In Elasticsearch (ES), accessing Kibana or an instance over a private network through a PrivateLink endpoint, managing Beats collectors, and manually backing up or restoring data all require access to resources of other cloud services, which ES obtains by assuming a RAM role (a service-linked role). When you perform one of these operations and the corresponding service-linked role does not exist yet, the system creates it for you automatically. This topic describes the service-linked roles used by ES and explains how to delete them.
Scenarios
The service-linked roles are used in the following scenarios:
AliyunServiceRoleForElasticsearch: accessing the nodes or Kibana of a cloud-native-managed ES instance from within your VPC.
AliyunServiceRoleForElasticsearchCollector: creating and managing Beats collectors.
AliyunServiceRoleForElasticsearchOSS: manually backing up or restoring data when the automatic authorization feature is used to associate a custom OSS bucket.
For details about service-linked roles in general, see Service-linked roles.
ES service-linked roles
AliyunServiceRoleForElasticsearch
When you need to access the nodes or Kibana of a cloud-native-managed ES instance from within a VPC and no role with the required permissions exists, ES automatically creates the corresponding service-linked role and grants it the permissions listed below. ES assumes this role to call PrivateLink and ECS network-configuration APIs on your behalf, creating resources such as the VPC endpoint and completing the related configuration so that requirements such as private network access to Kibana are met. The role is described as follows:
Role name: AliyunServiceRoleForElasticsearch
Role policy name: AliyunServiceRolePolicyForElasticsearch
Role policy content:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:AssignIpv6Addresses",
"ecs:AssignPrivateIpAddresses",
"ecs:AttachNetworkInterface",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:CreateNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:CreateSecurityGroup",
"ecs:DeleteNetworkInterface",
"ecs:DeleteSecurityGroup",
"ecs:DescribeInstanceAttribute",
"ecs:DescribeInstances",
"ecs:DescribeNetworkInterfaceAttribute",
"ecs:DescribeNetworkInterfaces",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroupReferences",
"ecs:DescribeSecurityGroups",
"ecs:DetachNetworkInterface",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:ModifySecurityGroupAttribute",
"ecs:ModifySecurityGroupEgressRule",
"ecs:ModifySecurityGroupPolicy",
"ecs:ModifySecurityGroupRule",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:UnassignIpv6Addresses",
"ecs:UnassignPrivateIpAddresses"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"pvtz:AddZone",
"pvtz:AddZoneRecord",
"pvtz:DeleteZone",
"pvtz:DeleteZoneRecord",
"pvtz:DescribeZoneRecords",
"pvtz:UpdateZoneRecord"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVSwitches"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:GetVpcEndpointAttribute",
"privatelink:ListVpcEndpointSecurityGroups",
"privatelink:AttachSecurityGroupToVpcEndpoint",
"privatelink:DetachSecurityGroupFromVpcEndpoint",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint",
"privatelink:ListVpcEndpointZones",
"privatelink:DeleteVpcEndpoint"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "privatelink.aliyuncs.com"
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "elasticsearch.aliyuncs.com"
}
}
}
]
}
Service name: elasticsearch.aliyuncs.com
Permission required by the user to create the service-linked role: ram:CreateServiceLinkedRole
Note that the ecs, pvtz, vpc and privatelink statements above all apply to Resource "*", so the role can create, modify and delete security groups, ENIs, private-zone records and VPC endpoints anywhere in the account. Only the two ram statements are narrowed by a Condition: the role may create the PrivateLink service-linked role (ram:ServiceName privatelink.aliyuncs.com) and delete its own (elasticsearch.aliyuncs.com), nothing else.
AliyunServiceRoleForElasticsearchCollector
When you create and manage Beats collectors and no role with the required permissions exists, ES automatically creates the corresponding service-linked role and grants it the permissions listed below. ES assumes this role to call OpenAPI operations that deploy Beats collectors and run data collection on the target ECS instances or ACK (Kubernetes) cluster nodes. The role is described as follows:
Role name: AliyunServiceRoleForElasticsearchCollector
Role policy name: AliyunServiceRolePolicyForElasticsearchCollector
Role policy content:
{
"Version": "1",
"Statement": [
{
"Action": [
"oos:CancelExecution",
"oos:DeleteExecutions",
"oos:GenerateExecutionPolicy",
"oos:GetExecutionTemplate",
"oos:ListExecutionLogs",
"oos:ListExecutions",
"oos:ListTaskExecutions",
"oos:NotifyExecution",
"oos:StartExecution",
"oos:ListTagResources",
"oos:TagResources",
"oos:UntagResources",
"oos:CreateTemplate",
"oos:DeleteTemplate",
"oos:GetTemplate",
"oos:ListExecutionRiskyTasks",
"oos:ListTemplates",
"oos:UpdateTemplate"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeCloudAssistantStatus"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cs:GetUserConfig",
"cs:GetClusters",
"cs:GetClusterById"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
"Condition": {
"StringEquals": {
"acs:Service": "oos.aliyuncs.com"
}
}
}
]
}
Service name: collector.elasticsearch.aliyuncs.com
Permission required by the user to create the service-linked role: ram:CreateServiceLinkedRole
The oos, ecs and cs statements apply to Resource "*". The ram:PassRole statement, by contrast, is limited to the single role aliyunoosaccessingecs4esrole and to passing it to oos.aliyuncs.com; that is the shape a reviewer should expect for PassRole, because an unscoped PassRole would let the collector hand any role in the account to OOS.
AliyunServiceRoleForElasticsearchOSS
When you use your own OSS bucket to back up and restore data and no role with the required permissions exists, ES automatically creates the corresponding service-linked role and grants it the permissions listed below. ES assumes this role to access your OSS bucket through OpenAPI and complete the backup or restore task. The role is described as follows:
Role name: AliyunServiceRoleForElasticsearchOSS
Role policy name: AliyunServiceRolePolicyForElasticsearchOSS
Role policy content:
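The two policies above are long, and the security-relevant questions are the same for both: which services does the role touch, which statements are unconditioned wildcards, and are the identity-pivoting actions (ram:CreateServiceLinkedRole, ram:DeleteServiceLinkedRole, ram:PassRole) narrowed by a Condition or a specific Resource? The following script is an added example, not code from the Alibaba Cloud documentation or SDK, that answers those questions for any RAM policy document. The two embedded policies are constructed excerpts of AliyunServiceRolePolicyForElasticsearch and AliyunServiceRolePolicyForElasticsearchCollector; the audit rules are this example's own choice of what a reviewer would flag.

```python
"""Least-privilege audit of Alibaba Cloud RAM policy documents.

Added example, not Alibaba Cloud code. The policies below are constructed
excerpts of the two service-linked-role policies shown on this page.
"""
import json
from collections import defaultdict

# Constructed excerpt of AliyunServiceRolePolicyForElasticsearch.
ES_POLICY_EXCERPT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup",
                    "ecs:DescribeInstances"],
         "Resource": ["*"], "Effect": "Allow"},
        {"Action": ["privatelink:CreateVpcEndpoint", "privatelink:DeleteVpcEndpoint"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}}},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "elasticsearch.aliyuncs.com"}}},
    ],
})

# Constructed excerpt of AliyunServiceRolePolicyForElasticsearchCollector.
COLLECTOR_POLICY_EXCERPT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["oos:StartExecution", "oos:CreateTemplate"],
         "Resource": "*", "Effect": "Allow"},
        {"Effect": "Allow", "Action": "ram:PassRole",
         "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
         "Condition": {"StringEquals": {"acs:Service": "oos.aliyuncs.com"}}},
    ],
})

# Actions that mint or hand out identities; each must be narrowed by a
# Condition (or a specific Resource) to be acceptable in review.
PRIVILEGE_PIVOT_ACTIONS = {
    "ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole", "ram:PassRole",
}


def _as_list(value):
    """RAM allows a bare string or a list for Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def summarize_actions(policy_json):
    """Return {service_prefix: sorted list of actions} over all Allow statements."""
    by_service = defaultdict(set)
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            by_service[action.split(":", 1)[0]].add(action)
    return {k: sorted(v) for k, v in by_service.items()}


def service_linked_role_scopes(policy_json):
    """Map each ram:*ServiceLinkedRole action to the ram:ServiceName values scoping it."""
    scopes = {}
    for stmt in json.loads(policy_json)["Statement"]:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        names = _as_list(cond.get("ram:ServiceName", []))
        for action in _as_list(stmt["Action"]):
            if action.endswith("ServiceLinkedRole"):
                scopes.setdefault(action, []).extend(names)
    return scopes


def audit_policy(policy_json):
    """Return [(statement_index, finding)] for statements a reviewer should look at."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        has_condition = bool(stmt.get("Condition"))
        if "*" in _as_list(stmt["Resource"]) and not has_condition:
            findings.append((i, "wildcard-resource-no-condition"))
        for action in _as_list(stmt["Action"]):
            if action in PRIVILEGE_PIVOT_ACTIONS and not has_condition:
                findings.append((i, f"unscoped-{action}"))
            if action.endswith("*"):
                findings.append((i, f"wildcard-action-{action}"))
    return findings


if __name__ == "__main__":
    for name, doc in (("ES", ES_POLICY_EXCERPT), ("Collector", COLLECTOR_POLICY_EXCERPT)):
        print(name, summarize_actions(doc))
        print(name, service_linked_role_scopes(doc))
        print(name, audit_policy(doc))
```

Run against the full policies, the audit flags every ecs/pvtz/vpc/privatelink/oos/ecs/cs statement as an unconditioned wildcard-resource grant and reports no unscoped identity-pivot action, which matches what the page shows: the broad grants are on infrastructure APIs, while the ram statements are the ones carrying conditions.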
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject",
"oss:GetObjectVersion",
"oss:GetObjectVersionTagging",
"oss:GetObjectMeta",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetBucketVersioning",
"oss:GetBucketInfo",
"oss:GetBucketAcl"
],
"Resource": [
"acs:oss:*:*:es-alicloud-*/*",
"acs:oss:*:*:es-alicloud-*",
"acs:oss:*:*:*/*es-alicloud*/*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject",
"oss:GetObjectMeta",
"oss:GetObjectVersion",
"oss:GetObjectVersionTagging",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetBucketVersioning",
"oss:GetBucketInfo",
"oss:GetBucketAcl"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"oss:BucketTag/es-alicloud": [
"es-alicloud"
]
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "oss.elasticsearch.aliyuncs.com"
}
}
}
]
}
Service name: oss.elasticsearch.aliyuncs.com
Permission required by the user to create the service-linked role: ram:CreateServiceLinkedRole
The two OSS statements limit the role to three things: buckets whose names start with es-alicloud-, object paths containing es-alicloud in any bucket, and buckets tagged es-alicloud=es-alicloud. Reserve that naming and tagging convention for ES snapshot storage: any bucket you name or tag that way becomes readable and writable by this role, and the role can delete objects (oss:DeleteObject) within that scope.
Delete a service-linked role
Before you delete a service-linked role, delete all tasks or devices that depend on it. For the procedure, see Delete a service-linked role.
FAQ
Q: Why can't my RAM user create the ES service-linked roles?
A: Only the Alibaba Cloud account or a RAM user that has the ram:CreateServiceLinkedRole permission can create or delete service-linked roles. If a RAM user cannot have the service-linked role created automatically, attach the following policy to that user. For the procedure, see Grant permissions to a RAM user.
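To see which buckets and objects the OSS policy above actually covers, the following added example (not code from the Alibaba Cloud documentation or SDK) re-implements its two OSS statements as a small matcher and runs it over a constructed bucket inventory. It assumes RAM resource patterns are globs in which * matches any run of characters, including /, and ? matches one character, and that the bucket-tag Condition is an exact string comparison; bucket tags are supplied inline as sample data rather than fetched from OSS.

```python
"""Which OSS buckets/objects can AliyunServiceRoleForElasticsearchOSS reach?

Added example, not Alibaba Cloud code. Assumption: '*' in a RAM resource
pattern matches any characters (including '/'), '?' matches exactly one.
"""
import re

# Resource patterns copied from the first OSS statement of the policy above.
NAME_SCOPED_RESOURCES = [
    "acs:oss:*:*:es-alicloud-*/*",
    "acs:oss:*:*:es-alicloud-*",
    "acs:oss:*:*:*/*es-alicloud*/*",
]
# Tag key and value required by the second statement's Condition.
REQUIRED_TAG = ("es-alicloud", "es-alicloud")


def _glob_to_regex(pattern):
    """Translate a RAM resource glob into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


_NAME_SCOPED = [_glob_to_regex(p) for p in NAME_SCOPED_RESOURCES]


def oss_arn(bucket, key=None):
    """Build the OSS resource form used in RAM policies: acs:oss:*:*:bucket[/key]."""
    return f"acs:oss:*:*:{bucket}" + (f"/{key}" if key is not None else "")


def matches_name_scope(bucket, key=None):
    """First statement: bucket/object matches one of the name-based patterns."""
    arn = oss_arn(bucket, key)
    return any(rx.match(arn) for rx in _NAME_SCOPED)


def matches_tag_scope(bucket_tags):
    """Second statement: the bucket carries the tag es-alicloud=es-alicloud."""
    return bucket_tags.get(REQUIRED_TAG[0]) == REQUIRED_TAG[1]


def role_can_reach(bucket, key=None, bucket_tags=None):
    """True if either OSS statement allows the role to act on this bucket/object."""
    return matches_name_scope(bucket, key) or matches_tag_scope(bucket_tags or {})


# Constructed sample inventory: bucket name -> bucket tags.
SAMPLE_BUCKETS = {
    "es-alicloud-snapshots": {},
    "finance-reports": {},
    "shared-data": {"es-alicloud": "es-alicloud"},
}


def in_scope_buckets(inventory):
    """Bucket names the role can act on at bucket level (ListObjects, GetBucketInfo, ...)."""
    return sorted(b for b, tags in inventory.items() if role_can_reach(b, None, tags))


if __name__ == "__main__":
    print(in_scope_buckets(SAMPLE_BUCKETS))
    # The third pattern reaches into buckets that are neither named nor tagged
    # for ES, as long as the object key has a path segment containing es-alicloud.
    print(role_can_reach("finance-reports", "backups/es-alicloud-2024/snap-1"))
```

The last check is the one worth remembering: finance-reports is out of scope at bucket level, but an object stored under a key such as backups/es-alicloud-2024/snap-1 inside it is reachable by the role through the third pattern, so the es-alicloud string should not be used in object paths of buckets that are not meant for ES snapshots.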
{
"Version": "1",
"Statement": [
{
"Action": "elasticsearch:InitializeOperationRole",
"Resource": "acs:ram:*:133071096032****:role/*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "acs:ram:*:133071096032****:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"XXX.aliyuncs.com"
]
}
}
}
]
}
The value 133071096032**** in Resource must be replaced with your Alibaba Cloud account ID. To find it, move the pointer over the account avatar in the upper-right corner of the console; the account ID is displayed there.
The value XXX.aliyuncs.com in ram:ServiceName must be replaced with the ram:ServiceName of the corresponding service-linked role. The value is a list, so include only the service names for the roles the user actually needs to create:
AliyunServiceRoleForElasticsearch (enable private network access to Kibana for an ES instance): elasticsearch.aliyuncs.com
AliyunServiceRoleForElasticsearchCollector (create and manage Beats collectors): collector.elasticsearch.aliyuncs.com
AliyunServiceRoleForElasticsearchOSS (manually back up and restore data): oss.elasticsearch.aliyuncs.com
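The following added example (not code from the Alibaba Cloud documentation or SDK) fills the two placeholders in the FAQ policy for a chosen set of roles and refuses the two mistakes that most often leave the policy ineffective: a placeholder account ID left in place, and a role name that does not map to a service name. The check that the account ID is 16 decimal digits is this example's own assumption about the ID format.

```python
"""Render the RAM-user grant policy from the FAQ for a chosen set of roles.

Added example, not Alibaba Cloud code. Assumption: an Alibaba Cloud account
ID is a 16-digit number; anything else (including the 133071096032****
placeholder) is rejected.
"""
import json
import re

# Role name -> ram:ServiceName, exactly as listed in the FAQ above.
SERVICE_NAME_BY_ROLE = {
    "AliyunServiceRoleForElasticsearch": "elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchCollector": "collector.elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchOSS": "oss.elasticsearch.aliyuncs.com",
}


def is_account_id(value):
    """True for a 16-digit account ID; False for placeholders or masked IDs."""
    return re.fullmatch(r"\d{16}", value) is not None


def build_grant_policy(account_id, roles):
    """Return the FAQ policy as a dict, scoped to the given account and roles only."""
    if not is_account_id(account_id):
        raise ValueError("account_id must be the 16-digit Alibaba Cloud account ID")
    unknown = sorted(set(roles) - set(SERVICE_NAME_BY_ROLE))
    if unknown or not roles:
        raise ValueError(f"unknown or empty role list: {unknown}")
    # Deduplicate and sort so the rendered policy is stable for diffing/review.
    service_names = sorted({SERVICE_NAME_BY_ROLE[r] for r in roles})
    role_resource = f"acs:ram:*:{account_id}:role/*"
    return {
        "Version": "1",
        "Statement": [
            {
                "Action": "elasticsearch:InitializeOperationRole",
                "Resource": role_resource,
                "Effect": "Allow",
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": role_resource,
                "Effect": "Allow",
                "Condition": {"StringEquals": {"ram:ServiceName": service_names}},
            },
        ],
    }


def policy_document(account_id, roles):
    """JSON text ready to paste into the RAM console as a custom policy."""
    return json.dumps(build_grant_policy(account_id, roles), indent=2)


if __name__ == "__main__":
    # A user who only runs manual OSS backups needs only the OSS service name.
    print(policy_document("1234567890123456", ["AliyunServiceRoleForElasticsearchOSS"]))
```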