Resource Access Management (RAM) is an Alibaba Cloud service that manages user identities and resource access permissions. With RAM you avoid sharing the AccessKey pair of your Alibaba Cloud account with RAM users, and you grant each RAM user only the minimum permissions it needs. RAM uses permission policies to describe exactly what is authorized.

This topic describes the elements, such as Action, Resource, and Condition, that Elasticsearch defines for use in RAM policies. The RAM code (RamCode) that identifies Elasticsearch in RAM is elasticsearch. Elasticsearch supports resource-level authorization, so a policy can be scoped to individual clusters and other resources instead of to the whole service.

General structure of a policy

Policies are stored as JSON documents. A policy contains a Version and a list of Statement elements; each statement combines an Effect (Allow or Deny) with the Action, Resource, and optional Condition elements described in the following sections.

Action

Elasticsearch defines the values that you can use in the Action element of a policy statement. The following table describes them.

Action | Description | Access level | Resource type | ARN | Condition key | Associated operation
elasticsearch:ActivateCloudMigration | | Update | Instance | acs:elasticsearch:{#regionId}:{#accountId}:instances/{#InstanceId} | None | None
elasticsearch:ActivateZones | Restores nodes in disabled zones. Available only for multi-zone Elasticsearch clusters. | None | Instance | acs:elasticsearch:{#regionId}:{#accountId}:instances/{#instancesId} | None | None
elasticsearch:ActivePhone | | None | All Resources | * | None | None
elasticsearch:AddConnectableCluster | Connects Elasticsearch clusters. | Create | Instance | acs:elasticsearch:{#regionId}:{#accountId}:instances/{#instancesId} | None | None
elasticsearch:AddSnapshotRepo | Creates a reference repository when configuring a cross-cluster OSS repository. | Create | Instance | acs:elasticsearch:{#regionId}:{#accountId}:instances/{#instancesId} | None | None
elasticsearch:AttachMigrationJob | | None | All Resources | * | None | None
elasticsearch:CancelDeletion | Restores an Elasticsearch cluster that is frozen after it is released. | None | Instance | acs:elasticsearch:{#regionId}:{#accountId}:instances/{#InstanceId} | None | None
elasticsearch:CancelLogstashDeletion | Restores a Logstash cluster that is frozen after it is released. | None | Logstash | acs:elasticsearch:{#regionId}:{#accountId}:logstashes/{#InstanceId} | None | None
elasticsearch:CancelTask | Cancels a data migration task. | None | Instance | acs:elasticsearch:{#regionId}:{#accountId}:instances/{#instancesId} | None | None
elasticsearch:CloseDiagnosis | Disables the intelligent O&M feature for an Elasticsearch cluster. | None | Instance | acs:elasticsearch:{#regionId}:{#accountId}:instances/{#instancesId} | None | None
Resource

The following Elasticsearch resources can be specified in the Resource element of a policy to grant permissions to perform specific operations on them.

An Alibaba Cloud Resource Name (ARN) is the unique identifier of a resource on Alibaba Cloud. Notation:

  • {#} marks a variable that must be replaced with the actual value. Example: {#ramcode} must be replaced with the RAM code of the cloud service (elasticsearch for Elasticsearch).
  • * is a wildcard. Examples:
    • {#resourceType}/* specifies all resources of that type.
    • If {#regionId} is set to *, all regions are specified.
    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.
Resource type: ARN
Instance
  • acs:elasticsearch:{#regionId}:{#accountId}:instances/{#InstanceId}
  • acs:elasticsearch:{#regionId}:{#accountId}:instances/{#instancesId}
  • acs:elasticsearch:{#regionId}:{#accountId}:instances/*
  • acs:elasticsearch:{#regionId}:{#accountId}:instances/{instanceId}
  • acs:elasticsearch:{#regionId}:{#accountId}:*
Logstash
  • acs:elasticsearch:{#regionId}:{#accountId}:logstashes/{#logstashesId}
  • acs:elasticsearch:{#regionId}:{#accountId}:logstashes/{#InstanceId}
  • acs:elasticsearch:{#regionId}:{#accountId}:logstashes/*
ackClusters
  • acs:elasticsearch:{#regionId}:{#accountId}:ackClusters/{#ackClustersId}
  • acs:elasticsearch:{#regionId}:{#accountId}:ackClusters/*
collectors
  • acs:elasticsearch:{#regionId}:{#accountId}:collectors/{#collectorsId}
  • acs:elasticsearch:{#regionId}:{#accountId}:collectors/*
emonProjects
  • acs:elasticsearch:{#regionId}:{#accountId}:emonProjects/{#emonProjectsId}
instances
  • acs:elasticsearch:{#regionId}:{#accountId}:instances/{#instancesId}
logstashes
  • acs:elasticsearch:{#regionId}:{#accountId}:logstashes/*
snapshotrepository
  • acs:elasticsearch:{#regionId}:{#accountId}:snapshotrepository/*
tags
  • acs:elasticsearch:{#regionId}:{#accountId}:tags/*
  • acs:elasticsearch:{#regionId}:{#accountId}:tags/{#tagsId}
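To make the ARN layout above concrete, the following Python module, added here as an example and not part of the Alibaba Cloud documentation or SDK, builds and parses Elasticsearch ARNs and audits a policy statement for wildcards in the regionId, accountId, resource type, and resource id positions. The resource types come from the table above; the sample policy, region, account ID, and instance IDs are constructed for the example.

```python
"""Build, parse and audit Elasticsearch ARNs used in RAM policy Resource elements.

Added example; not code from Alibaba Cloud. ARN layout follows the page:
acs:elasticsearch:{regionId}:{accountId}:{resourceType}/{resourceId}
"""
from typing import Dict, List

RAM_CODE = "elasticsearch"

# Resource types from the Resource table on this page ("Instance" and
# "Logstash" in that table use the instances/ and logstashes/ paths).
RESOURCE_TYPES = {
    "instances", "logstashes", "ackClusters", "collectors",
    "emonProjects", "snapshotrepository", "tags",
}


def build_arn(resource_type: str, resource_id: str,
              region_id: str, account_id: str) -> str:
    """Render acs:elasticsearch:{regionId}:{accountId}:{type}/{id}."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"unknown Elasticsearch resource type {resource_type!r}")
    return f"acs:{RAM_CODE}:{region_id}:{account_id}:{resource_type}/{resource_id}"


def parse_arn(arn: str) -> Dict[str, str]:
    """Split an Elasticsearch ARN into region, account, resource type and id.

    A bare '*' in place of '{type}/{id}' (acs:elasticsearch:r:a:*) is reported
    as type '*' and id '*'.
    """
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[0] != "acs":
        raise ValueError(f"not an Alibaba Cloud ARN: {arn!r}")
    _, ramcode, region, account, resource = parts
    if ramcode != RAM_CODE:
        raise ValueError(f"ARN belongs to RAM code {ramcode!r}, not {RAM_CODE!r}")
    if resource == "*":
        rtype, rid = "*", "*"
    else:
        rtype, sep, rid = resource.partition("/")
        if not sep or not rid:
            raise ValueError(f"resource part must be 'type/id' or '*': {arn!r}")
    return {"region": region, "account": account, "type": rtype, "id": rid}


def audit_statement_scope(statement: dict) -> List[str]:
    """Report every wildcard that widens a statement's Resource element.

    An empty list means each ARN names one fully qualified resource.
    """
    resources = statement.get("Resource", [])
    if isinstance(resources, str):
        resources = [resources]
    findings = []
    for arn in resources:
        if arn == "*":
            findings.append(f"{arn}: every resource of every service")
            continue
        p = parse_arn(arn)
        if p["region"] == "*":
            findings.append(f"{arn}: regionId is *, grant applies in all regions")
        if p["account"] == "*":
            findings.append(f"{arn}: accountId is *, grant applies to all Alibaba Cloud accounts")
        if p["type"] == "*":
            findings.append(f"{arn}: resource type is *, grant covers every Elasticsearch resource type")
        elif p["id"] == "*":
            findings.append(f"{arn}: resource id is *, grant covers every {p['type']} resource")
    return findings


def audit_policy(policy: dict) -> Dict[int, List[str]]:
    """Map statement index to its scope findings; clean statements are omitted."""
    report = {}
    for i, stmt in enumerate(policy["Statement"]):
        findings = audit_statement_scope(stmt)
        if findings:
            report[i] = findings
    return report


# Constructed sample policy (IDs are made up): one tightly scoped statement
# and one that is wider than it needs to be.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "elasticsearch:AddSnapshotRepo",
            "Resource": build_arn("instances", "es-cn-example01",
                                  "cn-hangzhou", "1234567890123456"),
        },
        {
            "Effect": "Allow",
            "Action": "elasticsearch:CancelLogstashDeletion",
            "Resource": ["acs:elasticsearch:*:1234567890123456:logstashes/*"],
        },
    ],
}

if __name__ == "__main__":
    for idx, notes in audit_policy(SAMPLE_POLICY).items():
        print(f"statement {idx}:")
        for note in notes:
            print("  ", note)
```

Run the audit over every custom policy before attaching it: a wildcard in the regionId or accountId position is rarely what a least-privilege grant intends, and a trailing * after the account (acs:elasticsearch:{#regionId}:{#accountId}:*) covers every resource type Elasticsearch exposes, not only clusters.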
Condition

Elasticsearch defines the following service-specific condition keys that you can use in the Condition element of a policy statement. The common (generic) condition keys defined by Alibaba Cloud also apply to Elasticsearch; for more information about them, see the RAM documentation on policy elements.

The data type of a condition key determines which conditional operators you can use to compare the value in a request with the value in a policy statement. You must use an operator that the data type supports (for example, a boolean operator for a boolean key and a string operator for a string key). Otherwise the comparison cannot be made and the authorization is invalid. For the conditional operators supported by each data type, see Policy elements.

Condition key | Description | Type | Values
elasticsearch:DataNodeDiskEncryption | Whether disk encryption is enabled for data nodes | boolean | true, false
elasticsearch:InstancePublicNetworkSwitch | Whether public network access is enabled for the Elasticsearch cluster | boolean | true, false
elasticsearch:TriggerNetworkAction | Whether the request enables (open) or disables (close) public or private network access to the cluster | string | close, open
elasticsearch:TriggerNetworkNodeType | Type of cluster node whose network access is changed | string | kibana, worker
elasticsearch:TriggerNetworkType | Network type that the request changes | string | public, private
elasticsearch:WarmNodeDiskEncryption | Whether disk encryption is enabled for warm nodes | boolean | true, false
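The following Python evaluator is an added example, not code from Alibaba Cloud, and serves both the general policy structure described at the top of this page and the condition keys in this section. It applies the RAM evaluation rules (an explicit Deny overrides an Allow, and a request that matches no Allow is denied), matches Action and Resource with the * wildcard, checks each Condition operator against the data type of its key from the table above, and rejects a policy that pairs a string operator with a boolean key. The action name elasticsearch:TriggerNetwork in the sample policy, the three-operator subset, and the instance ARN are assumptions made for the example; RAM's real operator list is larger.

```python
"""Minimal RAM policy evaluator for Elasticsearch statements.

Added example; not code from Alibaba Cloud. Policy shape follows this page:
Version, Statement[] with Effect, Action, Resource and optional Condition.
"""
import re
from typing import Any, Dict, List, Optional, Union

# Data type of each service-specific condition key, from the Condition table above.
CONDITION_KEY_TYPES = {
    "elasticsearch:DataNodeDiskEncryption": "boolean",
    "elasticsearch:InstancePublicNetworkSwitch": "boolean",
    "elasticsearch:TriggerNetworkAction": "string",
    "elasticsearch:TriggerNetworkNodeType": "string",
    "elasticsearch:TriggerNetworkType": "string",
    "elasticsearch:WarmNodeDiskEncryption": "boolean",
}

# Operator -> (data type it applies to, comparison). Assumed subset of RAM's operators.
OPERATORS = {
    "StringEquals": ("string", lambda req, pol: req == pol),
    "StringNotEquals": ("string", lambda req, pol: req != pol),
    "Bool": ("boolean", lambda req, pol: str(req).lower() == str(pol).lower()),
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _wildcard_match(pattern: str, value: str) -> bool:
    """'*' is the only wildcard in Action and Resource; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def validate_conditions(policy: dict) -> List[str]:
    """Flag operator/data-type mismatches, which make the authorization invalid."""
    errors = []
    for i, stmt in enumerate(policy["Statement"]):
        for op, keys in stmt.get("Condition", {}).items():
            if op not in OPERATORS:
                errors.append(f"statement {i}: unsupported operator {op}")
                continue
            for key in keys:
                expected = CONDITION_KEY_TYPES.get(key)
                if expected is None:
                    errors.append(f"statement {i}: unknown condition key {key}")
                elif expected != OPERATORS[op][0]:
                    errors.append(f"statement {i}: {op} cannot compare {key} ({expected} key)")
    return errors


def _condition_holds(condition: dict, context: Dict[str, Any]) -> bool:
    """Every operator block must hold; within one key, any listed value may match."""
    for op, keys in condition.items():
        compare = OPERATORS[op][1]
        for key, policy_values in keys.items():
            if key not in context:
                return False  # a key absent from the request never satisfies the condition
            if not any(compare(context[key], v) for v in _as_list(policy_values)):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str,
             context: Optional[Dict[str, Any]] = None) -> str:
    """Decide a request: an explicit Deny wins; no matching Allow means Deny."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed sample (IDs made up): an operator may manage one instance but
# can never open public network access to any instance.
INSTANCE = "acs:elasticsearch:cn-hangzhou:1234567890123456:instances/es-cn-example01"
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["elasticsearch:Activate*", "elasticsearch:AddSnapshotRepo",
                       "elasticsearch:TriggerNetwork"],  # TriggerNetwork: assumed action name
            "Resource": INSTANCE,
        },
        {
            "Effect": "Deny",
            "Action": "elasticsearch:TriggerNetwork",
            "Resource": "acs:elasticsearch:*:*:instances/*",
            "Condition": {"StringEquals": {
                "elasticsearch:TriggerNetworkType": "public",
                "elasticsearch:TriggerNetworkAction": "open",
            }},
        },
    ],
}
```

Two points the evaluator makes visible: a Deny that depends on a condition key only fires when the request carries that key, so confirm that the API you are restricting actually supplies it before relying on such a Deny; and validate_conditions catches the operator/type mismatch described above (for example StringEquals on elasticsearch:DataNodeDiskEncryption) before the policy is attached rather than when an authorization silently fails.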
What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics: