If the system policies provided by Alibaba Cloud Elasticsearch do not meet your requirements, you can create custom policies. Custom policies enable finer-grained permission management than system policies. This topic describes how to create a custom policy and provides policy examples.

Background information

Elasticsearch supports the following system policies:
  • AliyunElasticsearchReadOnlyAccess: grants the read-only permissions on Elasticsearch or Logstash clusters. This policy can be attached to read-only users.
  • AliyunElasticsearchFullAccess: grants the management permissions on Elasticsearch clusters, Logstash clusters, or Beats shippers. This policy can be attached to administrators.
Note
  • The preceding policies contain only permissions on Elasticsearch clusters, Logstash clusters, or Beats shippers. The policies do not contain permissions on CloudMonitor or tags. If you want to grant permissions on CloudMonitor or tags, you must create the related custom policies and attach the policies to RAM users. For more information about how to grant permissions on CloudMonitor or tags, see Policy examples in this topic.
  • By default, Elasticsearch clusters are created in the default resource group. After you attach a custom policy for a specific cluster to a RAM user and use the RAM user to log on to the Elasticsearch console, all the clusters of your Alibaba Cloud account rather than the specific cluster are displayed in the console. If you want the console to display only the specific cluster, you can use a resource group to grant the permissions on the cluster to the RAM user. For more information, see Use a resource group to grant permissions on a specific cluster.

Prerequisites

You have understood the policy structure and syntax. For more information, see Policy structure and syntax.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. On the JSON tab, enter the policy document and click Next Step.
    You can also click Import System Policy on the right, import an existing system policy as prompted in the Import System Policy dialog box, and then modify the policy to use the modified policy as a custom policy. JSON tab
    Enter a script for the permission that you want to grant. Examples:
    • Permission to access the virtual private clouds (VPCs) that belong to your Alibaba Cloud account 
      "elasticsearch:DescribeVpcs","elasticsearch:DescribeVSwitches"
      Note For more information about the related policy document, see the document of the AliyunVPCReadOnlyAccess policy.
    • Permission to pay for orders 
      ["bss:PayOrder"]
      Note For more information about the related policy document, see the document of the AliyunBSSOrderAccess policy.
    • Permission to call API operations
      Method URI Resource Action
      GET /instances instances/* ListInstance
      POST /instances instances/* CreateInstance
      GET /instances/instanceId instances/instanceId DescribeInstance
      DELETE /instances/instanceId instances/instanceId DeleteInstance
      POST /instances/instanceId/actions/restart instances/instanceId RestartInstance
      PUT /instances/instanceId instances/instanceId UpdateInstance

    For more information, see Policy examples in this topic.

  6. Configure the Name and Note parameters.
  7. Check and optimize the content of the custom policy.
    • Basic optimization

      The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:

      • Delete unnecessary conditions.
      • Delete unnecessary arrays.
    • Optional:Advanced optimization

      You can move the pointer over Optional: Advanced Optimize and click Perform. The system performs the following operations during advanced optimization:

      • Split resources or conditions that are incompatible with actions.
      • Narrow down resources.
      • Deduplicate or merge policy statements.
  8. Click OK.

