If you want to allow a RAM user to view and manage only a specific cluster in the Alibaba Cloud Elasticsearch console, you can use a resource group to grant permissions on the cluster to the RAM user. This topic describes how to use a resource group to grant permissions on a specific cluster to a RAM user.
Procedure
If you select the default resource group when you create an Alibaba Cloud Elasticsearch cluster, the cluster is created in the default resource group. In this case, when you grant permissions on the cluster to a RAM user, you can select a specific resource group, but the resource group does not take effect for the authorization.
To resolve this issue, you must attach a custom policy whose effective scope is the Alibaba Cloud account to which the RAM user belongs to the RAM user. Then, you must create a resource group, transfer the Elasticsearch cluster to the resource group, and attach a system policy whose effective scope is the resource group to the RAM user.
Step 1: Attach a custom policy whose effective scope is the entire Alibaba Cloud account to a RAM user of the account
Log on to the RAM console as a RAM user who has administrative rights.
Create a custom policy.
For more information, see Create a custom policy. The following code provides an example for the policy document:
{ "Statement": [ { "Action": [ "elasticsearch:*" ], "Effect": "Allow", "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId>" }, { "Action": [ "elasticsearch:ListCollectors" ], "Effect": "Allow", "Resource": "acs:elasticsearch:*:<yourAccountId>:collectors/*" }, { "Action": [ "elasticsearch:ListInstance", "elasticsearch:ListSnapshotReposByInstanceId" ], "Effect": "Allow", "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/*" }, { "Effect": "Allow", "Action": [ "cms:ListAlarm", "cms:DescribeActiveMetricRuleList", "cms:QueryMetricList" ], "Resource": "*" }, { "Action": [ "elasticsearch:ListTags" ], "Effect": "Allow", "Resource": "acs:elasticsearch:*:*:tags/*" }, { "Action": [ "elasticsearch:GetEmonProjectList" ], "Effect": "Allow", "Resource": "acs:elasticsearch:*:*:emonProjects/*" }, { "Action": [ "elasticsearch:getEmonUserConfig" ], "Effect": "Allow", "Resource": "acs:elasticsearch:*:*:emonUserConfig/*" }, { "Action": "ims:*", "Effect": "Allow", "Resource": "acs:ims::<yourAccountId>:application/*" } ], "Version": "1" }Before you use the preceding code, you must replace the variables in the code with the desired values.
Variable
Description
<yourAccountId>
Replace this variable with the ID of your Alibaba Cloud account. Wildcards (
*) are not supported. To obtain the ID of your Alibaba Cloud account, perform the following operations: Log on to the Alibaba Cloud Management Console and move the pointer over the profile picture in the upper-right corner. Then, you can view the ID of your Alibaba Cloud account.<yourInstanceId>
Replace this variable with the ID of the Elasticsearch cluster whose permissions you want to grant. Wildcards (
*) are not supported. For more information about how to obtain the ID, see View the basic information of a cluster.External interfaces that are used to call specific services, such as Beats, Advanced Monitoring and Alerting, and Tag, are integrated into the cluster management page of the Elasticsearch console. If you want to manage only the clusters in a specific resource group in the Elasticsearch console as a RAM user, you must configure a custom policy whose effective scope is the Alibaba Cloud account to which the RAM user belongs and attach the policy to the RAM user. This way, the RAM user can pass permission verification on the cluster management page.
NoteAfter the policy for a specific Elasticsearch or Logstash cluster is created and attached to a RAM user, you can use one of the following URLs to directly access the Elasticsearch or Logstash cluster as the RAM user:
https://elasticsearch.console.aliyun.com/{regionId}/instances/{instanceId}/base
https://elasticsearch.console.aliyun.com/{regionId}/logstashes/{instanceId}/base
Create a RAM user.
For more information, see Create a RAM user.
Attach the newly created custom policy whose effective scope is the Alibaba Cloud account to which the RAM user belongs to the RAM user.
For more information, see Grant permissions to a RAM user. When you attach the custom policy to the RAM user, set Resource Scope parameter to Account and select the custom policy in the Policy section.
Step 2: (Optional) Create a resource group and attach a policy whose effective scope is the resource group to the RAM user
If your cluster is in a custom resource group, skip this step.
Log on to the Resource Management console.
Create a resource group.
For more information, see Create a resource group.
Transfer the desired cluster from the default resource group to the newly created resource group.
For more information, see Transfer resources across resource groups.
Attach a policy whose effective scope is the newly created resource group to the RAM user.
For more information, see Add RAM authorization. In the Grant Permission panel, you must set Principal to the RAM user and select the system policy AliyunElasticsearchFullAccess in the Policy section.
NoteAfter the authorization is complete, the principal is granted the relevant permissions on the resources in the resource group.
Step 3: Check whether the permissions on the cluster are granted to the RAM user
Log on to the Elasticsearch console as the RAM user.
In the left-side navigation pane, click Elasticsearch Clusters.
In the top navigation bar, select the newly created resource group and view the information about the cluster.