Constrained role for fluentbit

unoume · March 11, 2025, 12:11pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch and Dashboards - 2.11.0

Describe the issue:
It would be nice to have some kind of universal predefined role for log processors such as fluentbit. Especially if you want to make your installation safe and secured. For most deployments default “all_access” role is enough. But in case of possible security audit procedure permissions for every subsystem should be defined explicitly.

Configuration:
I suppose this set of action groups may be fine but grants redundant privileges:

index
create_index
cluster_composite_ops

Also I’ve tried to google relevant information in context of fluentbit, opensearch and even elasticsearch. But there is nothing helpful.

Any suggestions are welcome!

Eugene7 · March 12, 2025, 4:22pm

Hi @unoume,

There is a predefined logstash role that can be used as a starting point to create a role for Fluentbeat. This role will be different in every situation because the index name is not always the same.

To create a role, you need to:

Log in to OpenSearch Dashboards.
Go to Security > Roles.
Search for the logstash role, select it, click the Actions button, and click Duplicate.

Topic		Replies	Views
Unable to find the predefined role Security	1	378	February 7, 2023
Read Only Accounts Security configure	5	374	February 14, 2024
Roles and users Security configure	2	477	April 27, 2022
Roles Troubleshooting - OpenSearch Dashboard "Security" unavailable OpenSearch troubleshoot	7	47	December 5, 2024
Permissions for fluent-bit writes Security	5	3362	January 2, 2022

Constrained role for fluentbit

Related topics