Why don't I find logstash in roles.yml?

Version: 2.10

Hello,

I have a user named logstash defined in internal_users.yml

logstash:
  hash: "$2y$12$MAP/qDbbbTmyCl9KaaaaaaaaaaaaaaaaaaaaaaadhaA6ONnl.wg.jK2"
  reserved: false
  backend_roles:
  - "logstash"
  description: "Demo logstash user, using external role mapping"

I find logstash in roles_mapping.yml

logstash:
  reserved: false
  backend_roles:
  - "logstash"

But I don’t find logstash in roles.yml. I don’t understand why, considering that roles.yml is the place where you are supposed to define cluster_permissions, index_permissions, index_patterns and allowed_actions.
Where are they stored then?

Also, what are the right permissions to give to the user logstash? I don’t want to give all permissions.

Thank you

Hey @Miky

By chance, did you save your old role.yml file?

If you already have the user called logstash, you can add the needed permission from the dashboard.

Hello,

Yes, I have the “old” roles.yml. I took it from the examples.
But in it there are no logstash permissions.

I wanted to set the logstash user properly in the configuration files because when you execute securityadmin.sh it overrides what is configured in the API.

Also I wanted to understand why I find the user logstash and the role_mapping logstash but there’s no link with the roles.yml permission file.

Thanks

@Miky This might be due to the fact that logstash is a built-in role, as are a few others.

It is not backed up by the securityadmin.sh script, that’s why you can’t see it in the roles.yml file.
However, you can find it in the roles of the running cluster.

curl --insecure -u admin:admin -XGET "https://localhost:9200/_plugins/_security/api/roles/logstash?pretty"
{
  "logstash" : {
    "reserved" : true,
    "hidden" : false,
    "description" : "Provide the minimum permissions for logstash and beats",
    "cluster_permissions" : [
      "cluster_monitor",
      "cluster_composite_ops",
      "indices:admin/template/get",
      "indices:admin/template/put",
      "cluster:admin/ingest/pipeline/put",
      "cluster:admin/ingest/pipeline/get"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "logstash-*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "crud",
          "create_index"
        ]
      },
      {
        "index_patterns" : [
          "*beat*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "crud",
          "create_index"
        ]
      }
    ],
    "tenant_permissions" : [ ],
    "static" : true
  }
}

If you’d like to use this role with a different user, you can either duplicate it through OpenSearch Dashboards or assign logstash as a backend_role to your custom user.

2 Likes
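
The chain discussed in this thread (internal user, backend role, role mapping, role), as an added example that is not part of the original posts or of the OpenSearch project's code: it resolves a user's effective roles, reports whether each role comes from roles.yml or from the cluster's static set, and derives a narrower custom-role body from the built-in one. The dicts are constructed stand-ins for the parsed files and the API response shown above; all function and variable names are hypothetical.

```python
import copy

# Constructed stand-ins for the parsed files; values modelled on the thread.
INTERNAL_USERS = {"logstash": {"backend_roles": ["logstash"]}}
ROLES_MAPPING = {"logstash": {"backend_roles": ["logstash"]}}
ROLES_YML = {}  # the example roles.yml has no "logstash" entry

# Trimmed copy of the built-in role as returned by the REST API in the thread.
BUILTIN_LOGSTASH = {
    "reserved": True, "static": True, "hidden": False,
    "cluster_permissions": ["cluster_monitor", "cluster_composite_ops",
                            "indices:admin/template/get", "indices:admin/template/put",
                            "cluster:admin/ingest/pipeline/put",
                            "cluster:admin/ingest/pipeline/get"],
    "index_permissions": [
        {"index_patterns": ["logstash-*"], "allowed_actions": ["crud", "create_index"]},
        {"index_patterns": ["*beat*"], "allowed_actions": ["crud", "create_index"]},
    ],
}
API_ROLES = {"logstash": BUILTIN_LOGSTASH}  # what the running cluster knows


def effective_roles(user):
    """Roles reached through backend_roles or a direct 'users' entry in the mapping."""
    backend = set(INTERNAL_USERS[user].get("backend_roles", []))
    return {role for role, m in ROLES_MAPPING.items()
            if backend & set(m.get("backend_roles", [])) or user in m.get("users", [])}


def role_source(role):
    """Where a role's permissions live: roles.yml, the cluster's static set, or nowhere."""
    if role in ROLES_YML:
        return "roles.yml"
    if API_ROLES.get(role, {}).get("static"):
        return "static built-in"
    return "undefined"  # a mapping that points at no role grants nothing


def narrowed_copy(role, keep_patterns):
    """Custom-role body for roles.yml that keeps only the listed index patterns."""
    src = API_ROLES[role]
    return {
        "reserved": False,
        "cluster_permissions": list(src["cluster_permissions"]),
        "index_permissions": [copy.deepcopy(p) for p in src["index_permissions"]
                              if set(p["index_patterns"]) <= set(keep_patterns)],
    }
```

The body returned by `narrowed_copy("logstash", ["logstash-*"])` is meant to be written to roles.yml under a new role name with its own roles_mapping.yml entry, so that securityadmin.sh carries it along with the rest of the configuration.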

Hello Pablo,
Thank you very much for your detailed answer.