The Elasticsearch service-linked roles (AliyunServiceRoleForElasticsearchOps and AliyunServiceRoleForElasticsearchCollector) are RAM roles that Alibaba Cloud Elasticsearch needs in order to access other cloud services when you use cluster auto scaling or create and manage Beats shippers. This topic describes the scenarios in which the Alibaba Cloud Elasticsearch service-linked roles are used and how to delete them.
Background information
For more information about service-linked roles, see Service-linked roles.
Scenarios
- AliyunServiceRoleForElasticsearchOps
When a cluster auto scaling task is run, Alibaba Cloud Elasticsearch must be authorized, through this service-linked role, to call the auto scaling OpenAPI operations in the background and scale the cluster in or out at the time you specified.
- AliyunServiceRoleForElasticsearchCollector
When you create and manage Beats shippers, the shippers must be authorized, through this service-linked role, to perform specific management operations on the target machines in Elastic Compute Service (ECS) or Container Service for Kubernetes (ACK).
About AliyunServiceRoleForElasticsearchOps
When a cluster auto scaling task is run and no role with the permissions required to run the task exists, Elasticsearch automatically creates the role (a service-linked role) and grants it the required permissions. Elasticsearch then assumes the role to call the OpenAPI operations that complete the scheduled scaling task. The role is described as follows:
- Role name: AliyunServiceRoleForElasticsearchOps
- Name of the policy attached to the role: AliyunServiceRolePolicyForElasticsearchOps
- Content of the policy:
  {
    "Version": "1",
    "Statement": [
      {
        "Action": [
          "elasticsearch:ListInstance",
          "elasticsearch:DescribeInstance",
          "elasticsearch:UpdateInstance",
          "elasticsearch:UpdateInstanceSettings",
          "elasticsearch:RestartInstance",
          "elasticsearch:RollbackInstance",
          "elasticsearch:DowngradeInstance",
          "elasticsearch:CancelTask",
          "elasticsearch:DeactivateZones",
          "elasticsearch:ActivateZones",
          "elasticsearch:MigrateToOtherZone",
          "elasticsearch:ResumeElasticsearchTask",
          "elasticsearch:InterruptElasticsearchTask",
          "elasticsearch:UpdateAdvancedSetting",
          "elasticsearch:UpgradeInstanceEngineVersion",
          "elasticsearch:UpdateWhiteIps",
          "elasticsearch:UpdatePublicIps",
          "elasticsearch:ModifyWhiteIps",
          "elasticsearch:TriggerNetwork",
          "elasticsearch:UpdateTemplate",
          "elasticsearch:DescribeLogstash",
          "elasticsearch:UpdateLogstash",
          "elasticsearch:RestartLogstash",
          "elasticsearch:UpdateLogstashSettings",
          "elasticsearch:InterruptLogstashTask",
          "elasticsearch:ResumeLogstashTask",
          "elasticsearch:DowngradeLogstash"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": "ram:DeleteServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": "ops.elasticsearch.aliyuncs.com"
          }
        }
      }
    ]
  }
- Service name: ops.elasticsearch.aliyuncs.com
- User permission required to perform operations on the service-linked role: ram:CreateServiceLinkedRole
About AliyunServiceRoleForElasticsearchCollector
When you create and manage Beats shippers and no role with the permissions required to run the task exists, Elasticsearch automatically creates the role (a service-linked role) and grants it the required permissions. Elasticsearch then assumes the role to call the OpenAPI operations that let the Beats shippers collect data on the target ECS or ACK machines. The role is described as follows:
- Role name: AliyunServiceRoleForElasticsearchCollector
- Name of the policy attached to the role: AliyunServiceRolePolicyForElasticsearchCollector
- Content of the policy:
  {
    "Version": "1",
    "Statement": [
      {
        "Action": [
          "oos:CancelExecution",
          "oos:DeleteExecutions",
          "oos:GenerateExecutionPolicy",
          "oos:GetExecutionTemplate",
          "oos:ListExecutionLogs",
          "oos:ListExecutions",
          "oos:ListTaskExecutions",
          "oos:NotifyExecution",
          "oos:StartExecution",
          "oos:ListTagResources",
          "oos:TagResources",
          "oos:UntagResources",
          "oos:CreateTemplate",
          "oos:DeleteTemplate",
          "oos:GetTemplate",
          "oos:ListExecutionRiskyTasks",
          "oos:ListTemplates",
          "oos:UpdateTemplate"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "ecs:DescribeInstances",
          "ecs:DescribeCloudAssistantStatus"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "cs:GetUserConfig",
          "cs:GetClusters",
          "cs:GetClusterById"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": "ram:DeleteServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
          }
        }
      },
      {
        "Effect": "Allow",
        "Action": "ram:PassRole",
        "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
        "Condition": {
          "StringEquals": {
            "acs:Service": "oos.aliyuncs.com"
          }
        }
      }
    ]
  }
- Service name: collector.elasticsearch.aliyuncs.com
- User permission required to create or delete the service-linked role: ram:CreateServiceLinkedRole
Delete a service-linked role
Before you delete the AliyunServiceRoleForElasticsearchOps service-linked role, stop the Elasticsearch auto scaling tasks that depend on it. Before you delete the AliyunServiceRoleForElasticsearchCollector service-linked role, delete all Beats shippers that depend on it.
For the detailed procedure, see Delete a service-linked role.
FAQ
Q: Why can't my RAM user create an Elasticsearch service-linked role?
- For the procedure, see Grant permissions to a RAM user.
- In the following policies, replace the Resource value 133071096032**** with your own Alibaba Cloud account ID. To obtain the account ID, move the pointer over the profile picture in the upper-right corner of the console.
- If the RAM user needs to run Elasticsearch auto scaling tasks that depend on the AliyunServiceRoleForElasticsearchOps service-linked role, attach the following policy to the user.
  {
    "Version": "1",
    "Statement": [
      {
        "Action": "elasticsearch:InitializeOperationRole",
        "Resource": "acs:ram:*:133071096032****:role/*",
        "Effect": "Allow"
      },
      {
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "acs:ram:*:133071096032****:role/*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": [
              "ops.elasticsearch.aliyuncs.com"
            ]
          }
        }
      }
    ]
  }
- If the RAM user needs to create and manage Beats shippers that depend on the AliyunServiceRoleForElasticsearchCollector service-linked role, attach the following policy to the user.
  {
    "Version": "1",
    "Statement": [
      {
        "Action": "elasticsearch:InitializeOperationRole",
        "Resource": "acs:ram:*:133071096032****:role/*",
        "Effect": "Allow"
      },
      {
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "acs:ram:*:133071096032****:role/*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": [
              "collector.elasticsearch.aliyuncs.com"
            ]
          }
        }
      }
    ]
  }
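The policies above share a few review points: the service-linked-role policies allow many actions on Resource "*", and the RAM-user policies only work once the masked account ID is replaced and the ram:ServiceName condition names the right service. The following Python script, added here as an example and not part of Alibaba Cloud's documentation or tooling, lints a RAM policy document for exactly those points. The sample policies inside it are constructed copies of the page's policies (the Collector policy is trimmed to fewer actions), the account ID 1234567890123456 is made up, and lint_policy, fill_account_id and the finding codes are names chosen for this example.

```python
"""Review checks for RAM policy documents used with the Elasticsearch
service-linked roles. Added example; not Alibaba Cloud code."""
import json
import re

# Actions that must be narrowed to a single service through ram:ServiceName.
SLR_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}
# The masked account ID as the page prints it (133071096032****).
MASKED_ACCOUNT_ID = re.compile(r"\d*\*{2,}")


def _as_list(value):
    """RAM accepts either a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy, expected_service):
    """Return (statement index, finding code, message) tuples; an empty list means clean."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        actions = set(_as_list(stmt["Action"]))
        resources = _as_list(stmt["Resource"])
        condition = stmt.get("Condition", {})
        equals = condition.get("StringEquals", {})

        # 1. The masked account ID copied from the docs was never filled in.
        for res in resources:
            if MASKED_ACCOUNT_ID.search(res):
                findings.append((idx, "masked-account-id", f"Resource {res!r} still carries the masked account ID"))

        # 2. Creating or deleting a service-linked role must be pinned to one service.
        if actions & SLR_ACTIONS:
            names = _as_list(equals.get("ram:ServiceName", []))
            if names != [expected_service]:
                findings.append((idx, "service-name", f"ram:ServiceName is {names}, expected [{expected_service!r}]"))

        # 3. ram:PassRole must state which service may receive the role.
        if "ram:PassRole" in actions and "acs:Service" not in equals:
            findings.append((idx, "pass-role", "ram:PassRole without an acs:Service condition"))

        # 4. Allow on Resource "*" with no Condition: surface the scope for review.
        if stmt.get("Effect") == "Allow" and "*" in resources and not condition:
            findings.append((idx, "wildcard-resource", f"{len(actions)} action(s) allowed on Resource '*' without a Condition"))
    return findings


def fill_account_id(policy, account_id):
    """Return a copy of the policy with the masked account ID replaced by account_id."""
    return json.loads(MASKED_ACCOUNT_ID.sub(account_id, json.dumps(policy)))


# Constructed copy of the page's RAM-user policy for the Ops role, account ID still masked.
USER_POLICY_TEMPLATE = {
    "Version": "1",
    "Statement": [
        {"Action": "elasticsearch:InitializeOperationRole",
         "Resource": "acs:ram:*:133071096032****:role/*", "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole",
         "Resource": "acs:ram:*:133071096032****:role/*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": ["ops.elasticsearch.aliyuncs.com"]}}},
    ],
}

# Constructed, trimmed copy of the Collector role's policy: same statement shapes, fewer actions.
COLLECTOR_SLR_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["oos:StartExecution", "oos:ListExecutions"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["cs:GetUserConfig", "cs:GetClusters", "cs:GetClusterById"], "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "collector.elasticsearch.aliyuncs.com"}}},
        {"Effect": "Allow", "Action": "ram:PassRole",
         "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
         "Condition": {"StringEquals": {"acs:Service": "oos.aliyuncs.com"}}},
    ],
}


def review_user_policy(account_id="1234567890123456"):  # made-up account ID
    """Lint the template as copied from the page, then again after the account ID is filled in."""
    service = "ops.elasticsearch.aliyuncs.com"
    before = lint_policy(USER_POLICY_TEMPLATE, service)
    after = lint_policy(fill_account_id(USER_POLICY_TEMPLATE, account_id), service)
    return before, after


def review_collector_policy():
    """Lint the Collector service-linked role's policy against its own service name."""
    return lint_policy(COLLECTOR_SLR_POLICY, "collector.elasticsearch.aliyuncs.com")


if __name__ == "__main__":
    before, after = review_user_policy()
    for finding in before:
        print("template:", finding)
    print("after filling in the account ID:", after)
    for finding in review_collector_policy():
        print("collector SLR policy:", finding)
```

Run as a script, the template produces two masked-account-id findings that disappear once fill_account_id has substituted a real ID, while the Collector policy produces only wildcard-resource findings for its three unconditioned statements: the DeleteServiceLinkedRole and PassRole statements pass because their conditions pin them to one service, which is the property worth confirming whenever such a policy is changed.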