If you want to allow a RAM user to view and manage only a specific cluster in the Alibaba Cloud Elasticsearch console, you can use a resource group to grant permissions on the cluster to the RAM user. This topic describes how to use a resource group to grant permissions on a specific cluster to a RAM user in the Resource Access Management (RAM) console.

Procedure

If you select the default resource group when you create an Alibaba Cloud Elasticsearch cluster, the cluster is created in the default resource group. In this case, when you grant permissions on the cluster to a RAM user, you can select a specific resource group, but the resource group does not take effect for the authorization. To resolve this issue, you must attach a custom policy whose effective scope is the Alibaba Cloud account to which the RAM user belongs to the RAM user. Then, you must create a resource group, transfer the Elasticsearch cluster to the resource group, and attach a system policy whose effective scope is the resource group to the RAM user. After you complete these operations, you can log on to the Elasticsearch console as the RAM user to check whether the RAM user is granted the permissions on the desired cluster. The following sections describe the detailed procedure.
Note If your Elasticsearch cluster is created in a custom resource group and you want to grant permissions on the cluster to a RAM user, you need to only attach a custom policy whose effective scope is the custom resource group to the RAM user. For more information, see Grant permissions to a RAM user. When you attach the custom policy to the RAM user in the RAM console, set the Authorized Scope parameter to Specific Resource Group and select the custom policy in the Select Policy section.
  1. Step 1: Attach a custom policy whose effective scope is the entire Alibaba Cloud account to a RAM user of the account
  2. Step 2: Create a resource group and attach a system policy whose effective scope is a specific resource group to the RAM user
  3. Step 3: Check whether the permissions on the cluster are granted to the RAM user

Step 1: Attach a custom policy whose effective scope is the entire Alibaba Cloud account to a RAM user of the account

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. Create a custom policy.
    For more information, see Create a custom policy. The following code provides an example for the policy document:
    {
    "Statement": [
        {
            "Action": [
                "elasticsearch:*"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId>"
        },
        {
            "Action": [
                "elasticsearch:ListCollectors"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:collectors/*"
        },
        {
            "Action": [
                "elasticsearch:ListInstance",
                "elasticsearch:ListSnapshotReposByInstanceId"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cms:ListAlarm",
                "cms:DescribeActiveMetricRuleList",
                "cms:QueryMetricList"
            ],
            "Resource": "*"
        },
        {
            "Action": [
                "elasticsearch:ListTags"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:*:tags/*"
        },
        {
            "Action": [
                "elasticsearch:GetEmonProjectList"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:*:emonProjects/*"
        },
        {
            "Action": [
                "elasticsearch:getEmonUserConfig"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:*:emonUserConfig/*"
        },
       {
          "Action": "ims:*",
          "Effect": "Allow",
          "Resource": "acs:ims::<yourAccountId>:application/*"
       }
    ],
    "Version": "1"
}
    Before you use the preceding code, you must replace the variables in the code with the desired values.
    Variable Description
    <yourAccountId> Replace this variable with the ID of your Alibaba Cloud account. Wildcards (*) are not supported. To obtain the ID of your Alibaba Cloud account, perform the following operations: Log on to the Alibaba Cloud Management Console and move the pointer over the profile picture in the upper-right corner. Then, you can view the ID of your Alibaba Cloud account.
    <yourInstanceId> Replace this variable with the ID of the Elasticsearch cluster whose permissions you want to grant. Wildcards (*) are not supported. For information about how to obtain the ID, see View the basic information of a cluster.
    External interfaces that are used to call specific services, such as Beats, Advanced Monitoring and Alerting, and Tag, are integrated into the cluster management page of the Elasticsearch console. If you want to manage only the clusters in a specific resource group in the Elasticsearch console as a RAM user, you must configure a custom policy whose effective scope is the Alibaba Cloud account to which the RAM user belongs and attach the policy to the RAM user. This way, the RAM user can pass permission verification on the cluster management page.
    Note After the policy for a specific Elasticsearch or Logstash cluster is created and attached to a RAM user, you can use one of the following URLs to directly access the Elasticsearch or Logstash cluster as the RAM user:
    • https://elasticsearch.console.aliyun.com/{regionId}/instances/{instanceId}/base
    • https://elasticsearch.console.aliyun.com/{regionId}/logstashes/{instanceId}/base
  3. Create a RAM user.
    For more information, see Create a RAM user.
  4. Attach the newly created custom policy whose effective scope is the Alibaba Cloud account to which the RAM user belongs to the RAM user.
    For more information, see Grant permissions to a RAM user. When you attach the custom policy to the RAM user, set the Authorized Scope parameter to Alibaba Cloud Account and select the custom policy in the Select Policy section. Attach the custom policy to the RAM user

Step 2: Create a resource group and attach a system policy whose effective scope is a specific resource group to the RAM user

  1. Log on to the Resource Management console.
  2. Create a resource group.
    For more information, see Create a resource group.
  3. Transfer the desired cluster from the default resource group to the newly created resource group.
    For more information, see Transfer resources across resource groups.
  4. Attach a system policy whose effective scope is the newly created resource group to the RAM user.
    For more information, see Add RAM authorization. When you attach the system policy to the RAM user, the Authorized Scope parameter is automatically set to Specific Resource Group, and the newly created resource group is automatically selected. You need to only select the system policy AliyunElasticsearchFullAccess in the Select Policy section. Grant Permissions panel
  5. View the authorization information of the RAM user.
    1. Click the Permissions tab.
    2. Click the name of the RAM user in the Principal column.
    3. On the page that appears, click the Permissions tab and view the authorization information of the RAM user.

Step 3: Check whether the permissions on the cluster are granted to the RAM user

  1. Log on to the Elasticsearch console as the RAM user.
  2. In the top navigation bar, select the region where the desired cluster resides.
  3. In the left-side navigation pane, click Elasticsearch Clusters.
  4. In the top navigation bar, select the newly created resource group and view the information about the cluster.