Elasticsearch服务关联角色(包括AliyunServiceRoleForElasticsearchOps和AliyunServiceRoleForElasticsearchCollector角色)是为了使用集群弹性扩缩容、创建和管理Beats采集器功能,需要获取其他云服务的访问权限,而提供的RAM角色。本文介绍阿里云Elasticsearch服务关联角色的应用场景,以及如何删除服务关联角色。

背景信息

关于服务关联角色的详细信息,请参见服务关联角色

应用场景

AliyunServiceRoleForElasticsearchOps和AliyunServiceRoleForElasticsearchCollector角色的应用场景如下:
  • AliyunServiceRoleForElasticsearchOps

    执行集群弹性扩缩容任务时,需要通过服务关联角色功能,授权阿里云Elasticsearch后台调用集群弹性扩缩容的OpenAPI,按照您设定的时间对集群扩缩容。

  • AliyunServiceRoleForElasticsearchCollector

    创建和管理Beats采集器时,需要通过服务关联角色功能,授权Beats采集器在云服务器ECS(Elastic Compute Service),或容器服务Kubernetes版ACK(Container Service for Kubernetes)的目标机器上,进行特定的管控操作。

AliyunServiceRoleForElasticsearchOps介绍

当执行集群弹性扩缩容任务时,如果不存在具有执行任务权限的角色,Elasticsearch将自动创建对应角色(服务关联角色),并为该角色授予相应的权限。Elasticsearch通过扮演该角色即可调用OpenAPI,完成定时扩缩容任务。该角色的相关说明如下:

  • 角色名称:AliyunServiceRoleForElasticsearchOps
  • 角色权限策略名称:AliyunServiceRolePolicyForElasticsearchOps
  • 角色权限策略内容: 
    {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "elasticsearch:ListInstance",
                "elasticsearch:DescribeInstance",
                "elasticsearch:UpdateInstance",
                "elasticsearch:UpdateInstanceSettings",
                "elasticsearch:RestartInstance",
                "elasticsearch:RollbackInstance",
                "elasticsearch:DowngradeInstance",
                "elasticsearch:CancelTask",
                "elasticsearch:DeactivateZones",
                "elasticsearch:ActivateZones",
                "elasticsearch:MigrateToOtherZone",
                "elasticsearch:ResumeElasticsearchTask",
                "elasticsearch:InterruptElasticsearchTask",
                "elasticsearch:UpdateAdvancedSetting",
                "elasticsearch:UpgradeInstanceEngineVersion",
                "elasticsearch:UpdateWhiteIps",
                "elasticsearch:UpdatePublicIps",
                "elasticsearch:ModifyWhiteIps",
                "elasticsearch:TriggerNetwork",
                "elasticsearch:UpdateTemplate",
                "elasticsearch:DescribeLogstash",
                "elasticsearch:UpdateLogstash",
                "elasticsearch:RestartLogstash",
                "elasticsearch:UpdateLogstashSettings",
                "elasticsearch:InterruptLogstashTask",
                "elasticsearch:ResumeLogstashTask",
                "elasticsearch:DowngradeLogstash"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "ops.elasticsearch.aliyuncs.com"
                }
            }
        }
    ]
}
  • 服务名称:ops.elasticsearch.aliyuncs.com
  • 执行服务关联角色操作所需的用户权限:ram:CreateServiceLinkedRole

AliyunServiceRoleForElasticsearchCollector介绍

创建和管理Beats采集器时,如果不存在具有执行任务权限的角色,Elasticsearch将自动创建对应角色(服务关联角色),并为该角色授予相应的权限。Elasticsearch通过扮演该角色即可调用OpenAPI,完成Beats采集器在ECS或ACK目标机器上的数据采集任务。该角色的相关说明如下:

  • 角色名称:AliyunServiceRoleForElasticsearchCollector
  • 角色权限策略名称:AliyunServiceRolePolicyForElasticsearchCollector
  • 角色权限策略内容: 
    {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oos:CancelExecution",
                "oos:DeleteExecutions",
                "oos:GenerateExecutionPolicy",
                "oos:GetExecutionTemplate",
                "oos:ListExecutionLogs",
                "oos:ListExecutions",
                "oos:ListTaskExecutions",
                "oos:NotifyExecution",
                "oos:StartExecution",
                "oos:ListTagResources",
                "oos:TagResources",
                "oos:UntagResources",
                "oos:CreateTemplate",
                "oos:DeleteTemplate",
                "oos:GetTemplate",
                "oos:ListExecutionRiskyTasks",
                "oos:ListTemplates",
                "oos:UpdateTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeCloudAssistantStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cs:GetUserConfig",
                "cs:GetClusters",
                "cs:GetClusterById"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
            "Condition": {
                "StringEquals": {
                    "acs:Service": "oos.aliyuncs.com"
                }
            }
        }
    ]
}
  • 服务名称:collector.elasticsearch.aliyuncs.com
  • 执行创建或删除服务关联角色操作所需的用户权限:ram:CreateServiceLinkedRole

删除服务关联角色

删除AliyunServiceRoleForElasticsearchOps服务关联角色,需要先停止依赖这个服务关联角色的Elasticsearch弹性扩缩容任务;删除AliyunServiceRoleForElasticsearchCollector服务关联角色,需要先删除依赖这个服务关联角色的所有Beats采集器。

删除服务关联角色的具体操作,请参见删除服务关联角色

常见问题

Q:为什么我的RAM用户无法创建Elasticsearch服务关联角色?

A:阿里云账号或拥有CreateServiceLinkedRole权限的RAM用户,才能创建或删除服务关联角色。因此当RAM用户无法创建服务关联角色时,需要通过阿里云账号为其添加以下权限策略。
说明
  • 具体操作,请参见为RAM用户授权
  • 以下权限策略中,Resource中的值133071096032****需要替换为您自己的阿里云账号ID。阿里云账号ID的获取方法:鼠标移至控制台右上角的用户头像上,即可查看到账号ID
  • RAM用户需要执行依赖服务关联角色AliyunServiceRoleForElasticsearchOps的Elasticsearch弹性扩缩容任务时,可为其添加以下权限策略。
    {
    "Version": "1",
    "Statement": [
        {
            "Action": "elasticsearch:InitializeOperationRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "ops.elasticsearch.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
  • RAM用户需要创建和管理依赖服务关联角色AliyunServiceRoleForElasticsearchCollector的Beats采集器时,可为其添加以下权限策略。
    {
    "Version": "1",
    "Statement": [
        {
            "Action": "elasticsearch:InitializeOperationRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "collector.elasticsearch.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}