This document describes the minimum and recommended Elasticsearch privileges for the Apinizer integration, for users and systems that do not want to connect Apinizer to Elasticsearch with a superuser account. The Elasticsearch names in the tables below are privileges, which are granted inside a role: index privileges apply only to the index patterns named in the role, while cluster privileges apply cluster-wide.

To create role-based users in Elasticsearch, security (authentication) must first be enabled and configured in Elasticsearch. Click here for detailed information.

Basic Operations Performed in Apinizer

Function | Elasticsearch privilege (index level) | Description
Document indexing (writing API proxy logs) | write | Writing API log documents to Elasticsearch
Document indexing (writing audit logs) | write | Writing audit logs to the index
Document indexing (writing token logs) | write | Writing token logs to the index
Document indexing (writing application logs) | write | Writing application logs to the index
Search operations | read | Querying and searching log data
Get document operations | read | Reading specific documents by ID
Bulk operations | write | Batch document writes (the write privilege also covers index, create, update and delete)

Management Operations That Can Be Performed in Apinizer

Function | Elasticsearch privilege | Description
Creating/managing an Index Lifecycle Policy (ILM) | manage_ilm (cluster level) | Creating and managing ILM policies
Deleting an Index Lifecycle Policy | manage_ilm (cluster level) | Deleting ILM policies
Creating/managing index templates | manage_index_templates (cluster level) | Creating and managing index templates
Creating a new index (with ILM/rollover) | create_index, or the broader manage (index level) | Automatic or manual creation of new indexes

Monitoring Operations That Can Be Performed in Apinizer

Function | Elasticsearch privilege | Description
Cluster health check | monitor (cluster level) | Monitoring the health status of the cluster
Obtaining cluster statistics | monitor (cluster level) | Reading cluster statistics
Retrieving node statistics | monitor (cluster level) | Reading node statistics
Retrieving thread pool statistics | monitor (cluster level) | Reading thread pool statistics
Obtaining index statistics | monitor (index level on Apinizer's own indexes) | Reading index statistics
CPU and disk usage rates | monitor (cluster level) | Monitoring system resource usage through node statistics

Recommended Role Combinations

Minimum Requirements (Log writing/reading only)

  • write (to their own indexes)
  • read (to their own indexes)

Recommended Minimum Requirements for Stable Use of Apinizer Screens (API Proxy, ILM, Index Template, Monitoring, etc.)

  • write (on Apinizer's own indexes; this already covers index, create and delete)
  • read (on Apinizer's own indexes)
  • create (on Apinizer's own indexes)
  • index (on Apinizer's own indexes)
  • delete (on Apinizer's own indexes)
  • monitor (on Apinizer's own indexes)
  • manage (on Apinizer's own indexes; required for rollover and index creation)
  • monitor (at the cluster level)
  • manage_ilm (at the cluster level)
  • manage_index_templates (at the cluster level)

Example Role Configurations

Minimum Privilege Role (Writing/Reading Logs to Own Index, etc.)

Things to Consider in Apinizer Elasticsearch Integration

The Apinizer-Elasticsearch integration cannot be completed from the Apinizer interface with the minimum role below: the role has neither the manage_ilm nor the manage_index_templates cluster privilege, so the index templates and ILM policies must be created beforehand by an authorized Elasticsearch user. Click here for detailed information.

In addition, some operations that are normally performed from the interface (index rollover, etc.) are not possible with the minimum role, because rollover requires the manage privilege on the index.

Before creating the role, confirm that the names pattern covers every index Apinizer writes to in your installation (API proxy, audit, token and application logs, as listed above); a write to an index outside the pattern is rejected by Elasticsearch with a security_exception.


curl --request PUT \
  --url '<ELASTICSEARCH_ACCESS_URL>/_security/role/apinizer_basic?pretty' \
  --header 'Authorization: Basic <BASE64_ENCODED_AUTH>' \
  --header 'Content-Type: application/json' \
  --data '{
  "cluster": [
    "monitor"
  ],
  "indices": [
    {
      "names": ["apinizer-log-apiproxy-<INDEX_KEY>*"],
      "privileges": ["read", "write", "create", "index", "delete", "monitor"]
    }
  ]
}'
BASH

Recommended Minimum Role Requirements (with ILM, Rollover, Index Template Management)

curl --request PUT \
  --url '<ELASTICSEARCH_ACCESS_URL>/_security/role/apinizer_minimum_roles?pretty' \
  --header 'Authorization: Basic <BASE64_ENCODED_AUTH>' \
  --header 'Content-Type: application/json' \
  --data '{
  "cluster": [
    "monitor",
    "manage_ilm",
    "manage_index_templates"
  ],
  "indices": [
    {
      "names": ["apinizer-log-apiproxy-<INDEX_KEY>*"],
      "privileges": ["read", "write", "create", "index", "delete", "monitor", "manage"]
    },
    {
      "names": [".monitoring-*", ".kibana*"],
      "privileges": ["read"]
    }
  ]
}'
BASH

Full Feature Role (All Management Operations)

curl --request PUT \
  --url '<ELASTICSEARCH_ACCESS_URL>/_security/role/apinizer_all_needed_roles?pretty' \
  --header 'Authorization: Basic <BASE64_ENCODED_AUTH>' \
  --header 'Content-Type: application/json' \
  --data '{
  "cluster": [
    "monitor",
    "manage_ilm",
    "manage_index_templates",
    "create_snapshot",
    "monitor_snapshot"
  ],
  "indices": [
    {
      "names": ["apinizer-log-apiproxy-<INDEX_KEY>*"],
      "privileges": ["all"]
    },
    {
      "names": [".monitoring-*", ".kibana*"],
      "privileges": ["read"]
    }
  ]
}'
BASH

User Creation Example

The role and user creation calls themselves must be sent as an Elasticsearch user that holds the manage_security cluster privilege (for example the built-in elastic superuser); the Apinizer user created here never needs that privilege.

curl --request POST \
  --url '<ELASTICSEARCH_ACCESS_URL>/_security/user/apinizer_user' \
  --header 'Authorization: Basic <BASE64_ENCODED_AUTH>' \
  --header 'Content-Type: application/json' \
  --data '{
  "password": "<PASSWORD>",
  "roles": ["apinizer_minimum_roles"],
  "full_name": "Apinizer Recommended User",
  "email": "<MAIL>"
}'
BASH

The Effects of Role Deficiencies on Apinizer

When the user Apinizer uses to access Elasticsearch does not hold all of the privileges above, some screen features are restricted. For the cluster-level privileges an alternative exists; for the index-level write and read privileges there is none.

Cluster Privileges Missing

Missing privilege | Effect on Apinizer | Alternative solution
monitor (cluster) | Cluster health cannot be checked; CPU/disk usage cannot be viewed; Elasticsearch status is not shown on the dashboard. | Use external monitoring tools.
manage_ilm (cluster) | ILM policies cannot be created from the Apinizer interface; lifecycle management cannot be performed; rollover does not run automatically. | Create the ILM policies manually as an authorized Elasticsearch user. Click here for more information.
manage_index_templates (cluster) | Index templates cannot be created from Apinizer; new indexes may be created with incorrect mappings and settings. | Define the templates manually. Click here for detailed information.

Index Privileges Missing

Missing privilege | Effect on Apinizer | Alternative solution
write (index) | Log data cannot be written; API traffic is not recorded; audit logs cannot be created. | CRITICAL: basic functions do not work; there is no workaround.
read (index) | Log queries cannot be performed; analytics screens remain blank; reporting does not work. | CRITICAL: data analysis cannot be performed; there is no workaround.
create_index, or the broader manage (index) | New indexes cannot be created; initial setup cannot be completed when ILM/rollover is used. | Create the indexes manually as an authorized Elasticsearch user.
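The following script is an added example for this page, not Apinizer's own code, and it serves both the Example Role Configurations section and the deficiency tables above. It transcribes the privilege tables into a requirement map, checks a role document (the JSON body of a PUT _security/role request) offline for the Apinizer features it would block, and builds the body for the Elasticsearch _has_privileges API so the same check can be run live, authenticated as the Apinizer user. The IMPLIES map is an assumption taken from the Elasticsearch privilege documentation (write covers index/create/delete, index-level manage covers monitor and create_index, all covers everything) and is deliberately partial; the role documents, the index name apinizer-log-apiproxy-prod-000001 and the response sample are constructed.

```python
"""Role-gap check for the Apinizer Elasticsearch user (added example, not Apinizer code)."""
import base64
import json
import urllib.request
from fnmatch import fnmatchcase

# Apinizer feature -> (scope, Elasticsearch privilege), transcribed from this page's tables.
REQUIREMENTS = {
    "write API/audit/token/application logs": ("index", "write"),
    "search and read log documents": ("index", "read"),
    "create new indexes (ILM/rollover)": ("index", "create_index"),
    "cluster health, node and index statistics": ("cluster", "monitor"),
    "create/manage ILM policies": ("cluster", "manage_ilm"),
    "create/manage index templates": ("cluster", "manage_index_templates"),
}

# Built-in privileges that include the ones Apinizer needs (assumption; partial list).
IMPLIES = {
    "index": {
        "all": {"read", "write", "index", "create", "delete", "monitor", "manage", "create_index"},
        "write": {"index", "create", "delete"},
        "manage": {"monitor", "create_index"},
    },
    "cluster": {
        "all": {"monitor", "manage_ilm", "manage_index_templates"},
    },
}


def effective(privileges, scope):
    """Expand a privilege list with everything the listed privileges imply."""
    out = set(privileges)
    for p in privileges:
        out |= IMPLIES[scope].get(p, set())
    return out


def blocked_features(role, index_name):
    """Apinizer features that `role` cannot perform on the concrete index `index_name`.

    Index patterns in the role are matched as shell globs, as Elasticsearch does.
    """
    cluster = effective(role.get("cluster", []), "cluster")
    index = set()
    for entry in role.get("indices", []):
        if any(fnmatchcase(index_name, pat) for pat in entry["names"]):
            index |= effective(entry["privileges"], "index")
    granted = {"cluster": cluster, "index": index}
    return [f for f, (scope, priv) in REQUIREMENTS.items() if priv not in granted[scope]]


def has_privileges_body(index_name):
    """Request body for POST _security/user/_has_privileges, sent as the Apinizer user."""
    cluster = sorted({p for s, p in REQUIREMENTS.values() if s == "cluster"})
    index = sorted({p for s, p in REQUIREMENTS.values() if s == "index"})
    return {"cluster": cluster, "index": [{"names": [index_name], "privileges": index}]}


def blocked_from_response(resp, index_name):
    """Map a _has_privileges response back onto the Apinizer features it blocks."""
    granted = {
        "cluster": {p for p, ok in resp.get("cluster", {}).items() if ok},
        "index": {p for p, ok in resp.get("index", {}).get(index_name, {}).items() if ok},
    }
    return [f for f, (scope, priv) in REQUIREMENTS.items() if priv not in granted[scope]]


def check_live(es_url, username, password, index_name):
    """Ask Elasticsearch itself, authenticated as the Apinizer user (needs network access)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{es_url}/_security/user/_has_privileges",
        data=json.dumps(has_privileges_body(index_name)).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as r:
        return blocked_from_response(json.load(r), index_name)


# Constructed sample roles: the curl bodies on this page with INDEX_KEY set to "prod".
APINIZER_BASIC = {
    "cluster": ["monitor"],
    "indices": [{"names": ["apinizer-log-apiproxy-prod*"],
                 "privileges": ["read", "write", "create", "index", "delete", "monitor"]}],
}
APINIZER_MINIMUM = {
    "cluster": ["monitor", "manage_ilm", "manage_index_templates"],
    "indices": [{"names": ["apinizer-log-apiproxy-prod*"],
                 "privileges": ["read", "write", "create", "index", "delete", "monitor", "manage"]}],
}

if __name__ == "__main__":
    idx = "apinizer-log-apiproxy-prod-000001"  # constructed rollover-style index name
    print("apinizer_basic blocks:", blocked_features(APINIZER_BASIC, idx))
    print("apinizer_minimum_roles blocks:", blocked_features(APINIZER_MINIMUM, idx))
    print("body for live verification:", json.dumps(has_privileges_body(idx)))
```

Running the static check against apinizer_basic reports the three gaps the tables above describe (index creation, ILM, templates), and a role that matches apinizer_minimum_roles reports none. The live check is the step to run after user creation: if has_all_requested in the response is false, the per-privilege booleans show exactly which row of the deficiency tables applies.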

Recommendation: Step-by-step Authorization

  1. Getting started: integrate with the minimum role (apinizer_basic) first.
  2. When needed: add the missing privileges to the role one at a time, cluster or index level as the tables above indicate.
  3. Test: after each privilege is added, exercise the corresponding Apinizer feature and confirm that it works and that nothing beyond it was granted.