Grant users access to secured resourcesedit
You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.
Typically you need the create the following separate roles:
- setup role for setting up index templates and other dependencies
- monitoring role for sending monitoring information
- writer role for publishing events collected by APM Server
- reader role for Kibana users who need to view and create visualizations that access APM Server data
X-Pack security provides built-in roles that grant a subset of the privileges needed by APM Server users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.
Grant privileges and roles needed for setupedit
Setting up APM Server is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a less restrictive role for event publishing.
Administrators who set up APM Server typically need to load mappings, dashboards, and other objects used to index data into Elasticsearch and visualize it in Kibana.
To grant users the required privileges:
-
Create a setup role, called something like
apm_setup, that has the following privileges:Type Privilege Purpose Cluster
monitorRetrieve cluster details (e.g. version)
Index
manageonapm-*indicesSet up aliases used by ILM
Omit any privileges that aren’t relevant in your environment.
These instructions assume that you are using the default name for APM Server indices. If you are using a custom name, modify the privileges to match your index naming pattern.
-
Assign the setup role, along with the following built-in roles, to users who need to set up APM Server:
Role Purpose kibana_userLoad dependencies, such as example dashboards, if available, into Kibana
ingest_adminSet up index templates and, if available, ingest pipelines
ingest_adminSet up ingest pipelines
Omit any roles that aren’t relevant in your environment.
Grant privileges and roles needed for monitoringedit
X-Pack security provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.
Important note for Elastic Cloud users
Built-in users are not available when running our hosted Elasticsearch Service on Elastic Cloud. To send monitoring data securely, create a monitoring user and grant it the roles described in the following sections.
-
If you’re using internal collection to collect metrics about APM Server, X-Pack security provides the
apm_systembuilt-in user andapm_systembuilt-in role to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to send monitoring information.If you use the
apm_systemuser, make sure you set the password.If you don’t use the
apm_systemuser:-
Create a monitoring role, called something like
apm_monitoring, that has the following privileges:Type Privilege Purpose Cluster
monitorRetrieve cluster details (e.g. version)
Index
create_indexon.monitoring-beats-*indicesCreate monitoring indices in Elasticsearch
Index
create_docon.monitoring-beats-*indicesWrite monitoring events into Elasticsearch
-
Assign the monitoring role, along with the following built-in roles, to users who need to monitor APM Server:
Role Purpose kibana_userUse Kibana
monitoring_userUse Stack Monitoring in Kibana to monitor APM Server
-
-
If you’re using Metricbeat to collect metrics about APM Server, X-Pack security provides the
remote_monitoring_userbuilt-in user, and theremote_monitoring_collectorandremote_monitoring_agentbuilt-in roles for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information.If you use the
remote_monitoring_useruser, make sure you set the password.If you don’t use the
remote_monitoring_useruser:- Create a user on the production cluster who will collect and send monitoring information.
-
Assign the following roles to the user:
Role Purpose remote_monitoring_collectorCollect monitoring metrics from APM Server
remote_monitoring_agentSend monitoring data to the monitoring cluster
-
Assign the following role to users who will view the monitoring data in Kibana:
Role Purpose monitoring_userUse Stack Monitoring in Kibana to monitor APM Server
Grant privileges and roles needed for publishingedit
Users who publish events to Elasticsearch need to create and write to APM Server indices. To minimize the privileges required by the writer role, use the setup role to pre-load dependencies. This section assumes that you’ve pre-loaded dependencies.
To grant the required privileges:
-
Create a writer role, called something like
apm_writer, that has the following privileges:The
monitorcluster privilege and thecreate_docprivilege onapm-*indices are required in every configuration.Type Privilege Purpose Index
create_doconapm-*indicesWrite events into Elasticsearch
Index
create_indexonapm-*indicesCreate daily indices when connecting to clusters that do not support ILM. Not needed when using ILM.
- Assign the writer role to users who will index events into Elasticsearch.
Grant privileges and roles needed to read APM Server dataedit
Kibana users typically need to view dashboards and visualizations that contain APM Server data. These users might also need to create and edit dashboards and visualizations.
To grant users the required privileges:
-
Assign the following built-in roles to users who need to read APM Server data:
Role Purpose kibana_userandapm_userUse the APM UI
adminRead and update APM Agent configuration via Kibana
Learn more about users and rolesedit
Want to learn more about creating users and roles? See Securing the Elastic Stack. Also see:
- Security privileges for a description of available privileges
- Built-in roles for a description of roles that you can assign to users