Defining roles
editDefining roles
editA role is defined by the following JSON structure:
{ "run_as": [ ... ], "cluster": [ ... ], "global": { ... }, "indices": [ ... ], "applications": [ ... ], "remote_indices": [ ... ] }
A list of usernames the owners of this role can impersonate. |
|
A list of cluster privileges. These privileges define the
cluster level actions users with this role are able to execute. This field
is optional (missing |
|
An object defining global privileges. A global privilege is a form of cluster privilege that is request sensitive. A standard cluster privilege makes authorization decisions based solely on the action being executed. A global privilege also considers the parameters included in the request. Support for global privileges is currently limited to the management of application privileges. This field is optional. |
|
A list of indices permissions entries. This field is optional (missing |
|
A list of application privilege entries. This field is optional. |
|
[beta]
This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
A list of indices permissions entries for
remote clusters configured with the API key based model.
This field is optional (missing |
Role names must be at least 1 and no more than 507 characters. They can
contain alphanumeric characters (a-z
, A-Z
, 0-9
), spaces,
punctuation, and printable symbols in the Basic Latin (ASCII) block.
Leading or trailing whitespace is not allowed.
Indices privileges
editThe following describes the structure of an indices permissions entry:
{ "names": [ ... ], "privileges": [ ... ], "field_security" : { ... }, "query": "...", "allow_restricted_indices": false }
A list of data streams, indices, and aliases to which the permissions
in this entry apply. Supports wildcards ( |
|
The index level privileges the owners of the role have on the associated
data streams and indices specified in the |
|
Specification for document fields the owners of the role have read access to. See Setting up field and document level security for details. |
|
A search query that defines the documents the owners of the role have read access to. A document within the associated data streams and indices must match this query in order for it to be accessible by the owners of the role. |
|
Restricted indices are a special category of indices that are used
internally to store configuration data and should not be directly accessed.
Only internal system roles should normally grant privileges over the restricted indices.
Toggling this flag is very strongly discouraged because it could effectively grant unrestricted
operations on critical data, making the entire system unstable or leaking sensitive information.
If however, for administrative purposes, you need to create a role with privileges covering
restricted indices, you must set this field to |
The names
parameter accepts wildcard and regular expressions that may refer to
multiple data streams, indices, and aliases.
-
Wildcard (default) - simple wildcard matching where
*
is a placeholder for zero or more characters,?
is a placeholder for a single character and\
may be used as an escape character. -
Regular Expressions - A more powerful syntax for matching more complex
patterns. This regular expression is based on Lucene’s regexp automaton
syntax. To enable this syntax, it must be wrapped within a pair of
forward slashes (
/
). Any pattern starting with/
and not ending with/
is considered to be malformed.
Example Regular Expressions.
"foo-bar": # match the literal `foo-bar` "foo-*": # match anything beginning with "foo-" "logstash-201?-*": # ? matches any one character "/.*-201[0-9]-.*/": # use a regex to match anything containing 2010-2019 "/foo": # syntax error - missing final /
Global privileges
editThe following describes the structure of the global privileges entry:
{ "application": { "manage": { "applications": [ ... ] } }, "profile": { "write": { "applications": [ ... ] } } }
The privilege for the ability to manage application privileges |
|
The list of application names that may be managed. This list supports
wildcards (e.g. |
|
The privilege for the ability to write the |
|
The list of names, wildcards and regular expressions to which the write privilege is restricted to |
Application privileges
editThe following describes the structure of an application privileges entry:
The name of the application. |
|
The list of the names of the application privileges to grant to this role. |
|
The resources to which those privileges apply. These are handled in the same
way as index name pattern in |
For details about the validation rules for these fields, see the add application privileges API.
A role may refer to application privileges that do not exist - that is, they have not yet been defined through the add application privileges API (or they were defined, but have since been deleted). In this case, the privilege has no effect, and will not grant any actions in the has privileges API.
Remote indices privileges
editThis functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
For remote clusters configured with the API key based model, remote indices privileges can be used to specify desired indices privileges for matching remote clusters. The final effective index privileges will be an intersection of the remote indices privileges and the cross-cluster API key's indices privileges.
