I have an environment with several spaces to separate access to different indices, e.g. space a has only access to indices "filebeat-a-*", space b to "filebeat-b-*".
In Security I've activated some of the provided rules in space a with a user, who has only access to the "filebeat-a-*" indices.
The rules then throw a warning: "Missing required read privileges on the following indices: ["filebeat-*"]".
My question: Are the rules executing against the "filebeat-a-*" indices despite this warning or do the rules not execute at all and I must clone any rule I want to use and change the setting in the new rule to "filebeat-a-*"?
I believe the warning is indicating that the rule will not be executing because it is attempting to read on the index pattern filebeat-* and does not have permissions to do so.
Yeah unfortunately I think you'll need to clone the rules you'd like to run and modify them such that they use the index pattern filebeat-a-*.
Does this mean that also the setting in the space, which Elasticsearch indices will be used for the Security solution, is ignored, and it must be filebeat-* anyway?
Then the only possible solution to avoid clones and achieve the same result is to have a setting in a role that allows access to filebeat-* in general but uses a "Grant read privileges to specific documents" filter that only allows access to the documents in filebeat-a-*, right?
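
The role described in the last post could look like the following request body for Elasticsearch's create-role API (`PUT /_security/role/space_a_filebeat_reader`). This is an added example, not part of the thread: the role name is hypothetical, the filter is written as a wildcard query on the `_index` metadata field, and the thread does not confirm how the rules behave with such a role.

```json
{
  "indices": [
    {
      "names": ["filebeat-*"],
      "privileges": ["read"],
      "query": {
        "wildcard": {
          "_index": { "value": "filebeat-a-*" }
        }
      }
    }
  ]
}
```

Document level security only restricts through roles that carry the query: if the same user also holds a role granting read on `filebeat-*` without a query, that user can read every matching document.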