elasticsearch Logstash无法索引到ES:'操作[indexes:admin/auto_create]未授权给用户'

8yparm6h  于 2022-11-22  发布在  ElasticSearch
关注(0)|答案(1)|浏览(531)

我创建了一个具有以下角色的用户demoTester

/usr/share/elasticsearch/bin/elasticsearch-users useradd demoTester -p demoTester -r kibana_admin,logstash_admin,beats_admin,logstash_system,monitoring_user,watcher_admin,editor,machine_learning_admin

当我运行我的部署脚本时,我可以看到Logstash正在监听端口5044,并且正在发送日志,但是用户demoTester无法索引到ES中。我已经阅读了有关如何创建权限的文档,但是示例对我来说并不清楚。我不是通过Kibana UI创建的,我是通过脚本自动执行所有操作的。

error=>{"type"=>"security_exception", "reason"=>"action [indices:admin/auto_create] is unauthorized for user [demotester] with roles [watcher_admin,editor,monitoring_user,logstash_system,beats_admin,machine_learning_admin,kibana_admin,logstash_admin] on indices [demo-2022.10.27], this action is granted by the index privileges [auto_configure,create_index,manage,all]"}}

下面是我的logstash conf文件:

input {
  beats {
    port => 5044
  }
}
output {
    elasticsearch {
      ssl => true
      ssl_certificate_verification => true
      cacert => '/etc/logstash/certs/http_ca.crt'
      user => demoTester
      password => demoTester
      hosts => ["https://10.0.8.19:9200"]
      index =>"demo-%{+YYYY.MM.dd}"
    }
}
bf1o4zei

bf1o4zei1#

demoTester用户没有demo-2022.10.27索引的create_index权限。
最简单的方法是将超级用户角色添加到demoTester用户中,但该角色仅用于演示目的。
安全的方法是为demo* 索引创建一个具有create_index权限的角色,并将该角色分配给demoTester用户。
要创建角色,可以使用re调用_security/role api(https://www.elastic.co/guide/en/elasticsearch/reference/8.4/security-api-put-role.html

POST /_security/role/my_admin_role
{
    "indices" : [
      {
        "names" : [
          "demo*"
        ],
        "privileges" : [
          "create_index",
          "write",
          "create"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
        "enabled" : true
    }
}

然后将角色分配给demoTester用户。

相关问题