If the system policies provided by Alibaba Cloud Elasticsearch do not meet your requirements, you can create custom policies. Custom policies enable finer-grained permission management than system policies. This topic describes how to create a custom policy and provides policy examples.
Prerequisites
Background information
- AliyunElasticsearchReadOnlyAccess: the read-only permissions on Elasticsearch or Logstash clusters. This policy can be attached to read-only users.
- AliyunElasticsearchFullAccess: the management permissions on Elasticsearch or Logstash clusters. This policy can be attached to administrators.
Note
- The preceding policies grant RAM users permissions only on Elasticsearch or Logstash clusters. They do not contain permissions on Cloud Monitor or tags. If you want to grant permissions on Cloud Monitor or tags, you must create the related custom policies and attach them to the RAM users. For more information about how to grant permissions on Cloud Monitor or tags, see Policy for an administrator.
- You can use policies to grant permissions only on all the resources that belong to an Alibaba Cloud account. You cannot use the policies to grant permissions on a specific resource group.
Procedure
Policy examples
- Policy for an administrator
In this example, all operation permissions on all Elasticsearch clusters are granted to a RAM user of the Alibaba Cloud account whose ID is indicated by <UID>.
```json
{
  "Statement": [
    {
      "Action": ["elasticsearch:*"],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "elasticsearch:ListInstance",
        "elasticsearch:ListSnapshotReposByInstanceId"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:cn-hangzhou:<UID>:instances/*"
    },
    {
      "Action": ["elasticsearch:ListCollectors"],
      "Effect": "Allow",
      "Resource": ["acs:elasticsearch:*:*:collectors/*"]
    },
    {
      "Action": [
        "cms:ListProductOfActiveAlert",
        "cms:ListAlarm",
        "cms:QueryMetricList"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": ["elasticsearch:ListTags"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:*:tags/*"
    },
    {
      "Action": ["elasticsearch:ListLogstash"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<UID>:logstashes/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticsearch:DescribeVpcs",
        "elasticsearch:DescribeVswitches"
      ],
      "Resource": [
        "acs:elasticsearch:*:<UID>:vswitch/*",
        "acs:elasticsearch:*:<UID>:vpc/*"
      ]
    },
    {
      "Action": "bss:PayOrder",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```
- Policy for cluster-specific operation permissions
In this example, the following permissions are granted to a RAM user of the Alibaba Cloud account whose ID is indicated by <UID>:
- Permissions on Cloud Monitor
- Permission to perform all Elasticsearch-related operations on a specific cluster. The operations do not include security-related operations, such as cluster deletion and whitelist configuration for access over the Internet or an internal network.
- Permission to view clusters.
- Permission to view all the tags that are added to clusters.
- Permission to view shippers.
```json
{
  "Statement": [
    {
      "Action": ["elasticsearch:*"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<UID>:instances/<instanceId>"
    },
    {
      "Action": [
        "cms:ListProductOfActiveAlert",
        "cms:ListAlarm",
        "cms:QueryMetricList"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "elasticsearch:DeleteInstance",
        "elasticsearch:UpdatePublicNetwork",
        "elasticsearch:UpdateWhiteIps",
        "elasticsearch:ModifyWhiteIps",
        "elasticsearch:TriggerNetwork"
      ],
      "Effect": "Deny",
      "Resource": "acs:elasticsearch:*:<UID>:instances/*"
    },
    {
      "Action": ["elasticsearch:ListTags"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<UID>:tags/*"
    },
    {
      "Action": [
        "elasticsearch:ListInstance",
        "elasticsearch:ListSnapshotReposByInstanceId"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<UID>:instances/*"
    },
    {
      "Action": ["elasticsearch:ListCollectors"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<UID>:collectors/*"
    },
    {
      "Action": ["elasticsearch:ListLogstash"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<UID>:logstashes/*"
    },
    {
      "Action": ["elasticsearch:GetEmonProjectList"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:*:emonProjects/*"
