
Elasticsearch: Service-linked roles for Alibaba Cloud Elasticsearch

Last updated: Jun 30, 2024

In Elasticsearch (ES), operations such as private-network access to Kibana or an instance through a PrivateLink endpoint, managing Beats collectors, and manually backing up or restoring data require ES to access the resources of other cloud services by assuming a RAM role (a service-linked role). When you perform one of these operations and the corresponding service-linked role does not exist yet, the system creates it for you automatically. This topic describes the ES service-linked roles and how to delete them.

Scenarios

The service-linked roles are used in the following scenarios:

  • AliyunServiceRoleForElasticsearch: accessing the nodes or Kibana of a cloud-native managed ES instance from within your VPC.

  • AliyunServiceRoleForElasticsearchCollector: creating and managing Beats collectors.

  • AliyunServiceRoleForElasticsearchOSS: manually backing up or restoring data when the automatic authorization feature is used to associate a custom OSS bucket.

For more information about service-linked roles, see Service-linked roles.

ES service-linked roles

AliyunServiceRoleForElasticsearch

When you need to access the nodes or Kibana of a cloud-native managed ES instance from within a VPC, and no role with the permissions required for the task exists, ES automatically creates the corresponding role (a service-linked role) and grants it the required permissions. ES assumes this role to call PrivateLink and ECS network configuration APIs, creating resources such as endpoints and completing the related configuration so that, for example, Kibana can be accessed over the private network. The role is described below:

  • Role name: AliyunServiceRoleForElasticsearch

  • Role policy name: AliyunServiceRolePolicyForElasticsearch

  • Role policy content:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:AssignIpv6Addresses",
        "ecs:AssignPrivateIpAddresses",
        "ecs:AttachNetworkInterface",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:CreateNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeSecurityGroups",
        "ecs:DetachNetworkInterface",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:UnassignIpv6Addresses",
        "ecs:UnassignPrivateIpAddresses"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:AddZone",
        "pvtz:AddZoneRecord",
        "pvtz:DeleteZone",
        "pvtz:DeleteZoneRecord",
        "pvtz:DescribeZoneRecords",
        "pvtz:UpdateZoneRecord"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}

  • Service name: elasticsearch.aliyuncs.com

  • User permission required to perform operations on the service-linked role: ram:CreateServiceLinkedRole

AliyunServiceRoleForElasticsearchCollector

When you create and manage Beats collectors, and no role with the permissions required for the task exists, ES automatically creates the corresponding role (a service-linked role) and grants it the required permissions. ES assumes this role to call OpenAPI operations and complete the data collection tasks of Beats collectors on the target ECS instances or ACK (Container Service for Kubernetes) machines. The role is described below:

  • Role name: AliyunServiceRoleForElasticsearchCollector

  • Role policy name: AliyunServiceRolePolicyForElasticsearchCollector

  • Role policy content:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oos:CancelExecution",
        "oos:DeleteExecutions",
        "oos:GenerateExecutionPolicy",
        "oos:GetExecutionTemplate",
        "oos:ListExecutionLogs",
        "oos:ListExecutions",
        "oos:ListTaskExecutions",
        "oos:NotifyExecution",
        "oos:StartExecution",
        "oos:ListTagResources",
        "oos:TagResources",
        "oos:UntagResources",
        "oos:CreateTemplate",
        "oos:DeleteTemplate",
        "oos:GetTemplate",
        "oos:ListExecutionRiskyTasks",
        "oos:ListTemplates",
        "oos:UpdateTemplate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:GetUserConfig",
        "cs:GetClusters",
        "cs:GetClusterById"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
      "Condition": {
        "StringEquals": {
          "acs:Service": "oos.aliyuncs.com"
        }
      }
    }
  ]
}

  • Service name: collector.elasticsearch.aliyuncs.com

  • User permission required to perform operations on the service-linked role: ram:CreateServiceLinkedRole

AliyunServiceRoleForElasticsearchOSS

When you need to use your own OSS bucket to back up and restore data, and no role with the permissions required for the task exists, ES automatically creates the corresponding role (a service-linked role) and grants it the required permissions. ES assumes this role to access your OSS bucket through OpenAPI and complete the backup or restore task. The role is described below:

  • Role name: AliyunServiceRoleForElasticsearchOSS

  • Role policy name: AliyunServiceRolePolicyForElasticsearchOSS

  • Role policy content:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionTagging",
        "oss:GetObjectMeta",
        "oss:DeleteObject",
        "oss:PutObject",
        "oss:GetBucketVersioning",
        "oss:GetBucketInfo",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:es-alicloud-*/*",
        "acs:oss:*:*:es-alicloud-*",
        "acs:oss:*:*:*/*es-alicloud*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:GetObjectMeta",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionTagging",
        "oss:DeleteObject",
        "oss:PutObject",
        "oss:GetBucketVersioning",
        "oss:GetBucketInfo",
        "oss:GetBucketAcl"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:BucketTag/es-alicloud": [
            "es-alicloud"
          ]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "oss.elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}

  • Service name: oss.elasticsearch.aliyuncs.com

  • User permission required to perform operations on the service-linked role: ram:CreateServiceLinkedRole

Delete a service-linked role

Before you delete a service-linked role, delete all tasks and devices that depend on it. For how to delete a service-linked role, see Delete a service-linked role.

FAQ

Q: Why can't my RAM user create an ES service-linked role?

A: Only an Alibaba Cloud account, or a RAM user that has the CreateServiceLinkedRole permission, can create or delete a service-linked role. If a RAM user cannot automatically create the service-linked role, manually attach the following policy to the user. For how to do this, see Grant permissions to a RAM user.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "elasticsearch:InitializeOperationRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "XXX.aliyuncs.com"
          ]
        }
      }
    }
  ]
}

  • Replace the value 133071096032**** in Resource with your Alibaba Cloud account ID.

    To obtain your Alibaba Cloud account ID, move the pointer over the account avatar in the upper-right corner of the console; the account ID is displayed.

  • Replace the value XXX.aliyuncs.com in ram:ServiceName with the ram:ServiceName of the corresponding service-linked role:

    • AliyunServiceRoleForElasticsearch (enable private-network access to Kibana for an ES instance): elasticsearch.aliyuncs.com

    • AliyunServiceRoleForElasticsearchCollector (create and manage Beats collectors): collector.elasticsearch.aliyuncs.com

    • AliyunServiceRoleForElasticsearchOSS (manually back up and restore data): oss.elasticsearch.aliyuncs.com
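To show why both placeholders in the policy above must be replaced, here is an added Python example (not code from this page or from Alibaba Cloud) that evaluates a RAM policy document against a request; it goes beyond the FAQ case by implementing the general Action/Resource wildcard and StringEquals matching, and the account ID, role ARN and helper names are constructed assumptions for the example.

```python
"""Minimal evaluator for Alibaba Cloud RAM policy documents (added example).
Supports Action/Resource as a string or list with `*` wildcards and the StringEquals
condition operator; Deny statements and other operators are out of scope, so an
unknown operator is treated as unsatisfied (the conservative reading for an audit)."""
import fnmatch

ACCOUNT_ID = "1234567890123456"  # constructed sample account ID, not a real one

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate):
    # `*` is the only wildcard used in RAM Action/Resource strings
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))

def _condition_holds(condition, context):
    if set(condition) - {"StringEquals"}:
        return False  # operator we do not model: do not assume it is satisfied
    return all(context.get(key) in _as_list(expected)
               for key, expected in condition.get("StringEquals", {}).items())

def is_allowed(policy, action, resource, context=None):
    context = context or {}
    return any(
        _matches(stmt["Action"], action)
        and _matches(stmt["Resource"], resource)
        and _condition_holds(stmt.get("Condition", {}), context)
        for stmt in policy["Statement"] if stmt.get("Effect") == "Allow"
    )

def ram_user_policy(service_name, account_id=ACCOUNT_ID):
    """The FAQ policy from this page with its two placeholders filled in."""
    role_scope = f"acs:ram:*:{account_id}:role/*"
    return {"Version": "1", "Statement": [
        {"Action": "elasticsearch:InitializeOperationRole",
         "Resource": role_scope, "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": role_scope,
         "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": [service_name]}}},
    ]}

def can_create_slr(policy, role_name, service_name, account_id=ACCOUNT_ID):
    """Would a RAM user holding `policy` be able to create this service-linked role?"""
    role_arn = f"acs:ram::{account_id}:role/{role_name}"  # RAM role ARNs carry no region
    return is_allowed(policy, "ram:CreateServiceLinkedRole", role_arn,
                      {"ram:ServiceName": service_name})
```

A policy left with XXX.aliyuncs.com, or scoped to a different account ID, evaluates to "not allowed", which is exactly the symptom the FAQ describes.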