What permissions are required for ILM?

Elastic Stack Elasticsearch
1

I am migrating my indices to be managed by ILM. For this, I need to modify my Logstash pipeline outputs. Here's what I'm using now:

output {
  elasticsearch {
    hosts => ["192.168.10.80:9200","192.168.10.81:9200","192.168.10.82:9200"] 
    ilm_enabled => true
    ilm_rollover_alias => "ilm-network"
    ilm_policy => "my_policy"
    ilm_pattern => '{now/d}-000001'
    user => 'ilm_pipeline'
    password => '<password>'
    ssl => true
    cacert => '/etc/certs/elastic-stack-ca.crt.pem'
    }
}

I defined a template as:

PUT _template/network_ilm
{
  "order": 15,
  "index_patterns": ["network-*"],
  "settings": {
        "index.lifecycle.name": "my_policy",
        "index.routing.allocation.require.data": "hot"       
        "index.lifecycle.rollover_alias": "ilm-network"
  }
}

I created a bootstrap index via:

PUT network-2019.08.08-000001
{
  "aliases": {
    "ilm-network":{
      "is_write_index": true 
    }
  }  
}

I created the ilm_pipeline user with cluster privilege manage_ilm and on the index patterns network-* and ilm-* is added the index privileges read, write, manage, create, delete, manage_ilm, and create_index.

When I start logstash, I get all manner of errors in multiple pipelines, even ones not managed by ILM. If I switch this one pipeline to the built-in elastic user, everything works fine. What permissions do I need to add to the user specified in Logstash to make ILM work properly?

2

ILM actions are run as though they were performed by the last user to modify the policy. So whatever account you create/modify the policy from should have permissions to perform all operations that are part of the policy.

Just this shouldn't cause problems with pipelines that don't use ILM, though. Given that Logstash uses index templates, I suspect you also need manage_index_templates at least. It would be useful to see the errors you get, if you still have them or can easily re-create them.

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.