
Simplified Cluster Management in Alibaba Cloud Elasticsearch: A Guide to Resource-based Permissions

This guide provides a step-by-step approach to configuring permissions efficiently.

Introduction

Managing permissions for specific clusters in Alibaba Cloud Elasticsearch can be simplified by using resource groups and RAM (Resource Access Management) users. This article demonstrates how to set up and assign custom permissions to RAM users, ensuring secure and compartmentalized access to your Elasticsearch clusters.

For detailed information about Alibaba Cloud Elasticsearch, visit the official product page.

Prerequisites

Before we begin, make sure you have an Alibaba Cloud account with access to RAM and Elasticsearch services.

Step 1: Attach a Custom Policy to a RAM User

1) Log on to the RAM console by using your Alibaba Cloud account.
2) Create a custom policy. For more information, see Create a custom policy. The following code provides an example for the policy document:

{
    "Statement": [
        {
            "Action": [
                "elasticsearch:*"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId>"
        },
        {
            "Action": [
                "elasticsearch:ListCollectors"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:collectors/*"
        },
        {
            "Action": [
                "elasticsearch:ListInstance",
                "elasticsearch:ListSnapshotReposByInstanceId"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cms:ListAlarm",
                "cms:DescribeActiveMetricRuleList",
                "cms:QueryMetricList"
            ],
            "Resource": "*"
        },
        {
            "Action": [
                "elasticsearch:ListTags"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:*:tags/*"
        },
        {
            "Action": [
                "elasticsearch:GetEmonProjectList"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:*:emonProjects/*"
        },
        {
            "Action": [
                "elasticsearch:getEmonUserConfig"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:*:emonUserConfig/*"
        },
        {
            "Action": "ims:*",
            "Effect": "Allow",
            "Resource": "acs:ims::<yourAccountId>:application/*"
        }
    ],
    "Version": "1"
}

Before you use the preceding code, you must replace the variables in the code with the desired values.

| Variable | Description |
| --- | --- |
| <yourAccountId> | Replace this variable with the ID of your Alibaba Cloud account. Wildcards (*) are not supported. To obtain the ID of your Alibaba Cloud account, perform the following operations: Log on to the Alibaba Cloud Management Console and move the pointer over the profile picture in the upper-right corner. Then, you can view the ID of your Alibaba Cloud account. |
| <yourInstanceId> | Replace this variable with the ID of the Elasticsearch cluster whose permissions you want to grant. Wildcards (*) are not supported. For information about how to obtain the ID, see View the basic information of a cluster. |

External interfaces that are used to call specific services, such as Beats, Advanced Monitoring and Alerting, and Tag, are integrated into the cluster management page of the Elasticsearch console. If you want to manage only the clusters in a specific resource group in the Elasticsearch console as a RAM user, you must configure a custom policy whose effective scope is the Alibaba Cloud account to which the RAM user belongs and attach the policy to the RAM user. This way, the RAM user can pass permission verification on the cluster management page.

3) Create a RAM user. For more information, see Create a RAM user.

4) Attach the newly created custom policy, whose effective scope is the Alibaba Cloud account to which the RAM user belongs, to the RAM user. For more information, see Grant permissions to a RAM user. When you attach the custom policy to the RAM user, set the Authorized Scope parameter to Alibaba Cloud Account and select the custom policy in the Select Policy section.
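
A pre-flight check for the policy document from step 2, as an added example (not part of the original article or of Alibaba Cloud tooling): it substitutes the two variables while refusing wildcards, then lists every service-wide Allow (elasticsearch:*, ims:*) and whether it is limited to a single resource. The function names, the allowed ID character set and the sample IDs are assumptions made for illustration.

```python
import json
import re

# Trimmed copy of the page's policy document, placeholders intact.
TEMPLATE = """
{"Version": "1", "Statement": [
  {"Action": ["elasticsearch:*"], "Effect": "Allow",
   "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId>"},
  {"Action": ["elasticsearch:ListInstance"], "Effect": "Allow",
   "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/*"},
  {"Action": "ims:*", "Effect": "Allow",
   "Resource": "acs:ims::<yourAccountId>:application/*"}
]}
"""

# Assumption: IDs use only these characters; this rejects "*", ":" and "/".
SAFE_ID = re.compile(r"[A-Za-z0-9_-]+")


def render_policy(template, account_id, instance_id):
    """Substitute both variables, refusing wildcards or empty values."""
    for name, value in (("<yourAccountId>", account_id),
                        ("<yourInstanceId>", instance_id)):
        if not SAFE_ID.fullmatch(value):
            raise ValueError(f"{name}: wildcard or invalid value {value!r}")
        template = template.replace(name, value)
    leftover = re.findall(r"<your\w+>", template)
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return json.loads(template)


def wildcard_grants(policy):
    """Return (action, resource, single_resource) for each service-wide Allow."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            if stmt["Effect"] == "Allow" and action.endswith(":*"):
                # Last ARN field is "<type>/<id>"; "*" there means every resource.
                target = stmt["Resource"].rsplit(":", 1)[-1]
                findings.append((action, stmt["Resource"], "*" not in target))
    return findings


if __name__ == "__main__":
    # Constructed sample IDs, not real values.
    policy = render_policy(TEMPLATE, "1234567890123456", "es-cn-example0001")
    for action, resource, single in wildcard_grants(policy):
        print("OK  " if single else "WIDE", action, "on", resource)
```

In the page's policy, elasticsearch:* is confined to the one instance ID, while ims:* covers every application resource in the account; the second is the grant to review if a narrower scope is wanted.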


Step 2: Create a Resource Group and Attach a System Policy

1) Log on to the Resource Management console.

2) Create a Resource Group.
In the Resource Management console, create a new resource group. For instructions, see the Resource Management guide.

3) Transfer the Elasticsearch Cluster.
Move your Elasticsearch cluster to the newly created resource group. For more information, refer to the guide on transferring resources across resource groups.

4) Attach the System Policy.
Attach the AliyunElasticsearchFullAccess policy to the RAM user to grant the necessary permissions for the specific resource group.

5) View the authorization information of the RAM user.

  • Click the Permissions tab.
  • Click the name of the RAM user in the Principal column.
  • On the page that appears, click the Permissions tab and view the authorization information of the RAM user.

Step 3: Check whether the permissions on the cluster are granted to the RAM user

1) Log on to the Elasticsearch console as the RAM user.
2) In the top navigation bar, select the region where the desired cluster resides.
3) In the left-side navigation pane, click Elasticsearch Clusters.
4) In the top navigation bar, select the newly created resource group and view the information about the cluster.

Concluding Thoughts

By employing resource groups to manage RAM user permissions in Alibaba Cloud Elasticsearch, you can streamline cluster access and enhance security. Leverage this approach for efficient and secure cluster management.

Ready to start your journey with Elasticsearch on Alibaba Cloud? Explore our tailored Cloud solutions and services to take the first step towards transforming your data into a visual masterpiece.
