Era Software

Giving RBAC write permissions to tools

  • guide
  • erasearch
  • self-hosted
  • rbac
  • logstash

EraSearch has role-based access control (RBAC) to let you manage users, roles, and permissions. This page outlines how to give write permissions to third-party tools. In this guide, you'll:

  • Create a write-only role in EraSearch.
  • Generate a key for the write-only role.
  • Add the key to a third-party tool.

While this guide uses Logstash as the third-party tool, the steps are similar for all EraSearch-compatible ingest tools.

Before you begin

The content below is intended for existing self-hosted EraSearch users. Reach out to us at Era Software if you're interested in getting started with self-hosted EraSearch.

This guide also assumes you've:

Step 1: Create a write-only role in EraSearch

Create a role with write-only permissions on indexes starting with logstash-:

  1. In your terminal, export these environment variables, replacing YOUR_KEY with the key you generated in Setting up RBAC:
    $ export ADMIN_API_KEY="YOUR_KEY"
    $ export ERA_URL="localhost:9200"
    
  2. Define the EraSearch role by writing this content to logstash_writeonly_role.json:
    {
      "name": "write_logstash_logs",
      "database": [],
      "indexes": [
        {
          "names": [
            "logstash-*"
          ],
          "permissions": [
            "write"
          ]
        }
      ]
    }
    
  3. Create the role by entering the command below. EraSearch responds with details about the role, including its id, name, and permissions.
    $ curl -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${ADMIN_API_KEY}" \
    --data-binary @logstash_writeonly_role.json \
    ${ERA_URL}/v1/roles
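
An added pre-flight check, not part of the EraSearch documentation or tooling: it audits a role file such as logstash_writeonly_role.json before you send it to /v1/roles, confirming that the role grants only write and that every index pattern stays within the logstash- prefix. It assumes `*` is the only wildcard and that a non-empty database list grants database-level permissions; audit_role and literal_prefix are hypothetical names.

```python
import json

# Constructed samples: the role file from step 2 and an over-broad variant.
ROLE_OK = '''{"name": "write_logstash_logs", "database": [],
  "indexes": [{"names": ["logstash-*"], "permissions": ["write"]}]}'''
ROLE_BROAD = '''{"name": "write_logs", "database": [],
  "indexes": [{"names": ["log*", "*"], "permissions": ["write", "read"]}]}'''


def literal_prefix(pattern):
    """Return the fixed text before the first '*' (assumed the only wildcard)."""
    return pattern.split("*", 1)[0]


def audit_role(role_json, prefix="logstash-", allowed=("write",)):
    """Return a list of findings; an empty list means the role is write-only
    and confined to indexes whose names start with `prefix`."""
    role = json.loads(role_json)
    findings = []
    # Assumption: a non-empty "database" list grants database-level permissions.
    if role.get("database"):
        findings.append(f"database permissions granted: {role['database']}")
    grants = role.get("indexes", [])
    if not grants:
        findings.append("no index grants: the role cannot write anything")
    for i, grant in enumerate(grants):
        extra = sorted(set(grant.get("permissions", [])) - set(allowed))
        if extra:
            findings.append(f"indexes[{i}]: extra permissions {extra}")
        for name in grant.get("names", []):
            # Every index a pattern can match starts with the pattern's literal
            # prefix, so that prefix must itself start with the required one.
            if not literal_prefix(name).startswith(prefix):
                findings.append(
                    f"indexes[{i}]: pattern {name!r} reaches outside {prefix!r}")
    return findings


if __name__ == "__main__":
    for label, doc in (("ok", ROLE_OK), ("broad", ROLE_BROAD)):
        print(label, audit_role(doc) or "no findings")
```
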
    

Step 2: Create a key for the write-only role

Create a key tied to the role:

  1. Define the key-role mapping by writing the following to logstash_writeonly_key.json:
    {
      "name": "key for host XYZ",
      "role": "write_logstash_logs"
    }
    
  2. Create the key with this command:
    $ curl -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${ADMIN_API_KEY}" \
      --data-binary @logstash_writeonly_key.json \
      ${ERA_URL}/v1/api_keys
    
    EraSearch responds with information about the key-role mapping. The api_key value is what writers need to add to requests to be authenticated.
    {
      "id": 2,
      "name": "key for host XYZ",
      "api_key": "era_2X058ORa3oQXvypPV6wVKQ7LtJvThysQBKvMGfb3ebjr0HqSSy",
      "role": "write_logstash_logs"
    }
    

Step 3: Add the key to Logstash

Update your Logstash configuration file as shown below, where the environment variables are:

  • ${ERA_URL} - the EraSearch URL (for example, localhost:9200).
  • ${ERA_INDEX} - the EraSearch index to write data to.
  • ${ERA_API_KEY} - the api_key value you generated above.

output {
  elasticsearch {
    hosts => ["${ERA_URL}"]
    index => "${ERA_INDEX}"
    custom_headers => {
        "Authorization" => "Bearer ${ERA_API_KEY}"
    }
  }
}

Finally, restart Logstash to verify your setup.

Next steps

Visit User and role management and Using RBAC with Grafana and Azure AD for more about EraSearch RBAC and the permissions you can work with.