A_LucasOverview
Regular service roles are a type of RAM role that authorizes Alibaba Cloud services to access each other securely. This guide provides a step-by-step approach to creating and managing a regular service role for Alibaba Cloud Elasticsearch to upload plug-ins or dictionary files from your Object Storage Service (OSS) securely.
What is a Regular Service Role?
A regular service role in Alibaba Cloud is a RAM role authorized to act on behalf of other Alibaba Cloud services. This role ensures seamless and secure integration between two Alibaba Cloud services without changing public read permissions.
Step 1: Create a Regular Service Role
If the regular service role does not exist when you upload a dictionary via an OSS URL, you must create this role and attach the required policy.
- Trusted Service Name: elasticsearch.aliyuncs.com
- Role Name: AliyunElasticsearchAccessingOSSRole
- Policy Name: AliyunElasticsearchAccessingOSSRolePolicy
Policy Document:
1{
2 "Version": "1",
3 "Statement": [
4 {
5 "Action": [
6 "oss:GetObject",
7 "oss:GetObjectMetadata",
8 "oss:GetObjectMeta"
9 ],
10 "Resource": "*",
11 "Effect": "Allow"
12 }
13 ]
14}
Step 2: Attach the Policy to the Regular Service Role
Log in to the RAM console and attach the above policy to the AliyunElasticsearchAccessingOSSRole. This enables Elasticsearch to assume this role to access files in the OSS URL and update dictionaries based on the file, ensuring data security.
Example of Limiting the Permissions of the Regular Service Role
To create more secure and granulated permissions, you can create a custom RAM policy and attach it to the regular service role.
Example Custom Policy
1{
2 "Version": "1",
3 "Statement": [
4 {
5 "Action": [
6 "oss:GetObject",
7 "oss:GetObjectMetadata",
8 "oss:GetObjectMeta"
9 ],
10 "Resource": [
11 "acs:oss:*:193248xxxxxxx:*"
12 ],
13 "Effect": "Allow",
14 "Condition": {
15 "StringEquals": {
16 "oss:BucketTag/key1":"value1"
17 }
18 }
19 }
20 ]
21}
Adding Tags to a Bucket
To manage permissions efficiently, you can add tags to buckets and control access based on these tags.
- Log on to the OSS console.
- In the left-side navigation pane, click Buckets. Find and click the desired bucket.
- Choose Bucket Settings > Bucket Tagging from the left-side navigation tree.
- On the Bucket Tagging page, click Create Tag and add the desired tag to the bucket.
Uploading a Dictionary File
To upload a dictionary file from OSS:
- Log in to the Elasticsearch console.
- Use the OSS URL of the file to upload the plug-in or dictionary file.
Deleting the Regular Service Role
If you need to delete the regular service role, you can do so in the RAM console. Note that after deletion, features depending on this role will cease to function.
For more detailed information, visit RAM role overview and Alibaba Cloud Elasticsearch.
FAQ
Q: Why is the ElasticsearchNoPermissionForCurrentBucket error received during operations like UpdateDict or UpdateHotIkDicts?
A: For Elasticsearch clusters using the cloud-native control architecture, only the regular service role for Elasticsearch can enable the clusters to read dictionary files stored in OSS. You must complete the authorization on the authorization page. This role is necessary for scenarios such as updating OSS-based synonym dictionaries, standard rolling updates of IK dictionaries, and dictionary updating for the analysis-aliws plug-in.
Conclusion
Using regular service roles ensures secure and efficient integration between Alibaba Cloud Elasticsearch and OSS, allowing you to upload and manage dictionary files seamlessly without compromising on data security.
Ready to start your journey with Elasticsearch on Alibaba Cloud? Explore our tailored Cloud solutions and services to take the first step towards transforming your data into a visual masterpiece.
