- Shield Reference for 2.x and 1.x:
Configuring Role-based Access Control
Shield introduces the concept of action authorization to Elasticsearch. Action authorization restricts the actions users can execute on the cluster. Shield implements authorization as Role-Based Access Control (RBAC), where all actions are restricted by default. Users are associated with roles that define the set of actions those users are allowed to perform.
Roles, Permissions and Privileges
Privileges are actions, or sets of actions, that users may execute in Elasticsearch. For example, the ability to run a query is a privilege.

A permission is a set of privileges associated with one or more secured objects. For example, a permission could allow querying or reading all documents of index i1. There are two types of secured objects in Elasticsearch: cluster and indices. Cluster permissions grant access to cluster-wide administrative and monitoring actions. Index permissions grant data access, including administrative and monitoring actions on specific indices in the cluster.

A role is a named set of permissions. For example, you could define a role as a logging administrator. The logging administrator is allowed to take all actions on indices named logs-*.
As an administrator, you will need to define the roles that you want to use, then assign users to the roles.
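The two roles described above (a logging administrator with all actions on logs-*, and a user who may only read index i1), written as an added roles.yml example that is not taken from the Shield documentation. The role names logging_admin and i1_reader are constructed, and the file layout assumed here is the one used by later Shield 2.x releases; confirm the exact layout and privilege names for your release in the Reference section.

```yaml
# config/shield/roles.yml (constructed example, not shipped with Shield)

# Logging administrator: a cluster permission granting read-only
# monitoring, plus an index permission granting every action on
# indices matching logs-*. No access is granted to any other index,
# because everything not listed here is denied by default.
logging_admin:
  cluster:
    - monitor
  indices:
    - names: 'logs-*'
      privileges:
        - all

# Reader for a single index: an index permission that allows querying
# and reading documents of i1 only. No cluster privileges at all, so
# this user cannot see cluster state or health.
i1_reader:
  indices:
    - names: 'i1'
      privileges:
        - read
```

Users are then assigned to these roles by name, for example with the esusers tool for the esusers realm (`bin/shield/esusers useradd jdoe -p <password> -r logging_admin`) or through role mapping for other realms. Keeping the logging administrator's index pattern narrow (logs-* rather than *) is what prevents that role from becoming a cluster-wide superuser.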