Grant users access to secured resources
You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.
Typically you need to create the following separate roles:
- setup role for setting up index templates and other dependencies
- monitoring role for sending monitoring information
- writer role for publishing events collected by Filebeat
- reader role for Kibana users who need to view and create visualizations that access Filebeat data
X-Pack security provides built-in roles that grant a subset of the privileges needed by Filebeat users. When possible, use the built-in roles to minimize the effect of future changes on your security strategy.
Grant privileges and roles needed for setup
Setting up Filebeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a less restrictive role for event publishing.
Administrators who set up Filebeat typically need to load mappings, dashboards, and other objects used to index data into Elasticsearch and visualize it in Kibana.
To grant users the required privileges:
- Create a setup role, called something like filebeat_setup, that has the following privileges:

  Privileges | Why needed?
  ---|---
  monitor | Send monitoring data to the cluster
  manage_ilm | Set up and manage index lifecycle management (ILM) policy
  manage_ml | Set up machine learning job configurations
  manage on filebeat-* indices | Set up aliases used by ILM
  read on filebeat-* indices | Read Filebeat indices in order to set up machine learning jobs

Omit any privileges that aren’t relevant in your environment.
These instructions assume that you are using the default name for Filebeat indices. If you are using a custom name, modify the privileges to match your index naming pattern.
- Assign the setup role, along with the following built-in roles, to users who need to set up Filebeat:

  Roles | Why needed?
  ---|---
  kibana_user | Load dependencies, such as example dashboards, if available, into Kibana
  ingest_admin | Set up index templates and, if available, ingest pipelines
  beats_admin | Enroll and manage configurations in Beats central management

Omit any roles that aren’t relevant in your environment.
Grant privileges and roles needed for monitoring
X-Pack security provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.
Internal collection
For internal collection, X-Pack security provides the filebeat_system built-in user and the filebeat_system built-in role for sending monitoring information. You can use the built-in user, or create a user who has the privileges needed to send monitoring information.
If you use the filebeat_system user, make sure you set the password.
If you don’t use the filebeat_system user:
- Create a monitoring role, called something like filebeat_monitoring, that has the following privileges:

  Privileges | Why needed?
  ---|---
  monitor | Send monitoring info
  kibana_user | Use Kibana

- Assign the monitoring role, along with the following built-in role, to users who need to monitor Filebeat:

  Role | Why needed?
  ---|---
  monitoring_user | Use Stack Monitoring in Kibana to monitor Filebeat

Metricbeat collection
For Metricbeat collection, X-Pack security provides the remote_monitoring_user built-in user, and the remote_monitoring_collector and remote_monitoring_agent built-in roles for collecting and sending monitoring information. You can use the built-in user, or create a user who has the privileges needed to collect and send monitoring information.
If you use the remote_monitoring_user user, make sure you set the password.
If you don’t use the remote_monitoring_user user:
- Create a user on the production cluster who will collect and send monitoring information.
- Assign the following roles to the user:

  Role | Why needed?
  ---|---
  remote_monitoring_collector | Collect monitoring metrics from Filebeat
  remote_monitoring_agent | Send monitoring data to the monitoring cluster

- Assign the following role to users who will view the monitoring data in Kibana:

  Role | Why needed?
  ---|---
  monitoring_user | Use Stack Monitoring in Kibana to monitor Filebeat

Grant privileges and roles needed for publishing
Users who publish events to Elasticsearch need to create and read from Filebeat indices. To minimize the privileges required by the writer role, you can use the setup role to pre-load dependencies. Then turn off setup options in the Filebeat config file before running Filebeat to publish events. For example:
To grant the required privileges:
- Create a writer role, called something like filebeat_writer, that has the following privileges (this list assumes the setup options shown earlier are set to false):

  Privileges | Why needed?
  ---|---
  monitor | Send monitoring info
  read_ilm | Read the ILM policy when connecting to clusters that support ILM
  manage_pipeline | Load ingest pipelines used by modules
  view_index_metadata on filebeat-* indices | Check for alias when connecting to clusters that support ILM
  index on filebeat-* indices | Index events into Elasticsearch
  create_index on filebeat-* indices | Create daily indices when connecting to clusters that do not support ILM

  Omit any privileges that aren’t relevant in your environment.
- Assign the writer role to users who will index events into Elasticsearch.
Grant privileges and roles needed to read Filebeat data
Kibana users typically need to view dashboards and visualizations that contain Filebeat data. These users might also need to create and edit dashboards and visualizations. If you’re using Beats central management, some of these users might need to create and manage configurations.
To grant users the required privileges:
- Create a reader role, called something like filebeat_reader, that has the following privilege:

  Privilege | Why needed?
  ---|---
  read on filebeat-* indices | Read data indexed by Filebeat

- Assign the reader role, along with the following built-in roles, to users who need to read Filebeat data:

  Roles | Why needed?
  ---|---
  kibana_user or kibana_dashboard_only_user | Use Kibana. kibana_dashboard_only_user grants read-only access to dashboards.
  beats_admin | Create and manage configurations in Beats central management. Only assign this role to users who need to use Beats central management.

Omit any roles that aren’t relevant in your environment.
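The setup, writer and reader roles from the sections above, expressed as Elasticsearch role documents for the security API and checked for privilege drift against what this page calls for; this is an added example, not Elastic's code, and the cluster URL, user and password passed to put_role are placeholders.

```python
"""Build and audit the Filebeat roles this page describes. Added example, not
Elastic's code: role names and privileges come from the page, INDEX_PATTERN is
the default index name the page assumes, es_url/user/password are placeholders."""
import json
import urllib.request
from base64 import b64encode

INDEX_PATTERN = "filebeat-*"


def role_body(cluster, index_privs, pattern=INDEX_PATTERN):
    """Return a role document in the shape PUT _security/role/<name> expects."""
    return {"cluster": sorted(cluster),
            "indices": [{"names": [pattern], "privileges": sorted(index_privs)}]}


# The setup, writer and reader roles from this page (setup options assumed false).
ROLES = {
    "filebeat_setup": role_body(["monitor", "manage_ilm", "manage_ml"], ["manage", "read"]),
    "filebeat_writer": role_body(["monitor", "read_ilm", "manage_pipeline"],
                                 ["view_index_metadata", "index", "create_index"]),
    "filebeat_reader": role_body([], ["read"]),
}


def excess_privileges(actual, expected):
    """Compare the role object from GET _security/role/<name> with its expected
    definition; list every privilege or index pattern the page does not call for."""
    findings = []
    for p in sorted(set(actual.get("cluster", [])) - set(expected["cluster"])):
        findings.append(f"cluster privilege {p!r} not required")
    want = {tuple(e["names"]): set(e["privileges"]) for e in expected["indices"]}
    for entry in actual.get("indices", []):
        names = tuple(entry["names"])
        if names not in want:  # e.g. a role widened from filebeat-* to "*"
            findings.append(f"unexpected index pattern {list(names)}")
            continue
        for p in sorted(set(entry["privileges"]) - want[names]):
            findings.append(f"index privilege {p!r} on {list(names)} not required")
    return findings


def put_role(es_url, name, body, user, password):
    """Create or update the role via the security API with basic auth (placeholders)."""
    req = urllib.request.Request(f"{es_url}/_security/role/{name}",
                                 data=json.dumps(body).encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Basic " + b64encode(f"{user}:{password}".encode()).decode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run excess_privileges against the role object an administrator fetches from the cluster to confirm the writer role has not drifted beyond the table above, for example to all on filebeat-* or to a wildcard index pattern.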
Learn more about users and roles
Want to learn more about creating users and roles? See Securing the Elastic Stack. Also see:
- Security privileges for a description of available privileges
- Built-in roles for a description of roles that you can assign to users