    },
    {
      "Action": ["elasticsearch:getEmonUserConfig"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:*:emonUserConfig/*"
    }
  ],
  "Version": "1"
}
```
Action | Description |
---|---|
cms:ListProductOfActiveAlert, cms:ListAlarm, cms:QueryMetricList | The permissions on Cloud Monitor. |
bss:PayOrder | The permission to pay for orders. After the RAM user is granted the permission, the RAM user can pay for purchase orders of resources. |
elasticsearch:DescribeVpcs, elasticsearch:DescribeVswitches | The permissions to access the VPCs and vSwitches that belong to the Alibaba Cloud account. After the RAM user is granted the permissions, the RAM user can select the VPC and vSwitch that belong to the Alibaba Cloud account when the user purchases resources. Notice: When you authorize a RAM user to purchase resources, you must also specify ["bss:PayOrder"] in the Action element. If you do not specify ["bss:PayOrder"], the system displays a message that indicates insufficient permissions when you use the RAM user to purchase resources. |
elasticsearch:* | All operation permissions on Elasticsearch clusters. After the RAM user is granted the permissions, the RAM user can perform operations on all or specific clusters. Notice: The permissions specified by elasticsearch:* do not include the permissions on advanced monitoring and alerting, Cloud Monitor, and tags. You must separately specify the permissions on advanced monitoring and alerting, Cloud Monitor, and tags. If you do not specify these permissions, the system displays a message that indicates insufficient permissions after you use the RAM user to go to a related page. However, the RAM user can still use the other authorized features on that page. |
elasticsearch:ListTags | The permission to query all the tags that are added to Elasticsearch clusters. After the RAM user is granted the permission, the RAM user can view all the tags that are added to Elasticsearch clusters. |
elasticsearch:ListInstance, elasticsearch:ListSnapshotReposByInstanceId | The permissions to view clusters and the snapshot repositories of a cluster. |
elasticsearch:ListCollectors | The permission to query Beats shippers. After the RAM user is granted the permission, the RAM user can view all created Beats shippers in the Elasticsearch console. |
elasticsearch:ListLogstash | The permission to query Logstash clusters. After the RAM user is granted the permission, the RAM user can view all the Logstash clusters in the related region on the Logstash Clusters page. |
elasticsearch:DeleteInstance, elasticsearch:UpdatePublicNetwork, elasticsearch:UpdateWhiteIps, elasticsearch:ModifyWhiteIps, elasticsearch:TriggerNetwork | Security-related operations, such as cluster deletion and whitelist configuration for access over the Internet or an internal network. Note: In the preceding policy, the Effect element is set to Deny for these permissions. This indicates that the RAM user is not allowed to perform the related operations. |
elasticsearch:GetEmonProjectList | The permission to query the monitoring items of a cluster. Notice: If the RAM user is granted this permission, the ["elasticsearch:getEmonUserConfig"] permission must also be granted. If ["elasticsearch:getEmonUserConfig"] is not granted, the system displays a message that indicates insufficient permissions when you use the RAM user to go to the cluster monitoring page. |
elasticsearch:getEmonUserConfig | The permission to query the user configurations for cluster monitoring. |
Effect | Description |
---|---|
Allow | Indicates that the RAM user is allowed to perform the operations that are specified in the Action element. |
Deny | Indicates that the RAM user is not allowed to perform the operations that are specified in the Action element. |
Note
- <UID>: Set the value to the ID of your Alibaba Cloud account. To obtain the ID, move the pointer over the profile picture in the upper-right corner of the Elasticsearch console and click Security Settings. The value of Account ID on the Security Settings page is the ID of your Alibaba Cloud account.
- <instanceId>: Set the value to the ID of the cluster whose permissions you want to grant. For more information about how to obtain the ID, see View the basic information of a cluster.
- In the Resource element, an asterisk (*) indicates all clusters, and <instanceId> indicates a specific cluster. For more information, see Types of resources that can be authorized.