Create or update roles API

edit

Adds and updates roles in the native realm.

Request

edit

POST /_security/role/<name>

PUT /_security/role/<name>

Prerequisites

edit
  • To use this API, you must have at least the manage_security cluster privilege.

Description

edit

The role management APIs are generally the preferred way to manage roles, rather than using file-based role management. The create or update roles API cannot update roles that are defined in roles files.

Path parameters

edit
name
(string) The name of the role.

Request body

edit

The following parameters can be specified in the body of a PUT or POST request and pertain to adding a role:

applications

(list) A list of application privilege entries.

application (required)
(string) The name of the application to which this entry applies
privileges
(list) A list of strings, where each element is the name of an application privilege or action.
resources
(list) A list resources to which the privileges are applied.
cluster
(list) A list of cluster privileges. These privileges define the cluster level actions that users with this role are able to execute.
description
(string) A description of the role. The maximum length is 1000 chars.
global
(object) An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges. This field is optional.
indices

(list) A list of indices permissions entries.

field_security
(object) The document fields that the owners of the role have read access to. For more information, see Setting up field and document level security.
names (required)
(list) A list of indices (or index name patterns) to which the permissions in this entry apply.
privileges(required)
(list) The index level privileges that the owners of the role have on the specified indices.
query
A search query that defines the documents the owners of the role have read access to. A document within the specified indices must match this query in order for it to be accessible by the owners of the role.
metadata
(object) Optional meta-data. Within the metadata object, keys that begin with _ are reserved for system usage.
run_as
(list) A list of users that the owners of this role can impersonate. For more information, see Submitting requests on behalf of other users.
remote_indices

(list) A list of remote indices permissions entries.

Remote indices are effective for remote clusters configured with the API key based model. They have no effect for remote clusters configured with the certificate based model.

clusters (required)
(list) A list of cluster aliases to which the permissions in this entry apply.
field_security
(object) The document fields that the owners of the role have read access to. For more information, see Setting up field and document level security.
names (required)
(list) A list of indices (or index name patterns) on the remote clusters (specified with clusters) to which the permissions in this entry apply.
privileges(required)
(list) The index level privileges that the owners of the role have on the specified indices.
query
A search query that defines the documents the owners of the role have read access to. A document within the specified indices must match this query in order for it to be accessible by the owners of the role.
remote_cluster

(list) A list of remote cluster permissions entries.

Remote cluster permissions are effective for remote clusters configured with the API key based model. They have no effect for remote clusters configured with the certificate based model.

clusters (required)
(list) A list of cluster aliases to which the permissions in this entry apply.
privileges(required)
(list) The cluster level privileges that the owners of the role have in the specified clusters. Note - only a subset of the cluster privileges are supported for remote clusters. The builtin privileges API can be used to determine which privileges are allowed per version.

For more information, see Defining roles.

Examples

edit

The following example adds a role called my_admin_role:

resp = client.security.put_role(
    name="my_admin_role",
    description="Grants full access to all management features within the cluster.",
    cluster=[
        "all"
    ],
    indices=[
        {
            "names": [
                "index1",
                "index2"
            ],
            "privileges": [
                "all"
            ],
            "field_security": {
                "grant": [
                    "title",
                    "body"
                ]
            },
            "query": "{\"match\": {\"title\": \"foo\"}}"
        }
    ],
    applications=[
        {
            "application": "myapp",
            "privileges": [
                "admin",
                "read"
            ],
            "resources": [
                "*"
            ]
        }
    ],
    run_as=[
        "other_user"
    ],
    metadata={
        "version": 1
    },
)
print(resp)
const response = await client.security.putRole({
  name: "my_admin_role",
  description:
    "Grants full access to all management features within the cluster.",
  cluster: ["all"],
  indices: [
    {
      names: ["index1", "index2"],
      privileges: ["all"],
      field_security: {
        grant: ["title", "body"],
      },
      query: '{"match": {"title": "foo"}}',
    },
  ],
  applications: [
    {
      application: "myapp",
      privileges: ["admin", "read"],
      resources: ["*"],
    },
  ],
  run_as: ["other_user"],
  metadata: {
    version: 1,
  },
});
console.log(response);
POST /_security/role/my_admin_role
{
  "description": "Grants full access to all management features within the cluster.",
  "cluster": ["all"],
  "indices": [
    {
      "names": [ "index1", "index2" ],
      "privileges": ["all"],
      "field_security" : { // optional
        "grant" : [ "title", "body" ]
      },
      "query": "{\"match\": {\"title\": \"foo\"}}" // optional
    }
  ],
  "applications": [
    {
      "application": "myapp",
      "privileges": [ "admin", "read" ],
      "resources": [ "*" ]
    }
  ],
  "run_as": [ "other_user" ], // optional
  "metadata" : { // optional
    "version" : 1
  }
}

A successful call returns a JSON structure that shows whether the role has been created or updated.

{
  "role": {
    "created": true 
  }
}

When an existing role is updated, created is set to false.

The following example configures a role that can run SQL in JDBC:

resp = client.security.put_role(
    name="cli_or_drivers_minimal",
    cluster=[
        "cluster:monitor/main"
    ],
    indices=[
        {
            "names": [
                "test"
            ],
            "privileges": [
                "read",
                "indices:admin/get"
            ]
        }
    ],
)
print(resp)
const response = await client.security.putRole({
  name: "cli_or_drivers_minimal",
  cluster: ["cluster:monitor/main"],
  indices: [
    {
      names: ["test"],
      privileges: ["read", "indices:admin/get"],
    },
  ],
});
console.log(response);
POST /_security/role/cli_or_drivers_minimal
{
  "cluster": ["cluster:monitor/main"],
  "indices": [
    {
      "names": ["test"],
      "privileges": ["read", "indices:admin/get"]
    }
  ]
}

The following example configures a role with remote indices and remote cluster privileges for a remote cluster:

resp = client.security.put_role(
    name="only_remote_access_role",
    remote_indices=[
        {
            "clusters": [
                "my_remote"
            ],
            "names": [
                "logs*"
            ],
            "privileges": [
                "read",
                "read_cross_cluster",
                "view_index_metadata"
            ]
        }
    ],
    remote_cluster=[
        {
            "clusters": [
                "my_remote"
            ],
            "privileges": [
                "monitor_stats"
            ]
        }
    ],
)
print(resp)
const response = await client.security.putRole({
  name: "only_remote_access_role",
  remote_indices: [
    {
      clusters: ["my_remote"],
      names: ["logs*"],
      privileges: ["read", "read_cross_cluster", "view_index_metadata"],
    },
  ],
  remote_cluster: [
    {
      clusters: ["my_remote"],
      privileges: ["monitor_stats"],
    },
  ],
});
console.log(response);
POST /_security/role/only_remote_access_role
{
  "remote_indices": [
    {
      "clusters": ["my_remote"], 
      "names": ["logs*"], 
      "privileges": ["read", "read_cross_cluster", "view_index_metadata"] 
    }
  ],
  "remote_cluster": [
    {
      "clusters": ["my_remote"], 
      "privileges": ["monitor_stats"]  
    }
  ]
}

The remote indices and remote cluster privileges apply to remote cluster with the alias my_remote.

Privileges are granted for indices matching pattern logs* on the remote cluster (my_remote).

The actual index privileges granted for logs* on my_remote.

The actual cluster privileges granted for my_remote. Note - only a subset of the cluster privileges are supported for remote clusters.