Giving RBAC write permissions to tools
Acquisition notice
In October 2022, ServiceNow acquired Era Software. The documentation on this site is no longer maintained and is intended for existing Era Software users only.
To get the latest information about ServiceNow's observability solutions, visit their website and documentation.
EraSearch's role-based access control (RBAC) lets you manage users, roles, and permissions. This page outlines how to give write permissions to third-party tools. In this guide, you'll:
- Create a write-only role in EraSearch.
- Generate a key for the write-only role.
- Add the key to a third-party tool.
While this guide uses Logstash as the third-party tool, the steps are similar for all EraSearch-compatible ingest tools.
Note
This document is for self-hosted EraSearch users only. If you're using EraSearch on EraCloud, visit RBAC in EraCloud to see what EraCloud offers now and how to use it.
Before you begin
The content below is intended for existing self-hosted EraSearch users. Reach out to us at Era Software if you're interested in getting started with self-hosted EraSearch.
This guide also assumes you've:
- Completed steps 1-3 in Setting up RBAC.
- Installed Logstash and configured it to write data to EraSearch.
- [Optional] Installed the eractl CLI. EraSearch's experimental eractl CLI lets you manage RBAC with fewer commands. You don't need eractl to complete this guide. You can do everything using the existing EraSearch API.
Permission needs
You need EraSearch's manage_security permission to complete the steps below.
Step 1: Create a write-only role and key in EraSearch
Create a role and key with write-only permissions on indexes starting with logstash-. Using the eractl CLI:
- In your terminal, export these environment variables, replacing:
  - YOUR_KEY with the key you generated in Setting up RBAC.
  - https://erasearch.example.com with the IP or hostname for the EraSearch API endpoint.
- Create the role and key with this command:
  $ eractl rbac create-write -r logstash -i "logstash-*"
  eractl returns this output, including the key for the logstash role (era_YYYYYYYYYYYY) and the file storing the key (era-write-key.<timestamp>.json).
  2022-06-28T21:30:09.932468Z [info ] Successfully connected to Era commit=59e08803327d4a98fe72073507ec304e0e4b5ebe es_version=7.10.2 url=https://erasearch.example.com
  2022-06-28T21:30:10.194854Z [info ] New role created: {"name": "logstash", "indexes": [{"names": ["logstash-*"], "permissions": ["write"]}]}
  2022-06-28T21:30:10.307800Z [info ] Key backed up to local file: era-write-key.2022-06-28T21:30:09.932621+00:00.json
  2022-06-28T21:30:10.307995Z [info ] API key created: era_YYYYYYYYYYYY
  2022-06-28T21:30:10.308048Z [info ] **Be sure to put this in a safe place.**
Note
To create another key associated with the logstash role, rerun the command above. Because the logstash role already exists, eractl only creates a new API key.
$ eractl rbac create-write -r logstash -i "logstash-*"
2022-06-28T21:33:17.114437Z [info ] Successfully connected to Era commit=59e08803327d4a98fe72073507ec304e0e4b5ebe es_version=7.10.2 url=https://erasearch.example.com
2022-06-28T21:33:17.196844Z [warning ] Skipping role creation: Existing role found with name: logstash
2022-06-28T21:33:17.340175Z [info ] Key backed up to local file: era-write-key.2022-06-28T21:33:17.114728+00:00.json
2022-06-28T21:33:17.340589Z [info ] API key created: era_ZZZZZZZZZZZ
2022-06-28T21:33:17.340677Z [info ] **Be sure to put this in a safe place.**
Create a role and key with write-only permissions on indexes starting with logstash-. Using the EraSearch API:
- In your terminal, export these environment variables, replacing YOUR_KEY with the key you generated in Setting up RBAC:
- Define the EraSearch role by writing this content to logstash_writeonly_role.json:
- Create the role by entering the command below. EraSearch responds with details about the role, including its id, name, and permissions.
- Define the key-role mapping by writing the following to logstash_writeonly_key.json:
- Create the key with this command:
  $ curl -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${ADMIN_API_KEY}" \
    --data-binary @logstash_writeonly_key.json \
    ${ERA_URL}/v1/api_keys
  EraSearch responds with information about the key-role mapping. The api_key value is what writers need to add to requests to be authenticated.
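The role created in Step 1 is only as narrow as its index patterns and permission list. The added example below (not part of the original Era Software documentation) audits a role definition in the shape eractl logs above. It assumes index patterns are shell-style globs; the off-limits index names, the second role and its other-permission value are constructed for illustration.

```python
import fnmatch
import json

# Role definition copied from the eractl log line "New role created: {...}".
PAGE_ROLE = '{"name": "logstash", "indexes": [{"names": ["logstash-*"], "permissions": ["write"]}]}'

# Constructed counter-example: "other-permission" is a placeholder, not a
# real EraSearch permission name.
BROAD_ROLE = '{"name": "ingest", "indexes": [{"names": ["*"], "permissions": ["write", "other-permission"]}]}'

# Constructed index names the ingest tool has no business writing to.
OFF_LIMITS = ["audit-2022.06", "metrics-prod"]


def audit_write_only_role(role_json, prefix, off_limits=OFF_LIMITS):
    """Return findings for a role; an empty list means write-only and scoped.

    Assumes index patterns are shell-style globs, as "logstash-*" suggests.
    """
    role = json.loads(role_json)
    grants = role.get("indexes", [])
    findings = []
    if not grants:
        findings.append("role grants no index permissions")
    for grant in grants:
        # Anything other than "write" defeats the purpose of a write-only key.
        extra = sorted(set(grant.get("permissions", [])) - {"write"})
        if extra:
            findings.append(f"permissions beyond write: {extra}")
        for pattern in grant.get("names", []):
            # The pattern must stay inside the tool's own index prefix.
            if not pattern.startswith(prefix):
                findings.append(f"pattern {pattern!r} is not limited to {prefix!r}")
            # Show concretely which unrelated indexes the pattern would cover.
            hits = [i for i in off_limits if fnmatch.fnmatchcase(i, pattern)]
            if hits:
                findings.append(f"pattern {pattern!r} also matches {hits}")
    return findings


if __name__ == "__main__":
    for label, role in (("page role", PAGE_ROLE), ("broad role", BROAD_ROLE)):
        print(label, audit_write_only_role(role, "logstash-") or "OK")
```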
Step 2: Add the key to Logstash
Update your Logstash configuration file as shown below, where:
- ${ERA_URL} is the EraSearch URL. Example: localhost:9200.
- ${ERA_INDEX} is the EraSearch index to write data to.
- ${ERA_API_KEY} is the API key you generated above.
output {
  elasticsearch {
    hosts => ["${ERA_URL}"]
    index => "${ERA_INDEX}"
    custom_headers => {
      "Authorization" => "Bearer ${ERA_API_KEY}"
    }
  }
}
Step 3: Restart Logstash
Finally, restart Logstash to verify your setup. To view your Logstash logs in EraSearch, enter the command below in your terminal, where:
- YOUR_ERASEARCH_URL is your full EraSearch URL. Example: http://localhost:9200.
- ${ERA_INDEX} is the EraSearch index you specified above.
- ${ADMIN_API_KEY} is your EraSearch RBAC admin API key.
$ curl "YOUR_ERASEARCH_URL/${ERA_INDEX}/_search?q=_lid:*" \
  -H "Authorization: Bearer ${ADMIN_API_KEY}"
Next steps
Visit User and role management and Using RBAC with Grafana and Azure AD for more about EraSearch RBAC and the permissions you can work with.