diff --git a/libbeat/docs/security/basic-auth.asciidoc b/libbeat/docs/security/basic-auth.asciidoc index eaf3b21801e..e12455ae4da 100644 --- a/libbeat/docs/security/basic-auth.asciidoc +++ b/libbeat/docs/security/basic-auth.asciidoc @@ -40,6 +40,7 @@ POST _xpack/security/role/{beat_default_index_prefix}_writer ] } --------------------------------------------------------------- +// CONSOLE <1> If you use a custom {beatname_uc} index pattern, specify that pattern instead of the default ++{beat_default_index_prefix}-*++ pattern. endif::[] @@ -65,6 +66,34 @@ instead of the default ++{beat_default_index_prefix}-*++ pattern. endif::[] -- +ifndef::no_ilm[] +. If you plan to use {ref}/getting-started-index-lifecycle-management.html[index +lifecycle management], create a role that has the following privileges. These +privileges are required to load index lifecycle policies and create and manage +rollover indices: ++ +* *Cluster:* `manage_ilm` +* *Index:* `write`, `create_index`, `manage`, and `manage_ilm` on the +{beatname_uc} indices ++ +-- +["source","sh",subs="attributes"] +--------------------------------------------------------------- +POST _xpack/security/role/{beatname_lc}_ilm +{ + "cluster": ["manage_ilm"], + "indices": [ + { + "names": [ "{beatname_lc}-*","shrink-{beatname_lc}-*"], + "privileges": ["write","create_index","manage","manage_ilm"] + } + ] +} +--------------------------------------------------------------- +// CONSOLE +-- +endif::no_ilm[] + . Assign the writer role to the user that {beatname_uc} will use to connect to {es}. Make sure you also assign any roles that are required for specific features. For the list of features and required roles, see <>. diff --git a/libbeat/docs/security/securing-beats.asciidoc b/libbeat/docs/security/securing-beats.asciidoc index 48dd7a87f41..c5c90717918 100644 --- a/libbeat/docs/security/securing-beats.asciidoc +++ b/libbeat/docs/security/securing-beats.asciidoc @@ -44,40 +44,44 @@ password, set it up now. For more information about {security}, see {xpack-ref}/elasticsearch-security.html[Securing the {stack}]. -[float] [[feature-roles]] === {beatname_uc} features that require authorization After securing {beatname_uc}, make sure your users have the roles (or associated -privileges) required to use these {beatname_uc} features. You must create the -++{beat_default_index_prefix}_writer++ and -++{beat_default_index_prefix}_reader++ roles (see <> and -<>). The other roles are -{xpack-ref}/built-in-roles.html[built-in]. +privileges) required to use these {beatname_uc} features. Note that some of the +roles shown here are {xpack-ref}/built-in-roles.html[built-in], and some +are user-defined. [options="header"] |======= |Feature | Role -|Send data to a secured cluster | ++{beat_default_index_prefix}_writer++ +|Send data to a secured cluster | ++{beat_default_index_prefix}_writer++ footnoteref:[noteA,These roles are user-defined.] ifeval::["{beatname_lc}"=="filebeat"] -|Run Filebeat modules | ++{beat_default_index_prefix}_writer++ +|Run Filebeat modules | ++{beat_default_index_prefix}_writer++ footnoteref:[noteA] endif::[] -|Load index templates | ++{beat_default_index_prefix}_writer++ and `kibana_user` +|Load index templates | ++{beat_default_index_prefix}_writer++ footnoteref:[noteA] and `kibana_user` ifndef::no_dashboards[] -|Load {beatname_uc} dashboards into {kib} | ++{beat_default_index_prefix}_writer++ and `kibana_user` +|Load {beatname_uc} dashboards into {kib} | ++{beat_default_index_prefix}_writer++ footnoteref:[noteA] and `kibana_user` endif::[] ifdef::has_ml_jobs[] |Load machine learning jobs | `machine_learning_admin` endif::[] -|Read indices created by {beatname_uc} | ++{beat_default_index_prefix}_reader++ +|Read indices created by {beatname_uc} | ++{beat_default_index_prefix}_reader++ footnoteref:[noteA] ifndef::no_dashboards[] |View {beatname_uc} dashboards in {kib} | `kibana_user` endif::[] ifdef::has_central_config[] |Store and manage configurations in a central location in {kib} | `beats_admin` endif::[] +ifndef::no_ilm[] +|Load index lifecycle policies and use index lifecycle management | +{beatname_lc}_ilm+ footnoteref:[noteA] +endif::[] |======= +To create the user-defined roles shown here, see <> and +<>. You may want to define additional roles to provide more +restrictive access. + include::basic-auth.asciidoc[] include::user-access.asciidoc[]