Giving RBAC write permissions to tools

Estimated time to read: 5 minutes

EraSearch's role-based access control (RBAC) lets you manage users, roles, and permissions. This page outlines how to give write permissions to third-party tools. In this guide, you'll:

  • Create a write-only role in EraSearch.
  • Generate a key for the write-only role.
  • Add the key to a third-party tool.

While this guide uses Logstash as the third-party tool, the steps are similar for all EraSearch-compatible ingest tools.

Note

This document is for self-hosted EraSearch users only. If you're using EraSearch on EraCloud, visit RBAC in EraCloud to see what EraCloud offers now and how to use it.

Before you begin

The content below is intended for existing self-hosted EraSearch users. Reach out to us at Era Software if you're interested in getting started with self-hosted EraSearch.

This guide also assumes you've:

Permission needs

You need EraSearch's manage_security permission to complete the steps below.

Step 1: Create a write-only role and key in EraSearch

Create a role and key with write-only permissions on indexes starting with logstash-:

  1. In your terminal, export these environment variables, replacing:

    • YOUR_KEY with the key you generated in Setting up RBAC.
    • https://erasearch.example.com with the IP or hostname for the EraSearch API endpoint.
    $ export ERACTL_URL="https://erasearch.example.com"
    $ export ERACTL_API_KEY="YOUR_KEY"
    
  2. Create the role and key with this command:

    $ eractl rbac create-write -r logstash -i "logstash-*"
    

    eractl returns this output, including the key for the logstash role (era_YYYYYYYYYYYY) and the file storing the key (era-write-key.<timestamp>.json).

    2022-06-28T21:30:09.932468Z [info     ] Successfully connected to Era  commit=59e08803327d4a98fe72073507ec304e0e4b5ebe es_version=7.10.2 url=https://erasearch.example.com
    2022-06-28T21:30:10.194854Z [info     ] New role created: {"name": "logstash", "indexes": [{"names": ["logstash-*"], "permissions": ["write"]}]}
    2022-06-28T21:30:10.307800Z [info     ] Key backed up to local file: era-write-key.2022-06-28T21:30:09.932621+00:00.json
    2022-06-28T21:30:10.307995Z [info     ] API key created: era_YYYYYYYYYYYY
    2022-06-28T21:30:10.308048Z [info     ] **Be sure to put this in a safe place.**
    

Note

To create another key associated with the logstash role, rerun the command above. Because the logstash role already exists, eractl only creates a new API key.

$ eractl rbac create-write -r logstash -i "logstash-*"

2022-06-28T21:33:17.114437Z [info     ] Successfully connected to Era  commit=59e08803327d4a98fe72073507ec304e0e4b5ebe es_version=7.10.2 url=https://erasearch.example.com
2022-06-28T21:33:17.196844Z [warning  ] Skipping role creation: Existing role found with name: logstash
2022-06-28T21:33:17.340175Z [info     ] Key backed up to local file: era-write-key.2022-06-28T21:33:17.114728+00:00.json
2022-06-28T21:33:17.340589Z [info     ] API key created: era_ZZZZZZZZZZZ
2022-06-28T21:33:17.340677Z [info     ] **Be sure to put this in a safe place.**

To do the same with curl against the EraSearch API instead of eractl, create a role and key with write-only permissions on indexes starting with logstash-:

  1. In your terminal, export these environment variables, replacing YOUR_KEY with the key you generated in Setting up RBAC:
    $ export ADMIN_API_KEY="YOUR_KEY"
    $ export ERA_URL="localhost:9200"
    
  2. Define the EraSearch role by writing this content to logstash_writeonly_role.json:
    {
      "name": "write_logstash_logs",
      "database": [],
      "indexes": [
        {
          "names": [
            "logstash-*"
          ],
          "permissions": [
            "write"
          ]
        }
      ]
    }
    
  3. Create the role by entering the command below. EraSearch responds with details about the role, including its id, name, and permissions.

    $ curl -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${ADMIN_API_KEY}" \
    --data-binary @logstash_writeonly_role.json \
    ${ERA_URL}/v1/roles
    

  4. Define the key-role mapping by writing the following to logstash_writeonly_key.json:

    {
      "name": "key for host XYZ",
      "role": "write_logstash_logs"
    }
    

  5. Create the key with this command:
    $ curl -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${ADMIN_API_KEY}" \
      --data-binary @logstash_writeonly_key.json \
      ${ERA_URL}/v1/api_keys
    
    EraSearch responds with information about the key-role mapping. The api_key value is what writers need to add to requests to be authenticated.
    {
      "id": 2,
      "name": "key for host XYZ",
      "api_key": "era_2X058ORa3oQXvypPV6wVKQ7LtJvThysQBKvMGfb3ebjr0HqSSy",
      "role": "write_logstash_logs"
    }
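
A least-privilege check for the role definitions in Step 1, as an added example that is not part of the EraSearch documentation or tooling: it reads either the role JSON file or eractl's "New role created" log line and reports any grant beyond write on logstash- indexes. The sample inputs are constructed, `read` stands in for any non-write permission name, and treating a non-empty `database` list as a finding is an assumption.

```python
import json
import re

# Constructed samples in the two role shapes shown on this page.
ROLE_FILE = """{"name": "write_logstash_logs", "database": [],
  "indexes": [{"names": ["logstash-*"], "permissions": ["write"]}]}"""
ERACTL_LOG = ('2022-06-28T21:30:10.194854Z [info     ] New role created: '
              '{"name": "logstash", "indexes": '
              '[{"names": ["logstash-*"], "permissions": ["write"]}]}')
# Constructed over-broad role; "read" is a stand-in permission name.
TOO_BROAD = """{"name": "ingest", "indexes": [
  {"names": ["*"], "permissions": ["write"]},
  {"names": ["logstash-*"], "permissions": ["write", "read"]}]}"""


def role_from_text(text):
    """Parse a role JSON document or an eractl 'New role created:' log line."""
    match = re.search(r"New role created: (\{.*\})\s*$", text, flags=re.M)
    return json.loads(match.group(1) if match else text)


def audit_write_only(role, required_prefix="logstash-"):
    """Return findings; an empty list means write-only on required_prefix."""
    findings = []
    indexes = role.get("indexes", [])
    if not indexes:
        findings.append("role grants no index permissions")
    for entry in indexes:
        names = entry.get("names", [])
        extra = sorted(set(entry.get("permissions", [])) - {"write"})
        if extra:
            findings.append(f"non-write permissions {extra} on {names}")
        for pattern in names:
            if not pattern.startswith(required_prefix):
                findings.append(f"pattern {pattern!r} is outside {required_prefix}*")
    # Assumption: a non-empty "database" list widens the role and needs review.
    if role.get("database"):
        findings.append(f"non-empty database list: {role['database']}")
    return findings


if __name__ == "__main__":
    for label, text in [("file", ROLE_FILE), ("eractl", ERACTL_LOG), ("broad", TOO_BROAD)]:
        print(label, audit_write_only(role_from_text(text)) or "OK: write-only")
```

Run it against logstash_writeonly_role.json before posting the file to /v1/roles, or against saved eractl output after the role is created.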
    

Step 2: Add the key to Logstash

Update your Logstash configuration file as shown below, where:

  • ${ERA_URL} is the EraSearch URL.

    Example: localhost:9200.

  • ${ERA_INDEX} is the EraSearch index to write data to.

  • ${ERA_API_KEY} is the API key you generated above.
output {
  elasticsearch {
    hosts => ["${ERA_URL}"]
    index => "${ERA_INDEX}"
    custom_headers => {
        "Authorization" => "Bearer ${ERA_API_KEY}"
    }
  }
}

Step 3: Restart Logstash

Finally, restart Logstash to verify your setup. To view your Logstash logs in EraSearch, enter the command below in your terminal, where:

  • YOUR_ERASEARCH_URL is your full EraSearch URL.

    Example: http://localhost:9200.

  • ${ERA_INDEX} is the EraSearch index you specified above.

  • ${ADMIN_API_KEY} is your EraSearch RBAC admin API key.
$ curl "YOUR_ERASEARCH_URL/${ERA_INDEX}/_search?q=_lid:*" \
      -H "Authorization: Bearer ${ADMIN_API_KEY}"

Next steps

Visit User and role management and Using RBAC with Grafana and Azure AD for more about EraSearch RBAC and the permissions you can work with.


Last update: October 6, 2022