Managing permissions for specific clusters in Alibaba Cloud Elasticsearch can be simplified by using resource groups and RAM (Resource Access Management) users. This article demonstrates how to set up and assign custom permissions to RAM users, ensuring secure and compartmentalized access to your Elasticsearch clusters.
For detailed information about Alibaba Cloud Elasticsearch, visit the official product page.
Before we begin, make sure you have an Alibaba Cloud account with access to RAM and Elasticsearch services.
1) Log on to the RAM console by using your Alibaba Cloud account.
2) Create a custom policy. For more information, see Create a custom policy. The following code provides an example for the policy document:
```json
{
  "Statement": [
    {
      "Action": [
        "elasticsearch:*"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId>"
    },
    {
      "Action": [
        "elasticsearch:ListCollectors"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:collectors/*"
    },
    {
      "Action": [
        "elasticsearch:ListInstance",
        "elasticsearch:ListSnapshotReposByInstanceId"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:ListAlarm",
        "cms:DescribeActiveMetricRuleList",
        "cms:QueryMetricList"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "elasticsearch:ListTags"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:*:tags/*"
    },
    {
      "Action": [
        "elasticsearch:GetEmonProjectList"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:*:emonProjects/*"
    },
    {
      "Action": [
        "elasticsearch:getEmonUserConfig"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:*:emonUserConfig/*"
    },
    {
      "Action": "ims:*",
      "Effect": "Allow",
      "Resource": "acs:ims::<yourAccountId>:application/*"
    }
  ],
  "Version": "1"
}
```
Before you use the preceding code, you must replace the variables in the code with the desired values.
Variable | Description |
---|---|
<yourAccountId> | Replace this variable with the ID of your Alibaba Cloud account. Wildcards (*) are not supported. To obtain the ID of your Alibaba Cloud account, perform the following operations: Log on to the Alibaba Cloud Management Console and move the pointer over the profile picture in the upper-right corner. Then, you can view the ID of your Alibaba Cloud account. |
<yourInstanceId> | Replace this variable with the ID of the Elasticsearch cluster whose permissions you want to grant. Wildcards (*) are not supported. For information about how to obtain the ID, see View the basic information of a cluster. |
External interfaces that are used to call specific services, such as Beats, Advanced Monitoring and Alerting, and Tag, are integrated into the cluster management page of the Elasticsearch console. If you want to manage only the clusters in a specific resource group in the Elasticsearch console as a RAM user, you must configure a custom policy whose effective scope is the Alibaba Cloud account to which the RAM user belongs and attach the policy to the RAM user. This way, the RAM user can pass permission verification on the cluster management page.
3) Create a RAM user. For more information, see Create a RAM user.
4) Attach the newly created custom policy, whose effective scope is the Alibaba Cloud account to which the RAM user belongs, to the RAM user. For more information, see Grant permissions to a RAM user. When you attach the custom policy to the RAM user, set the Authorized Scope parameter to Alibaba Cloud Account and select the custom policy in the Select Policy section.
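A pre-flight check for the policy document from step 2, written for this article as an added example (it is not Alibaba Cloud tooling). It flags any leftover `<...>` placeholder and any `elasticsearch:*` statement that is not pinned to one literal account ID and one cluster ID, which is what the variable table requires. The `lint_policy` helper and the IDs in the sample are constructed for illustration.

```python
import json
import re

# Constructed sample: statement 0 is the page's cluster-scoped statement with
# made-up IDs filled in; statement 1 still has a placeholder; statement 2 is too broad.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["elasticsearch:*"],
     "Resource": "acs:elasticsearch:*:1234567890123456:instances/es-cn-example0001"},
    {"Effect": "Allow", "Action": "ims:*",
     "Resource": "acs:ims::<yourAccountId>:application/*"},
    {"Effect": "Allow", "Action": ["elasticsearch:*"],
     "Resource": "acs:elasticsearch:*:1234567890123456:instances/*"}
  ]
}
""")

PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. <yourAccountId>, <yourInstanceId>

def as_list(value):
    """Action and Resource may each be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement index, problem, resource) tuples; hypothetical helper."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        for resource in as_list(stmt.get("Resource", [])):
            if PLACEHOLDER.search(resource):
                findings.append((idx, "unreplaced placeholder", resource))
                continue
            if "elasticsearch:*" not in actions:
                continue
            # ARN layout used on the page: acs:<service>:<region>:<account>:<type>/<id>
            parts = resource.split(":", 4)
            account, relative = (parts[3], parts[4]) if len(parts) == 5 else ("", "")
            kind, _, name = relative.partition("/")
            if not account.isdigit():
                findings.append((idx, "account ID must be a literal ID", resource))
            if kind != "instances" or not name or "*" in name:
                findings.append((idx, "elasticsearch:* not pinned to one cluster", resource))
    return findings
```

An empty result from `lint_policy` means the full-access statement covers exactly one cluster and every placeholder has been replaced; the narrower list and read statements with `*` resources are left alone because the page's policy relies on them.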
1) Log on to the Resource Management console.
2) Create a Resource Group.
In the Resource Management console, create a new resource group. For instructions, see the Resource Management guide.
3) Transfer the Elasticsearch Cluster.
Move your Elasticsearch cluster to the newly created resource group. For more information, refer to the guide on transferring resources across resource groups.
4) Attach the System Policy.
Attaching the AliyunElasticsearchFullAccess policy to the RAM user grants necessary permissions for the specific resource group.
5) View the authorization information of the RAM user.
1) Log on to the Elasticsearch console as the RAM user.
2) In the top navigation bar, select the region where the desired cluster resides.
3) In the left-side navigation pane, click Elasticsearch Clusters.
4) In the top navigation bar, select the newly created resource group and view the information about the cluster.
By employing resource groups to manage RAM user permissions in Alibaba Cloud Elasticsearch, you can streamline cluster access and enhance security. Leverage this approach for efficient and secure cluster management.
Ready to start your journey with Elasticsearch on Alibaba Cloud? Explore our tailored Cloud solutions and services to take the first step towards transforming your data into a visual masterpiece.