
RBAC for beat_writer action [indices:admin/create] is unauthorized for user [beat_writer] #15040

Closed
DanRoscigno opened this issue Dec 11, 2019 · 8 comments · Fixed by #15604

Comments

@DanRoscigno
Contributor

DanRoscigno commented Dec 11, 2019

I am unable to index metric data using Metricbeat 7.5.0 with ESS 7.5.0 using the role and user described at https://www.elastic.co/guide/en/beats/metricbeat/7.5/feature-roles.html#privileges-to-publish-events

I see this warning in the output of ./metricbeat -e:

2019-12-10T20:17:01.825-0500	WARN	elasticsearch/client.go:511	Cannot index event
publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbf742ec32eb73a80, 
ext:30061604355, loc:(*time.Location)(0x9c51a60)}, Meta:common.MapStr(nil), 
Fields:common.MapStr{"agent":common.MapStr{"ephemeral_id":"fd8174fa-6126-40ec-b703-
7c8a8d07d023", "hostname":"Dans-MacBook-Pro.local", "id":"7bfb73c3-781b-4e56-a73c-
aab361fa3490", "type":"metricbeat", "version":"7.5.0"}, "ecs":common.MapStr{"version":"1.1.0"}, 
"event":common.MapStr{"dataset":"system.load", "duration":15637, "module":"system"}, 
"host":common.MapStr{"architecture":"x86_64", "hostname":"Dans-MacBook-Pro.local", 
"id":"C04BF4A3-78E4-527B-B5C2-98DB3437A426", "name":"Dans-MacBook-Pro.local", 
"os":common.MapStr{"build":"18G1012", "family":"darwin", "kernel":"18.7.0", "name":"Mac OS X", 
"platform":"darwin", "version":"10.14.6"}}, "metricset":common.MapStr{"name":"load", 
"period":10000}, "service":common.MapStr{"type":"system"}, 
"system":common.MapStr{"load":common.MapStr{"1":1.7905, "15":1.793, "5":1.8657, "cores":8, 
"norm":common.MapStr{"1":0.2238, "15":0.2241, "5":0.2332}}}}, Private:interface {}(nil), 
TimeSeries:true}, Flags:0x0} (status=403): {"type":"security_exception","reason":"action 
[indices:admin/create] is unauthorized for user [beat_writer]"}

Because the warning specifies that [indices:admin/create] is unauthorized for user [beat_writer], I added the index priv create_index and then I was able to successfully index the data. The docs specifically say that this priv is not needed when setup.ilm.check_exists: false is used in metricbeat.yml, and I have that set.

I am running ES and Kibana in ESS, and running metricbeat on Mac OSX.

Here is my role:

{
  "beat_writer" : {
    "cluster" : [
      "monitor",
      "cluster:admin/ingest/pipeline/get"
    ],
    "indices" : [
      {
        "names" : [
          "filebeat-*",
          "metricbeat-*"
        ],
        "privileges" : [
          "create_doc"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

and here is my user:

{
  "beat_writer" : {
    "username" : "beat_writer",
    "roles" : [
      "beat_writer"
    ],
    "full_name" : "",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  }
}

One more thing: I did not need create_index for Filebeat 7.5.0

cc: @dedemorton

@dedemorton
Contributor

This was closed by mistake. Reopening. :-)

@DanRoscigno
Contributor Author

Is it really a doc issue? Why does Metricbeat require the priv if Filebeat does not?

@dedemorton
Contributor

A user on the forum has run into other problems with the documented privileges: https://discuss.elastic.co/t/beats-privileges-documentation/214190

(Noting it here so I update the forum post when I run through and test the privileges to see if the docs require updates.)

@DanRoscigno
Contributor Author

@dedemorton can you re-tag this as a code bug rather than doc bug? Unless it is a doc bug.

@dedemorton
Contributor

@DanRoscigno I plan to retest the docs this week to determine whether this is indeed a doc bug. Thanks!

@dedemorton
Contributor

@DanRoscigno I followed the documented instructions using Metricbeat 7.5.1, but was unable to reproduce this issue. Did you run the setup (with the privileges described for the setup role) before attempting to publish events?

I think the docs are potentially confusing where they say, "To minimize the privileges required by the writer role, you can use the setup role to pre-load dependencies." The privileges documented under "Grant privileges and roles needed for publishing" actually assume that you've pre-loaded all dependencies.

I'm going to close this issue, but please feel free to reopen it if you can reproduce the issue in 7.5.1

@dedemorton
Contributor

Incidentally here is the role and user that worked for me:

{
  "metricbeat_writer" : {
    "cluster" : [
      "monitor"
    ],
    "indices" : [
      {
        "names" : [
          "metricbeat-*"
        ],
        "privileges" : [
          "create_doc"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
{
  "metricbeat_writer" : {
    "username" : "metricbeat_writer",
    "roles" : [
      "metricbeat_writer"
    ],
    "full_name" : "Some Person",
    "email" : "myemail@gmail.com",
    "metadata" : { },
    "enabled" : true
  }
}
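An added offline check (not code from this thread or from the Beats/Elasticsearch projects) that ties the 403 body in the first post to the role documents pasted above: it extracts the denied action and user from the security_exception, tests whether a role's index entries would grant that action on a concrete index name, and lists what a writer role is missing depending on whether setup has already pre-loaded the index template and ILM policy. The action-to-privilege table is an assumption except for indices:admin/create -> create_index, which the thread itself demonstrates.

```python
import fnmatch
import json
import re

# Constructed from the thread: the 403 body from the "Cannot index event"
# WARN line, and the inner part of the original beat_writer role document.
SAMPLE_REASON = ('{"type":"security_exception","reason":"action '
                 '[indices:admin/create] is unauthorized for user [beat_writer]"}')
BEAT_WRITER_ROLE = {
    "cluster": ["monitor", "cluster:admin/ingest/pipeline/get"],
    "indices": [{"names": ["filebeat-*", "metricbeat-*"], "privileges": ["create_doc"]}],
}

# Index privileges that cover an action. indices:admin/create -> create_index
# is what the thread shows; the data/write entry is an assumption from the
# privilege names and is not confirmed on the page.
ACTION_TO_INDEX_PRIVILEGES = {
    "indices:admin/create": {"create_index", "manage", "all"},
    "indices:data/write/index": {"create_doc", "create", "index", "write", "all"},
}
UNAUTHORIZED_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]")


def parse_unauthorized(reason_json):
    """Return (action, user) from a security_exception body, else None."""
    body = json.loads(reason_json)
    if body.get("type") != "security_exception":
        return None
    m = UNAUTHORIZED_RE.search(body.get("reason", ""))
    return (m.group("action"), m.group("user")) if m else None


def role_grants(role, index_name, action):
    """True if an index entry of the role matches index_name with a privilege
    that allows action (hypothetical helper; no cluster round-trip)."""
    allowed = ACTION_TO_INDEX_PRIVILEGES.get(action, set())
    for entry in role.get("indices", []):
        if any(fnmatch.fnmatchcase(index_name, p) for p in entry["names"]):
            if allowed & set(entry.get("privileges", [])):
                return True
    return False


def missing_for_publish(role, setup_preloaded):
    """Privileges a writer role lacks: monitor + create_doc always, plus
    create_index when setup has not pre-loaded the index dependencies."""
    need_cluster = {"monitor"}
    need_index = {"create_doc"} | (set() if setup_preloaded else {"create_index"})
    have_index = set()
    for entry in role.get("indices", []):
        have_index |= set(entry.get("privileges", []))
    return (need_cluster - set(role.get("cluster", []))) | (need_index - have_index)
```

Running the check with setup_preloaded=False reproduces the thread's finding that the documented writer role is short exactly create_index, while with the setup role run first it is complete.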

@DanRoscigno
Contributor Author

cool, glad to hear that it is fixed. I will update my configs.