Policy examples

Notice
Before you use the sample code provided in this section, you must replace the following information with your actual information:
  • 133071096032****: Replace this ID with the ID of your Alibaba Cloud account. You can move the pointer over the profile picture in the upper-right corner of the console to obtain the ID of your Alibaba Cloud account.
  • es-cn-tl32awopr002h****: Replace this ID with the ID of the Elasticsearch cluster whose permissions you want to grant. For more information about how to obtain the ID, see View the basic information of a cluster.
  • Policy for an administrator
    In this example, all the operation permissions on all Elasticsearch clusters are granted to a RAM user of the Alibaba Cloud account whose ID is 133071096032****. 
    {
    "Statement": [
        {
            "Action": [
                "elasticsearch:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cms:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "bss:PayOrder",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "collector.elasticsearch.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
  • Policy for operation permissions on a specific cluster
    In this example, the following permissions are granted to a RAM user of the Alibaba Cloud account whose ID is 133071096032****:
    • Permissions on CloudMonitor
    • Permission to perform all Elasticsearch-related operations on a specific cluster
    • Permission to view clusters
    • Permission to view all the tags that are added to clusters
    • Permission to view shippers
    Note External interfaces that are used to call some services, such as Beats, Advanced Monitoring and Alerting, and Tag, are integrated into the cluster management page of the Elasticsearch console. Therefore, when you grant the permissions on a specific cluster, you must refer to the following sample policy document. 
    {
    "Statement": [
        {
            "Action": [
                "elasticsearch:*"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:133071096032****:instances/es-cn-2r42b7uyg003k****"
        },
        {
            "Action": [
                "cms:DescribeActiveMetricRuleList",
                "cms:ListAlarm",
                "cms:QueryMetricList"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "elasticsearch:ListTags"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:133071096032****:tags/*"
        },
        {
            "Action": [
                "elasticsearch:ListInstance",
                "elasticsearch:ListSnapshotReposByInstanceId"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:133071096032****:instances/*"
        },
        {
            "Action": [
                "elasticsearch:ListLogstash"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:133071096032****:logstashes/*"
        }, 
        {
            "Action": [
                "elasticsearch:ListCollectors"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:133071096032****:collectors/*"
        }
    ],
    "Version": "1"
}
Table 1. Action element
Action Description 
[
  "cms:DescribeActiveMetricRuleList",
  "cms:ListAlarm",
  "cms:QueryMetricList"
]
 The permissions on CloudMonitor.
  • cms:DescribeActiveMetricRuleList: the permission to query the services for which CloudMonitor is activated within the Alibaba Cloud account.
  • cms:ListAlarm: the permission to query all or specific alert rules.
  • cms:QueryMetricList: the permission to query the monitoring data of instances or clusters of a specific service within a period. 
"bss:PayOrder"
 The permission to pay for orders. After the RAM user is granted the permission, you can use the RAM user to pay for the purchase orders of resources. 
[
  "elasticsearch:DescribeVpcs",
  "elasticsearch:DescribeVSwitches"
]
 The permissions to access the VPCs and vSwitches that belong to the Alibaba Cloud account. After the RAM user is granted the permissions, the VPC and vSwitch that belong to the Alibaba Cloud account can be selected when you use the RAM user to purchase resources.
Notice When you authorize a RAM user to purchase resources, you must also specify ["bss:PayOrder"] in the Action element. If you do not specify ["bss:PayOrder"], the system displays a message that indicates insufficient permissions when you use the RAM user to purchase resources. 
[
  "elasticsearch:*"
]
 All operation permissions on Elasticsearch clusters. After the RAM user is granted the permissions, you can use the RAM user to perform operations on all or specific clusters.
Notice The permissions specified by elasticsearch:* do not include permissions on the Advanced Monitoring and Alerting, CloudMonitor, or Tag service. You must separately specify permissions on these services. If you do not specify permissions on these services, the system displays a message that indicates insufficient permissions after you use the RAM user to go to a related page. However, authorized features on this page can be used. 
[
  "elasticsearch:ListTags"
]
 The permission to query all the tags that are added to Elasticsearch clusters. After the RAM user is granted the permission, you can use the RAM user to view all the tags that are added to Elasticsearch clusters. 
[
  "elasticsearch:ListInstance",
  "elasticsearch:ListSnapshotReposByInstanceId" 
]
  • elasticsearch:ListInstance: the permission to query Elasticsearch clusters.
  • elasticsearch:ListSnapshotReposByInstanceId: the permission to query shared Object Storage Service (OSS) repositories. 
[
  "elasticsearch:ListCollectors"
]
 The permission to query Beats shippers. After the RAM user is granted the permission, you can use the RAM user to view all the created Beats shippers in the Elasticsearch console. 
[
  "elasticsearch:ListLogstash"
]
 The permission to query Logstash clusters. After the RAM user is granted the permission, you can use the RAM user to view all the Logstash clusters in the related region on the Logstash Clusters page.
Table 2. Effect element
Effect Description
Allow Indicates that the RAM user can be used to perform the operations that are specified in the Action element.
Deny Indicates that the RAM user cannot be used to perform the operations that are specified in the Action element.
Table 3. Resource element

For more information, see Objects supported for authorization.

Resource Description
* Indicates all clusters.
es-cn-tl32awopr002h**** Indicates a specific cluster. You must replace the ID with the ID of the cluster whose permissions you want to grant. For more information about how to obtain the ID, see View the basic information of a cluster.

What to do next

After a custom policy is created, use your Alibaba Cloud account to attach the policy to a RAM user in the RAM console or by using a RAM SDK. For more information, see Grant permissions to a RAM user.