documentation shows which permissions are needed, although it decomposes them into three roles which are then assigned to users.

ksobon · May 5, 2022, 4:14pm

Any comments on this? I just want to make sure that I am not exposing my Elastic Cloud cluster to potential security vulnerability by adding cluster permissions to logstash user. Would that be a concern for you? Am I overreacting here?

Badger · May 5, 2022, 4:32pm

I am hoping someone from elastic will comment on this.

ksobon · May 5, 2022, 5:14pm

Do you know anyone from Elastic that roams these forums that we can cc here? I am just looking for quick thumbs up or down on this question. Like you mentioned, their documentation for the logstash_writer user actually has a few more permissions, so I don't know if I am not inventing an issue here for no reason. Thanks!

stephenb · May 5, 2022, 5:25pm

From the docs...

POST _security/role/logstash_writer
{
  "cluster": ["manage_index_templates", "monitor", "manage_ilm"], 
  "indices": [
    {
      "names": [ "logstash-*", "*beats*" ], 
      "privileges": ["write","create","create_index","manage","manage_ilm"]  
    }
  ]
}

POST _security/user/logstash_internal
{
  "password" : "x-pack-test-password",
  "roles" : [ "logstash_writer"],
  "full_name" : "Internal Logstash User"
}

This is our best practice... you can take the other roles out but if anyone sets manage_template or tries to monitor logstash (which is also a best practice) it will fail... It is up to you.

The assumption is that you are properly managing the user credential that are assigned to that user and thus access to that role through use of the encrypted keystore etc.

system · June 2, 2022, 5:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch output manage_template permissions Logstash	1	597	February 14, 2017
Logstash writer permissions Logstash	1	595	February 24, 2021
Need help with resolving - security_exception - no permissions for [indices:admin/create] and User [name=logstash Logstash elastic-stack-security	1	2031	August 10, 2020
Elasticsearch cluster security permission for logstash Logstash elastic-stack-security	1	748	August 19, 2022
Logstash and auto-index creation with ECK Elastic Cloud on Kubernetes (ECK) elastic-stack-security	1	476	May 29, 2024

Logstash user permissions

Related topics