If the system policies provided by Alibaba Cloud Elasticsearch do not meet your requirements, you can create custom policies. Custom policies enable finer-grained permission management than system policies. This topic describes how to create a custom policy and provides policy examples.
Background information
Alibaba Cloud Elasticsearch provides the following system policies. Use them when they fit your needs, and create a custom policy when you need finer scoping, for example limiting a RAM user to a single cluster.

System policy | Description |
---|---|
AliyunElasticsearchReadOnlyAccess | Grants read-only permissions on Elasticsearch and Logstash clusters. Attach this policy to read-only users. |
AliyunElasticsearchFullAccess | Grants management permissions on Elasticsearch clusters, Logstash clusters, and Beats shippers. Attach this policy to administrators. |
Prerequisites
You have understood the policy structure and syntax. For more information, see Policy structure and syntax.
Precautions
Custom policies take effect only at the account level and do not take effect at the resource group level. If you want the console to display only specific clusters for a RAM user, you can use a resource group to grant the related permissions on the clusters to the RAM user. For more information, see Use a resource group to grant permissions on a specific cluster.
Procedure
Policy examples
The sample policies use the following placeholders:
- <yourAccountId>: Replace it with the ID of your Alibaba Cloud account. Wildcards (*) are not supported. To obtain the ID, log on to the Alibaba Cloud Management Console and move the pointer over the profile picture in the upper-right corner; the account ID is displayed there.
- <yourInstanceId>: Replace it with the ID of the Elasticsearch cluster whose permissions you want to grant. Wildcards (*) are not supported. For more information about how to obtain the ID, see View the basic information of a cluster.
- Policy for an administrator

In this example, a RAM user of the Alibaba Cloud account whose ID is indicated by <yourAccountId> is granted all operation permissions on all Elasticsearch clusters (elasticsearch:* on Resource *), all CloudMonitor permissions (cms:*), permission to pay for orders (bss:PayOrder), and permission to create a service-linked role. The Condition on the last statement restricts that role creation to the collector.elasticsearch.aliyuncs.com service, which the Beats shipper (collector) feature requires. Note that the cms:* statement is not scoped to Elasticsearch: it grants the RAM user full CloudMonitor access across the account.

```json
{
  "Statement": [
    {
      "Action": ["elasticsearch:*"],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": ["cms:*"],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "bss:PayOrder",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": ["collector.elasticsearch.aliyuncs.com"]
        }
      }
    }
  ],
  "Version": "1"
}
```
- Policy for operation permissions on a specific cluster

In this example, the following permissions are granted to a RAM user of the Alibaba Cloud account whose ID is indicated by <yourAccountId>:
- The CloudMonitor permissions that the cluster monitoring page needs (cms:DescribeActiveMetricRuleList, cms:ListAlarm, and cms:QueryMetricList), instead of cms:*
- Permission to perform all Elasticsearch-related operations on the single cluster <yourInstanceId>
- Permission to list clusters and their snapshot repositories, which the console needs to display the cluster list
- Permission to view all the tags that are added to clusters
- Permission to view Logstash clusters and Beats shippers

Note: Some features that are called from the cluster management page of the Elasticsearch console, such as Beats, Advanced Monitoring and Alerting, and Tag, are separate services with their own actions and resource types. An elasticsearch:* grant that is scoped to a single cluster does not cover them. Therefore, when you grant permissions on a specific cluster, include the list permissions shown in the following sample policy; otherwise the console reports insufficient permissions on those pages. Because elasticsearch:ListInstance is granted on instances/*, the RAM user can still see other clusters in the list but cannot operate on them; if the console should display only specific clusters, use a resource group as described in Precautions.

```json
{
  "Statement": [
    {
      "Action": ["elasticsearch:*"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId>"
    },
    {
      "Action": [
        "cms:DescribeActiveMetricRuleList",
        "cms:ListAlarm",
        "cms:QueryMetricList"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": ["elasticsearch:ListTags"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:tags/*"
    },
    {
      "Action": [
        "elasticsearch:ListInstance",
        "elasticsearch:ListSnapshotReposByInstanceId"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/*"
    },
    {
      "Action": ["elasticsearch:ListLogstash"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:logstashes/*"
    },
    {
      "Action": ["elasticsearch:ListCollectors"],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:collectors/*"
    }
  ],
  "Version": "1"
}
```
Action | Description |
---|---|
cms:* | The permissions on CloudMonitor. |
bss:PayOrder | The permission to pay for orders. After the RAM user is granted the permission, you can use the RAM user to pay for the purchase orders of resources. |
 | The permissions to access the VPCs and vSwitches that belong to the Alibaba Cloud account. After the RAM user is granted the permissions, the VPC and vSwitch that belong to the Alibaba Cloud account can be selected when you use the RAM user to purchase resources. Important: When you authorize a RAM user to purchase resources, you must also specify ["bss:PayOrder"] in the Action element. Otherwise, the system displays a message that indicates insufficient permissions when you use the RAM user to purchase resources. |
elasticsearch:* | All operation permissions on Elasticsearch clusters. After the RAM user is granted the permissions, you can use the RAM user to perform operations on all or specific clusters, depending on the Resource element. Important: The permissions specified by elasticsearch:* do not include permissions on the Advanced Monitoring and Alerting, CloudMonitor, or Tag service. You must specify permissions on these services separately. If you do not, the system displays a message that indicates insufficient permissions when you use the RAM user to open a related page; the features on that page that are authorized can still be used. |
elasticsearch:ListTags | The permission to query all the tags that are added to Elasticsearch clusters. After the RAM user is granted the permission, you can use the RAM user to view all the tags that are added to Elasticsearch clusters. |
elasticsearch:ListCollectors | The permission to query Beats shippers. After the RAM user is granted the permission, you can use the RAM user to view all the created Beats shippers in the Elasticsearch console. |
elasticsearch:ListLogstash | The permission to query Logstash clusters. After the RAM user is granted the permission, you can use the RAM user to view all the Logstash clusters in the related region on the Logstash Clusters page. |
Effect | Description |
---|---|
Allow | The RAM user can perform the operations that are specified in the Action element on the resources that are specified in the Resource element. |
Deny | The RAM user cannot perform the operations that are specified in the Action element. If an Allow statement and a Deny statement both match the same request, the Deny takes precedence. |
Resource | Description |
---|---|
* | All clusters. For the cms and bss actions above, it also means all resources of those services. |
acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId> | A specific cluster. Replace <yourAccountId> with your account ID and <yourInstanceId> with the ID of the cluster whose permissions you want to grant. Wildcards are not supported in either placeholder. For more information about how to obtain the cluster ID, see View the basic information of a cluster. |