Remote indices are effective for remote clusters configured with the API key based model. They have no effect for remote clusters configured with the certificate based model.
The remote indices privileges entry has an extra mandatory clusters
field compared to
an indices privileges entry. Otherwise the two have identical structure.
The following describes the structure of a remote indices permissions entry:
{ "clusters": [ ... ], "names": [ ... ], "privileges": [ ... ], "field_security" : { ... }, "query": "...", "allow_restricted_indices": false }
A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. This field is required. |
|
A list of data streams, indices, and aliases to which the permissions
in this entry apply. Supports wildcards ( |
|
The index level privileges the owners of the role have on the associated
data streams and indices specified in the |
|
Specification for document fields the owners of the role have read access to. See Setting up field and document level security for details. |
|
A search query that defines the documents the owners of the role have read access to. A document within the associated data streams and indices must match this query in order for it to be accessible by the owners of the role. |
|
Restricted indices are a special category of indices that are used
internally to store configuration data and should not be directly accessed.
Only internal system roles should normally grant privileges over the restricted indices.
Toggling this flag is very strongly discouraged because it could effectively grant unrestricted
operations on critical data, making the entire system unstable or leaking sensitive information.
If however, for administrative purposes, you need to create a role with privileges covering
restricted indices, you must set this field to |
Example
editThe following snippet shows an example definition of a clicks_admin
role:
POST /_security/role/clicks_admin { "run_as": [ "clicks_watcher_1" ], "cluster": [ "monitor" ], "indices": [ { "names": [ "events-*" ], "privileges": [ "read" ], "field_security" : { "grant" : [ "category", "@timestamp", "message" ] }, "query": "{\"match\": {\"category\": \"click\"}}" } ] }
Based on the above definition, users owning the clicks_admin
role can:
-
Impersonate the
clicks_watcher_1
user and execute requests on its behalf. - Monitor the Elasticsearch cluster
-
Read data from all indices prefixed with
events-
-
Within these indices, only read the events of the
click
category -
Within these document, only read the
category
,@timestamp
andmessage
fields.
For a complete list of available cluster and indices privileges
There are two available mechanisms to define roles: using the Role Management APIs or in local files on the Elasticsearch nodes. You can also implement custom roles providers. If you need to integrate with another system to retrieve user roles, you can build a custom roles provider plugin. For more information, see Customizing roles and authorization.
Role management UI
editYou can manage users and roles easily in Kibana. To manage roles, log in to Kibana and go to Management / Security / Roles.
Role management API
editThe Role Management APIs enable you to add, update, remove and retrieve roles
dynamically. When you use the APIs to manage roles in the native
realm, the
roles are stored in an internal Elasticsearch index. For more information and examples,
see Roles.
File-based role management
editApart from the Role Management APIs, roles can also be defined in local
roles.yml
file located in ES_PATH_CONF
. This is a YAML file where each
role definition is keyed by its name.
If the same role name is used in the roles.yml
file and through the
Role Management APIs, the role found in the file will be used.
While the Role Management APIs is the preferred mechanism to define roles,
using the roles.yml
file becomes useful if you want to define fixed roles that
no one (beside an administrator having physical access to the Elasticsearch nodes)
would be able to change. Please note however, that the roles.yml
file is provided as a
minimal administrative function and is not intended to cover and be used
to define roles for all use cases.
You cannot view, edit, or remove any roles that are defined in roles.yml
by
using the role management UI or the
role management APIs.
The roles.yml
file is managed locally by the node and is not globally by the
cluster. This means that with a typical multi-node cluster, the exact same
changes need to be applied on each and every node in the cluster.
A safer approach would be to apply the change on one of the nodes and have the
roles.yml
distributed/copied to all other nodes in the cluster (either
manually or using a configuration management system such as Puppet or Chef).
The following snippet shows an example of the roles.yml
file configuration:
click_admins: run_as: [ 'clicks_watcher_1' ] cluster: [ 'monitor' ] indices: - names: [ 'events-*' ] privileges: [ 'read' ] field_security: grant: ['category', '@timestamp', 'message' ] query: '{"match": {"category": "click"}}'
Elasticsearch continuously monitors the roles.yml
file and automatically picks
up and applies any changes to it.