Elasticsearch Authorization Requirements
This document details the minimum and recommended Elasticsearch role requirements for the Apinizer integration, intended for users and systems that want to avoid using superuser privileges directly in Elasticsearch.
To create role-based users in Elasticsearch, authentication (Elasticsearch security) must first be configured. Click here for detailed information.
Basic Operations Performed in Apinizer
Function | Elasticsearch Role | Description |
---|---|---|
Document indexing (Writing API log) | write | Writing log data to Elasticsearch |
Document indexing (Writing audit logs) | write | Writing audit logs to the index |
Document indexing (Writing token logs) | write | Writing token logs to the index |
Document indexing (Writing application logs) | write | Writing application logs to the index |
Search operations | read | Querying and searching log data |
Get document operations | read | Reading specific documents |
Bulk operations | write | Batch data writing operations |
Management Operations That Can Be Performed in Apinizer
Function | Elasticsearch Role | Description |
---|---|---|
Creating/managing Index Lifecycle Policy (ILM) | manage_ilm | Creating and managing ILM policies |
Delete Index Lifecycle Policy | manage_ilm | Delete ILM policies |
Creating/Managing Index Templates | manage_index_templates | Creating and managing index templates |
Creating a new index (with ILM/Rollover) | create_index or its more comprehensive counterpart manage (index level) | Automatic or manual creation of new indexes |
Monitoring Operations That Can Be Performed in Apinizer
Function | Elasticsearch Role | Description |
---|---|---|
Cluster health check | monitor | Monitoring the health status of the cluster |
Obtaining cluster statistics | monitor | Reading cluster statistics |
Retrieving node statistics | monitor | Reading node statistics |
Retrieving thread pool statistics | monitor | Reading thread pool statistics |
Obtaining index statistics | monitor | Reading index statistics |
CPU and disk usage rates | monitor | Monitoring system resource usage |
Recommended Role Combinations
Minimum Requirements (Log writing/reading only)
- write (to their own indexes)
- read (to their own indexes)
Recommended Minimum Requirements for Stable Use of Apinizer Screens (To Use Features Such as API Proxy, ILM, Index Template, Monitoring, etc.)
- write (to their own indexes)
- read (to their own indexes)
- create (to their own indexes)
- index (to their own indexes)
- delete (to their own indexes)
- monitor (to their own indexes)
- manage (to their own indexes)
- monitor (at the cluster level)
- manage_ilm (at the cluster level)
Example Role Configurations
Minimum Privilege Role (Writing/Reading Logs to Own Index, etc.)
Things to Consider in Apinizer Elasticsearch Integration
The Apinizer-Elasticsearch integration cannot be completed from the Apinizer interface when the minimum role below is used. To complete the integration, the index templates and ILM policies must be created manually by an authorized Elasticsearch user. Click here for detailed information.
In addition, with the minimum role some configurations that are normally performed from the interface (index rollover, etc.) will not be possible because of the limited permissions.
```shell
curl --request PUT \
  --url '<ELASTICSEARCH_ACCESS_URL>/_security/role/apinizer_basic?pretty=' \
  --header 'Authorization: Basic <BASE64_ENCODED_AUTH>' \
  --header 'Content-Type: application/json' \
  --data '{
    "cluster": [
      "monitor"
    ],
    "indices": [
      {
        "names": ["apinizer-log-apiproxy-<INDEX_KEY>*"],
        "privileges": ["read", "write", "create", "index", "delete", "monitor"]
      }
    ]
  }'
```
Recommended Minimum Role Requirements (with ILM, Rollover, Index Template Management)
```shell
curl --request PUT \
  --url '<ELASTICSEARCH_ACCESS_URL>/_security/role/apinizer_minimum_roles?pretty=' \
  --header 'Authorization: Basic <BASE64_ENCODED_AUTH>' \
  --header 'Content-Type: application/json' \
  --data '{
    "cluster": [
      "monitor",
      "manage_ilm",
      "manage_index_templates"
    ],
    "indices": [
      {
        "names": ["apinizer-log-apiproxy-<INDEX_KEY>*"],
        "privileges": ["read", "write", "create", "index", "delete", "monitor", "manage"]
      },
      {
        "names": [".monitoring-*", ".kibana*"],
        "privileges": ["read"]
      }
    ]
  }'
```
Full Feature Role (All Management Operations)
```shell
curl --request PUT \
  --url '<ELASTICSEARCH_ACCESS_URL>/_security/role/apinizer_all_needed_roles?pretty=' \
  --header 'Authorization: Basic <BASE64_ENCODED_AUTH>' \
  --header 'Content-Type: application/json' \
  --data '{
    "cluster": [
      "monitor",
      "manage_ilm",
      "manage_index_templates",
      "create_snapshot",
      "monitor_snapshot"
    ],
    "indices": [
      {
        "names": ["apinizer-log-apiproxy-<INDEX_KEY>*"],
        "privileges": ["all"]
      },
      {
        "names": [".monitoring-*", ".kibana*"],
        "privileges": ["read"]
      }
    ]
  }'
```
User Creation Example
```shell
# The URL is quoted like the role examples above so that the placeholder's
# angle brackets are not interpreted by the shell.
curl --request POST \
  --url '<ELASTICSEARCH_ACCESS_URL>/_security/user/apinizer_user' \
  --header 'Authorization: Basic <BASE64_ENCODED_AUTH>' \
  --header 'Content-Type: application/json' \
  --data '{
    "password": "<PASSWORD>",
    "roles": ["apinizer_minimum_roles"],
    "full_name": "Apinizer Recommended User",
    "email": "<MAIL>"
  }'
```
The Effects of Role Deficiencies on Apinizer
When the user that Apinizer uses to access Elasticsearch is not granted full permissions, some screen features are restricted. The tables below list the effect of each missing privilege and the alternative available in that case.
Cluster Privileges Missing
Missing Role | The Effect on Apinizer | Alternative Solution |
---|---|---|
monitor | Cluster health cannot be checked; CPU/disk usage cannot be viewed; Elasticsearch status is not displayed on the dashboard. | Use manual monitoring tools. |
manage_ilm | ILM policies cannot be created from the Apinizer interface; Lifecycle management cannot be performed; Rollover operations do not run automatically. | Create ILM policies manually. Click here for more information. |
manage_index_templates | Index templates cannot be created from Apinizer; New indexes may be created with incorrect configuration. | Define templates manually. Click here for detailed information. |
Index Privileges Missing
Missing Role | The Effect on Apinizer | Alternative Solution |
---|---|---|
write | Log data cannot be written. API traffic is not recorded. Audit logs cannot be created. | CRITICAL - Basic functions do not work. |
read | Log queries cannot be performed. Analytics screens remain blank. Reporting does not work. | CRITICAL - Data analysis cannot be performed. |
create_index or the more comprehensive manage | New indexes cannot be created. Initial setup cannot be completed (in ILM/rollover situation). | Manual index creation is required. |
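The tables above describe what breaks when a privilege is missing; the following added example (not Apinizer's own code) checks the Apinizer user's effective privileges against the recommended minimum role from the "Example Role Configurations" section, using the Elasticsearch has-privileges API (`POST /_security/user/_has_privileges`), and maps every missing privilege to the effect listed on this page. The index pattern `apinizer-log-apiproxy-prod*` and the sample response are constructed for the example.

```python
import json
import urllib.request

# Privileges the page lists for the recommended minimum role (apinizer_minimum_roles).
REQUIRED_CLUSTER = ["monitor", "manage_ilm", "manage_index_templates"]
REQUIRED_INDEX = ["read", "write", "create", "index", "delete", "monitor", "manage"]

# Impact of each missing privilege, taken from the page's "Effects of Role Deficiencies" tables.
IMPACT = {
    "monitor": "cluster health and CPU/disk usage not shown on the Apinizer dashboard",
    "manage_ilm": "ILM policies must be created manually; rollover does not run automatically",
    "manage_index_templates": "index templates must be defined manually",
    "write": "CRITICAL: API, audit and token logs cannot be written",
    "read": "CRITICAL: log queries, analytics and reporting do not work",
    "create": "new indexes cannot be created; manual index creation required",
    "manage": "new indexes cannot be created; manual index creation required",
}

def build_has_privileges_body(index_pattern):
    # Request body for POST <ES>/_security/user/_has_privileges, sent as the Apinizer user.
    return {"cluster": REQUIRED_CLUSTER,
            "index": [{"names": [index_pattern], "privileges": REQUIRED_INDEX}]}

def missing_privileges(response, index_pattern):
    # Map every privilege the API reports as false to (scope, privilege, impact).
    missing = []
    for priv in REQUIRED_CLUSTER:
        if not response.get("cluster", {}).get(priv, False):
            missing.append(("cluster", priv, IMPACT[priv]))
    granted = response.get("index", {}).get(index_pattern, {})
    for priv in REQUIRED_INDEX:
        if not granted.get(priv, False):
            missing.append(("index", priv, IMPACT.get(priv, "feature restricted")))
    return missing

def check_user(es_url, auth_b64, index_pattern):
    # Live check against a cluster, authenticating with the Apinizer user's own credentials.
    req = urllib.request.Request(
        f"{es_url}/_security/user/_has_privileges", method="POST",
        data=json.dumps(build_has_privileges_body(index_pattern)).encode(),
        headers={"Authorization": f"Basic {auth_b64}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return missing_privileges(json.load(resp), index_pattern)

# Constructed sample response in the shape the API returns, for a user holding only the
# page's apinizer_basic role (cluster monitor; no ILM, template or index-manage rights).
SAMPLE_RESPONSE = {
    "username": "apinizer_user", "has_all_requested": False,
    "cluster": {"monitor": True, "manage_ilm": False, "manage_index_templates": False},
    "index": {"apinizer-log-apiproxy-prod*": {"read": True, "write": True, "create": True,
              "index": True, "delete": True, "monitor": True, "manage": False}}, "application": {}}
```

Running `missing_privileges(SAMPLE_RESPONSE, "apinizer-log-apiproxy-prod*")` reports `manage_ilm`, `manage_index_templates` and index-level `manage` as missing, which is exactly the gap between the `apinizer_basic` and `apinizer_minimum_roles` roles on this page.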
Recommendation: Step-by-step Authorization
- Getting started: Integrate with your designated roles.
- When needed: Add the required roles one by one.
- Test: Test the relevant Apinizer feature after each role has been added.