Granting privileges for data streams and aliases
Elasticsearch security features allow you to secure operations executed against data streams and aliases.
Data stream privileges
Use index privileges to control access to a data stream. Granting privileges on a data stream grants the same privileges on its backing indices.
For example, my-data-stream consists of two backing indices: .ds-my-data-stream-2099.03.07-000001 and .ds-my-data-stream-2099.03.08-000002.
A user is granted the read privilege to my-data-stream.
{ "names" : [ "my-data-stream" ], "privileges" : [ "read" ] }
Because the user is automatically granted the same privileges to the stream’s backing indices, the user can retrieve a document directly from .ds-my-data-stream-2099.03.08-000002:

resp = client.get(
    index=".ds-my-data-stream-2099.03.08-000002",
    id="2",
)
print(resp)

response = client.get(
  index: '.ds-my-data-stream-2099.03.08-000002',
  id: 2
)
puts response

const response = await client.get({
  index: ".ds-my-data-stream-2099.03.08-000002",
  id: 2,
});
console.log(response);

GET .ds-my-data-stream-2099.03.08-000002/_doc/2
Later my-data-stream rolls over. This creates a new backing index: .ds-my-data-stream-2099.03.09-000003. Because the user still has the read privilege for my-data-stream, the user can retrieve documents directly from .ds-my-data-stream-2099.03.09-000003:

resp = client.get(
    index=".ds-my-data-stream-2099.03.09-000003",
    id="2",
)
print(resp)

response = client.get(
  index: '.ds-my-data-stream-2099.03.09-000003',
  id: 2
)
puts response

const response = await client.get({
  index: ".ds-my-data-stream-2099.03.09-000003",
  id: 2,
});
console.log(response);

GET .ds-my-data-stream-2099.03.09-000003/_doc/2
Alias privileges
Use index privileges to control access to an alias. Privileges on an index or data stream do not grant privileges on its aliases. For information about managing aliases, see Aliases.
Don’t use filtered aliases in place of document level security. Elasticsearch doesn’t always apply alias filters.
For example, the current_year alias points only to the 2015 index. A user is granted the read privilege for the 2015 index.
{ "names" : [ "2015" ], "privileges" : [ "read" ] }
When the user attempts to retrieve a document from the current_year alias, Elasticsearch rejects the request.

resp = client.get(
    index="current_year",
    id="1",
)
print(resp)

response = client.get(
  index: 'current_year',
  id: 1
)
puts response

const response = await client.get({
  index: "current_year",
  id: 1,
});
console.log(response);

GET current_year/_doc/1
To retrieve documents from current_year, the user must have the read index privilege for the alias.
{ "names" : [ "current_year" ], "privileges" : [ "read" ] }
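The two rules above (a data stream grant reaches its backing indices, an index grant does not reach its aliases) written as a small role-audit helper. This is an added example, not Elasticsearch code or its authorization implementation: the function names, the snapshot dictionaries and the glob matching through fnmatch are assumptions, and privilege names are compared literally.

```python
from fnmatch import fnmatchcase

# Constructed cluster snapshot, using the names from the examples above.
DATA_STREAMS = {"my-data-stream": [
    ".ds-my-data-stream-2099.03.07-000001",
    ".ds-my-data-stream-2099.03.08-000002",
]}
ALIASES = {"current_year": ["2015"]}


def owning_stream(name, data_streams):
    """Return the data stream that has `name` as a backing index, or None."""
    for stream, backing in data_streams.items():
        if name in backing:
            return stream
    return None


def is_authorized(entries, target, privilege, data_streams=DATA_STREAMS):
    """Simplified model: a grant applies if its pattern matches the requested
    name or the data stream owning it. Alias membership is never consulted,
    so a grant on an index gives nothing on an alias that points to it.
    """
    names = [target]
    stream = owning_stream(target, data_streams)
    if stream is not None:
        names.append(stream)
    return any(
        privilege in e["privileges"]
        and any(fnmatchcase(n, p) for n in names for p in e["names"])
        for e in entries
    )


def rollover(data_streams, stream, new_index):
    """Return a copy of the snapshot with one more backing index."""
    updated = {k: list(v) for k, v in data_streams.items()}
    updated[stream].append(new_index)
    return updated


def aliases_missing_grant(entries, privilege, aliases=ALIASES):
    """Aliases whose indices are all covered but the alias itself is not."""
    return sorted(
        a for a, indices in aliases.items()
        if all(is_authorized(entries, i, privilege) for i in indices)
        and not is_authorized(entries, a, privilege)
    )
```

Running aliases_missing_grant over a role's index entries lists the aliases on which its users would be rejected even though every index behind the alias is readable.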