Constrained role for fluentbit

Security
,
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch and Dashboards - 2.11.0

Describe the issue:
It would be nice to have some kind of universal predefined role for log processors such as fluentbit. Especially if you want to make your installation safe and secured. For most deployments default “all_access” role is enough. But in case of possible security audit procedure permissions for every subsystem should be defined explicitly.

Configuration:
I suppose this set of action groups may be fine but grants redundant privileges:

  • index
  • create_index
  • cluster_composite_ops

Also I’ve tried to google relevant information in context of fluentbit, opensearch and even elasticsearch. But there is nothing helpful.

Any suggestions are welcome!

2

Hi @unoume,

There is a predefined logstash role that can be used as a starting point to create a role for Fluentbeat. This role will be different in every situation because the index name is not always the same.

To create a role, you need to:

  1. Log in to OpenSearch Dashboards.
  2. Go to Security > Roles.
  3. Search for the logstash role, select it, click the Actions button, and click Duplicate.
3

I found out by trial and error that such role would be enough:

{
  "description": "Fluentbit constrained role",
  "cluster_permissions": [],
  "index_permissions": [
    {
      "index_patterns": ["*"],
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "index",
        "create_index"
      ]
    }
  ],
  "tenant_permissions": []
}

At the same time logstash role has much more permissions than it’s needed.