Grant users access to secured resourcesedit

You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.

Typically you need the create the following separate roles:

  • setup role for setting up index templates and other dependencies
  • monitoring role for sending monitoring information
  • writer role for publishing events collected by Packetbeat
  • reader role for Kibana users who need to view and create visualizations that access Packetbeat data

X-Pack security provides built-in roles that grant a subset of the privileges needed by Packetbeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.

Grant privileges and roles needed for setupedit

Important

Setting up Packetbeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a less restrictive role for event publishing.

Administrators who set up Packetbeat typically need to load mappings, dashboards, and other objects used to index data into Elasticsearch and visualize it in Kibana.

To grant users the required privileges:

  1. Create a setup role, called something like packetbeat_setup, that has the following privileges:

    PrivilegesWhy needed?

    monitor

    Send monitoring data to the cluster

    manage_ilm

    Set up and manage index lifecycle management (ILM) policy

    manage_ml

    Set up machine learning job configurations

    manage on packetbeat-* indices

    Set up aliases used by ILM

    read on packetbeat-* indices

    Read Packetbeat indices in order to set up machine learning jobs

    Omit any privileges that aren’t relevant in your environment.

    Note

    These instructions assume that you are using the default name for Packetbeat indices. If you are using a custom name, modify the privileges to match your index naming pattern.

  2. Assign the setup role, along with the following built-in roles, to users who need to set up Packetbeat:

    RolesWhy needed?

    kibana_user

    Load dependencies, such as example dashboards, if available, into Kibana

    ingest_admin

    Set up index templates and, if available, ingest pipelines

    Omit any roles that aren’t relevant in your environment.

Grant privileges and roles needed for monitoringedit

X-Pack security provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.

Internal collectionedit

For internal collection, X-Pack security provides the packetbeat_system built-in user and packetbeat_system built-in role for sending monitoring information. You can use the built-in user, or create a user who has the privileges needed to send monitoring information.

If you use the packetbeat_system user, make sure you set the password.

If you don’t use the packetbeat_system user:

  1. Create a monitoring role, called something like packetbeat_monitoring, that has the following privileges:

    PrivilegesWhy needed?

    monitor

    Send monitoring info

    kibana_user

    Use Kibana

  2. Assign the monitoring role, along with the following built-in role, to users who need to monitor Packetbeat:

    RoleWhy needed?

    monitoring_user

    Use Stack Monitoring in Kibana to monitor Packetbeat

Metricbeat collectionedit

For Metricbeat collection, X-Pack security provides the remote_monitoring_user built-in user, and the remote_monitoring_collector and remote_monitoring_agent built-in roles for collecting and sending monitoring information. You can use the built-in user, or create a user who has the privileges needed to collect and send monitoring information.

If you use the remote_monitoring_user user, make sure you set the password.

If you don’t use the remote_monitoring_user user:

  1. Create a user on the production cluster who will collect and send monitoring information.
  2. Assign the following roles to the user:

    RoleWhy needed?

    remote_monitoring_collector

    Collect monitoring metrics from Packetbeat

    remote_monitoring_agent

    Send monitoring data to the monitoring cluster

  3. Assign the following role to users who will view the monitoring data in Kibana:
RoleWhy needed?

monitoring_user

Use Stack Monitoring in Kibana to monitor Packetbeat

Grant privileges and roles needed for publishingedit

Users who publish events to Elasticsearch need to create and read from Packetbeat indices. To minimize the privileges required by the writer role, you can use the setup role to pre-load dependencies. Then turn off setup options in the Packetbeat config file before running Packetbeat to publish events. For example:

setup.template.enabled: false
setup.ilm.check_exists: false
setup.ilm.overwrite: false 

Omit ilm.check_exists and ilm.overwrite if ILM is disabled.

To grant the required privileges:

  1. Create a writer role, called something like packetbeat_writer, that has the following privileges (this list assumes the setup options shown earlier are set to false):

    PrivilegesWhy needed?

    monitor

    Send monitoring info

    read_ilm

    Read the ILM policy when connecting to clusters that support ILM

    view_index_metadata on packetbeat-* indices

    Check for alias when connecting to clusters that support ILM

    index on packetbeat-* indices

    Index events into Elasticsearch

    create_index on packetbeat-* indices

    Create daily indices when connecting to clusters that do not support ILM

    Omit any privileges that aren’t relevant in your environment.

  2. Assign the writer role to users who will index events into Elasticsearch.

Grant privileges and roles needed to read Packetbeat dataedit

Kibana users typically need to view dashboards and visualizations that contain Packetbeat data. These users might also need to create and edit dashboards and visualizations.

To grant users the required privileges:

  1. Create a reader role, called something like packetbeat_reader, that has the following privilege:

    PrivilegeWhy needed?

    read on packetbeat-* indices

    Read data indexed by Packetbeat

  2. Assign the reader role, along with the following built-in roles, to users who need to read Packetbeat data:

    RolesWhy needed?

    kibana_user or kibana_dashboard_only_user

    Use Kibana. kibana_dashboard_only_user grants read-only access to dashboards.

    Omit any roles that aren’t relevant in your environment.

Learn more about users and rolesedit

Want to learn more about creating users and roles? See Securing the Elastic Stack. Also see: