
Elasticsearch:Create a custom policy

Last Updated: Oct 20, 2023

If the system policies provided by Alibaba Cloud Elasticsearch do not meet your requirements, you can create custom policies. Custom policies enable finer-grained permission management than system policies. This topic describes how to create a custom policy and provides policy examples.

Background information

The following table lists the system policies that are provided by Alibaba Cloud Elasticsearch.

System policy | Description
AliyunElasticsearchReadOnlyAccess | Grants read-only permissions on Elasticsearch and Logstash clusters. Attach this policy to read-only users.
AliyunElasticsearchFullAccess | Grants management permissions on Elasticsearch clusters, Logstash clusters, and Beats shippers. Attach this policy to administrators.

Note

The preceding policies contain only permissions on Elasticsearch clusters, Logstash clusters, or Beats shippers. The policies do not contain permissions on CloudMonitor or tags. If you want to grant permissions on CloudMonitor or tags, you must create the related custom policies and attach the policies. For more information, see Policy for operation permissions on a specific cluster.

Prerequisites

You have understood the policy structure and syntax. For more information, see Policy structure and syntax.

Precautions

Custom policies take effect only at the account level and do not take effect at the resource group level. If you want the console to display only specific clusters for a RAM user, you can use a resource group to grant the related permissions on the clusters to the RAM user. For more information, see Use a resource group to grant permissions on a specific cluster.

Procedure

Create the policy on the JSON tab of the RAM console. For more information, see Create a custom policy on the JSON tab. Enter a policy document that matches your business requirements, or import an existing system policy as prompted and modify it to use the modified version as a custom policy. Keep the Resource element as narrow as the use case allows; the examples in this topic show both account-wide ("*") and single-cluster resource scopes.

Examples:

  • Permission to access the virtual private clouds (VPCs) that belong to your Alibaba Cloud account

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "elasticsearch:DescribeVpcs",
            "elasticsearch:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Permission to pay for orders

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "bss:PayOrder"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

For more information, see Policy examples.

Policy examples

Important

Before you use the sample code provided in this section, you must replace the following information with your actual information:

  • <yourAccountId>: Replace it with the ID of your Alibaba Cloud account. Wildcards (*) are not supported. To obtain the ID of your Alibaba Cloud account, perform the following operations: Log on to the Alibaba Cloud Management Console and move the pointer over the profile picture in the upper-right corner. Then, you can view the ID of your Alibaba Cloud account.

  • <yourInstanceId>: Replace it with the ID of the Elasticsearch cluster whose permissions you want to grant. Wildcards (*) are not supported. For more information about how to obtain the ID, see View the basic information of a cluster.

Policy for an administrator

In this example, a RAM user of the Alibaba Cloud account whose ID is indicated by <yourAccountId> is granted all operation permissions on all Elasticsearch clusters (elasticsearch:*), all CloudMonitor permissions (cms:*), the permission to pay for orders (bss:PayOrder), and the permission to create a service-linked role. The last statement uses a Condition element so that the RAM user can create a service-linked role only for the collector.elasticsearch.aliyuncs.com service (the service that backs Beats shippers), not for arbitrary services.

{
    "Statement": [
        {
            "Action": [
                "elasticsearch:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cms:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "bss:PayOrder",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "collector.elasticsearch.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

Policy for operation permissions on a specific cluster

In this example, the following permissions are granted to a RAM user of the Alibaba Cloud account whose ID is indicated by <yourAccountId>:

  • Permissions on CloudMonitor

  • Permission to perform all Elasticsearch-related operations on a specific cluster

  • Permission to view clusters

  • Permission to view all the tags that are added to clusters

  • Permission to view shippers

Note

Some features, such as Beats shippers, Advanced Monitoring and Alerting, and tags, are provided by other services or interfaces but are integrated into the cluster management page of the Elasticsearch console. Therefore, a policy that grants permissions on a specific cluster must also include the list and query permissions shown in the following sample policy document; otherwise, the console reports insufficient permissions on that page.

{
    "Statement": [
        {
            "Action": [
                "elasticsearch:*"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId>"
        },
        {
            "Action": [
                "cms:DescribeActiveMetricRuleList",
                "cms:ListAlarm",
                "cms:QueryMetricList"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "elasticsearch:ListTags"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:tags/*"
        },
        {
            "Action": [
                "elasticsearch:ListInstance",
                "elasticsearch:ListSnapshotReposByInstanceId"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/*"
        },
        {
            "Action": [
                "elasticsearch:ListLogstash"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:logstashes/*"
        }, 
        {
            "Action": [
                "elasticsearch:ListCollectors"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:collectors/*"
        }
    ],
    "Version": "1"
}
Table 1. Action element

Action

Description

[
  "cms:DescribeActiveMetricRuleList",
  "cms:ListAlarm",
  "cms:QueryMetricList"
]

The permissions on CloudMonitor.

  • cms:DescribeActiveMetricRuleList: the permission to query the services for which CloudMonitor is activated within the Alibaba Cloud account.

  • cms:ListAlarm: the permission to query all or specific alert rules.

  • cms:QueryMetricList: the permission to query the monitoring data of instances or clusters of a specific service within a period.

"bss:PayOrder"

The permission to pay for orders. After the RAM user is granted the permission, you can pay for the purchase orders of resources as the RAM user.

[
  "elasticsearch:DescribeVpcs",
  "elasticsearch:DescribeVSwitches"
]

The permissions to access the VPCs and vSwitches that belong to the Alibaba Cloud account. After the RAM user is granted the permissions, the VPC and vSwitch that belong to the Alibaba Cloud account can be selected when you purchase resources as the RAM user.

Important

When you authorize a RAM user to purchase resources, you must also specify ["bss:PayOrder"] in the Action element. Otherwise, the system displays a message that indicates insufficient permissions when you purchase resources as the RAM user.

[
  "elasticsearch:*"
]

All operation permissions on Elasticsearch clusters. After the RAM user is granted the permissions, you can perform operations on all or specific clusters as the RAM user.

Important

The permissions specified by elasticsearch:* do not include permissions on the Advanced Monitoring and Alerting, CloudMonitor, or Tag services. You must grant permissions on these services separately. If you do not, an insufficient-permissions message is displayed when the RAM user opens a related page in the console, but the features on that page for which the RAM user is authorized still work.

[
  "elasticsearch:ListTags"
]

The permission to query all the tags that are added to Elasticsearch clusters. After the RAM user is granted the permission, you can view all the tags that are added to Elasticsearch clusters as the RAM user.

[
  "elasticsearch:ListInstance",
  "elasticsearch:ListSnapshotReposByInstanceId"
]

  • elasticsearch:ListInstance: the permission to query Elasticsearch clusters.

  • elasticsearch:ListSnapshotReposByInstanceId: the permission to query shared Object Storage Service (OSS) repositories.

[
  "elasticsearch:ListCollectors"
]

The permission to query Beats shippers. After the RAM user is granted the permission, you can view all the created Beats shippers in the Elasticsearch console as the RAM user.

[
  "elasticsearch:ListLogstash"
]

The permission to query Logstash clusters. After the RAM user is granted the permission, you can view all the Logstash clusters in the related region on the Logstash Clusters page as the RAM user.

Table 2. Effect element

Effect

Description

Allow

Indicates that the RAM user can be used to perform the operations that are specified in the Action element.

Deny

Indicates that the RAM user cannot be used to perform the operations that are specified in the Action element.

Table 3. Resource element

For more information, see Elasticsearch objects supported for authorization.

Resource | Description
* | Indicates all resources, including all Elasticsearch clusters. Combined with elasticsearch:*, this grants the RAM user every operation on every cluster in the account.
acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId> | Indicates a specific cluster. Replace <yourAccountId> with the ID of your Alibaba Cloud account and <yourInstanceId> with the ID of the cluster whose permissions you want to grant; wildcards are not supported in either placeholder. For more information about how to obtain the cluster ID, see View the basic information of a cluster.

Policy for API operations

The following table lists the objects that you need to specify for the Resource and Action elements in a policy used to grant permissions to call API operations. The Resource column shows the suffix of the resource; in a policy document, prefix it with acs:elasticsearch:*:<yourAccountId>: as in the preceding examples. The Action column shows the operation name; in a policy document, prefix it with elasticsearch:.

Method | URI | Resource | Action
GET | /instances | instances/* | ListInstance
POST | /instances | instances/* | CreateInstance
GET | /instances/instanceId | instances/instanceId | DescribeInstance
DELETE | /instances/instanceId | instances/instanceId | DeleteInstance
POST | /instances/instanceId/actions/restart | instances/instanceId | RestartInstance
PUT | /instances/instanceId | instances/instanceId | UpdateInstance
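The following script is an added example, not code from Alibaba Cloud or part of the RAM service. It models the evaluation of the policy documents on this page so that you can check, before attaching a policy, which requests it allows: the policy for operation permissions on a specific cluster is rebuilt from its placeholders, the conditional ram:CreateServiceLinkedRole statement from the administrator policy is checked against two service names, and the API operations from the table above (DescribeInstance, DeleteInstance, ListInstance) are evaluated against cluster ARNs. The evaluator implements only what this page uses, namely "*" wildcards in Action and Resource, the StringEquals condition operator, and the order "explicit Deny wins, then explicit Allow, otherwise deny"; it does not model resource groups, other condition operators, or the combination of several attached policies. The account ID, cluster IDs and region are constructed placeholders.

```python
"""Minimal RAM policy evaluator (added example, not Alibaba Cloud's own engine).

Models only what this page uses: '*' wildcards in Action and Resource, the
StringEquals condition operator, and "explicit Deny wins, then explicit Allow,
otherwise deny". All identifiers below are constructed placeholders.
"""
import re

ACCOUNT_ID = "1234567890123456"  # constructed placeholder, not a real account ID
INSTANCE_ID = "es-cn-example01"  # constructed placeholder cluster ID
REGION = "cn-hangzhou"           # assumed region used in the request ARNs


def validate_id(value: str, name: str) -> str:
    """<yourAccountId> and <yourInstanceId> must be concrete IDs: wildcards are not supported."""
    if not value or "*" in value or "?" in value:
        raise ValueError(f"{name} must be a concrete ID without wildcards, got {value!r}")
    return value


def specific_cluster_policy(account_id: str, instance_id: str) -> dict:
    """Build the page's 'operation permissions on a specific cluster' policy document."""
    prefix = f"acs:elasticsearch:*:{validate_id(account_id, '<yourAccountId>')}:"
    own = prefix + "instances/" + validate_id(instance_id, "<yourInstanceId>")
    return {"Version": "1", "Statement": [
        {"Action": ["elasticsearch:*"], "Effect": "Allow", "Resource": own},
        {"Action": ["cms:DescribeActiveMetricRuleList", "cms:ListAlarm",
                    "cms:QueryMetricList"], "Effect": "Allow", "Resource": "*"},
        {"Action": ["elasticsearch:ListTags"], "Effect": "Allow",
         "Resource": prefix + "tags/*"},
        {"Action": ["elasticsearch:ListInstance",
                    "elasticsearch:ListSnapshotReposByInstanceId"],
         "Effect": "Allow", "Resource": prefix + "instances/*"},
        {"Action": ["elasticsearch:ListLogstash"], "Effect": "Allow",
         "Resource": prefix + "logstashes/*"},
        {"Action": ["elasticsearch:ListCollectors"], "Effect": "Allow",
         "Resource": prefix + "collectors/*"},
    ]}


# The conditional statement from the page's administrator policy.
SLR_STATEMENT = {
    "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
    "Condition": {"StringEquals": {
        "ram:ServiceName": ["collector.elasticsearch.aliyuncs.com"]}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters, including ':' and '/'; nothing else is special."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None


def _conditions_hold(condition: dict, context: dict) -> bool:
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, allowed in clauses.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict = None) -> str:
    """Return 'Allow' or 'Deny' for one request (action, resource ARN, condition context)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny


def demo() -> dict:
    """Requests a RAM user might make, checked against the page's policies."""
    policy = specific_cluster_policy(ACCOUNT_ID, INSTANCE_ID)
    es_only = {"Version": "1", "Statement": policy["Statement"][:1]}
    slr_only = {"Version": "1", "Statement": [SLR_STATEMENT]}
    own = f"acs:elasticsearch:{REGION}:{ACCOUNT_ID}:instances/{INSTANCE_ID}"
    other = f"acs:elasticsearch:{REGION}:{ACCOUNT_ID}:instances/es-cn-other02"
    cms = f"acs:cms:{REGION}:{ACCOUNT_ID}:*"
    return {
        "delete_own": evaluate(policy, "elasticsearch:DeleteInstance", own),
        "delete_other": evaluate(policy, "elasticsearch:DeleteInstance", other),
        "list_all": evaluate(policy, "elasticsearch:ListInstance", other),
        "metrics": evaluate(policy, "cms:QueryMetricList", cms),
        # elasticsearch:* does not cover CloudMonitor: without the cms statement, denied.
        "metrics_es_only": evaluate(es_only, "cms:QueryMetricList", cms),
        "pay_order": evaluate(policy, "bss:PayOrder", "*"),
        "slr_collector": evaluate(slr_only, "ram:CreateServiceLinkedRole", "*",
                                  {"ram:ServiceName": "collector.elasticsearch.aliyuncs.com"}),
        "slr_other_service": evaluate(slr_only, "ram:CreateServiceLinkedRole", "*",
                                      {"ram:ServiceName": "ecs.aliyuncs.com"}),
    }
```

Running demo() shows the scoping the page describes: DeleteInstance is allowed on the named cluster and denied on any other cluster, ListInstance is allowed account-wide because its Resource is instances/*, CloudMonitor metrics are allowed only while the cms statement is present, bss:PayOrder is denied because the specific-cluster policy never grants it, and the service-linked role can be created only for the collector service named in the Condition element. Use validate_id when you template policies, because a stray "*" in <yourAccountId> or <yourInstanceId> silently widens the grant.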

What to do next

After a custom policy is created, use your Alibaba Cloud account to attach the policy to a RAM user in the RAM console or by using a RAM SDK. For more information, see Grant permissions to RAM users.