Create or update application privileges API
editCreate or update application privileges API
editAdds or updates application privileges.
Prerequisites
editTo use this API, you must have either:
-
the
manage_securitycluster privilege (or a greater privilege such asall); or - the "Manage Application Privileges" global privilege for the application being referenced in the request
Description
editThis API creates or updates privileges. To remove privileges, use the delete application privilege API.
For more information, see Application privileges.
To check a user’s application privileges, use the has privileges API.
Request body
editThe body is a JSON object where the names of the fields are the application names and the value of each field is an object. The fields in this inner object are the names of the privileges and each value is a JSON object that includes the following fields:
-
actions - (array-of-string) A list of action names that are granted by this privilege. This field must exist and cannot be an empty array.
-
metadata -
(object) Optional meta-data. Within the
metadataobject, keys that begin with_are reserved for system usage.
Validation
edit- Application names
-
Application names are formed from a prefix, with an optional suffix that conform to the following rules:
- The prefix must begin with a lowercase ASCII letter
- The prefix must contain only ASCII letters or digits
- The prefix must be at least 3 characters long
-
If the suffix exists, it must begin with either
-or_ -
The suffix cannot contain any of the following characters:
\,/,*,?,",<,>,|,,,* - No part of the name can contain whitespace.
- Privilege names
-
Privilege names must begin with a lowercase ASCII letter and must contain
only ASCII letters and digits along with the characters
_,-and. - Action names
-
Action names can contain any number of printable ASCII characters and must
contain at least one of the following characters:
/*,:
Response body
editA successful call returns a JSON structure that shows whether the privilege has been created or updated.
Examples
editTo add a single privilege, submit a PUT or POST request to the
/_security/privilege/ endpoint. For example:
resp = client.security.put_privileges(
privileges={
"myapp": {
"read": {
"actions": [
"data:read/*",
"action:login"
],
"metadata": {
"description": "Read access to myapp"
}
}
}
},
)
print(resp)
const response = await client.security.putPrivileges({
privileges: {
myapp: {
read: {
actions: ["data:read/*", "action:login"],
metadata: {
description: "Read access to myapp",
},
},
},
},
});
console.log(response);
PUT /_security/privilege
{
"myapp": {
"read": {
"actions": [
"data:read/*" ,
"action:login" ],
"metadata": {
"description": "Read access to myapp"
}
}
}
}
|
These strings have significance within the "myapp" application. Elasticsearch does not assign any meaning to them. |
|
|
The use of a wildcard here ( |
|
|
The metadata object is optional. |
To add multiple privileges, submit a POST request to the
/_security/privilege/ endpoint. For example:
resp = client.security.put_privileges(
privileges={
"app01": {
"read": {
"actions": [
"action:login",
"data:read/*"
]
},
"write": {
"actions": [
"action:login",
"data:write/*"
]
}
},
"app02": {
"all": {
"actions": [
"*"
]
}
}
},
)
print(resp)
const response = await client.security.putPrivileges({
privileges: {
app01: {
read: {
actions: ["action:login", "data:read/*"],
},
write: {
actions: ["action:login", "data:write/*"],
},
},
app02: {
all: {
actions: ["*"],
},
},
},
});
console.log(response);
PUT /_security/privilege
{
"app01": {
"read": {
"actions": [ "action:login", "data:read/*" ]
},
"write": {
"actions": [ "action:login", "data:write/*" ]
}
},
"app02": {
"all": {
"actions": [ "*" ]
}
}
}
A successful call returns a JSON structure that shows whether the privileges have been created or updated.
{
"app02": {
"all": {
"created": true
}
},
"app01": {
"read": {
"created": true
},
"write": {
"created": true
}
}
}