Defining Roles
Roles are defined in the role definition file roles.yml located in ES_HOME/config/shield. This is a YAML file where each entry defines the unique role name and the cluster and indices permissions associated with it.
The roles.yml file is managed locally by the node and is not managed globally by the cluster. This means that with a typical multi-node cluster, the exact same changes need to be applied on each and every node in the cluster. A safer approach would be to apply the change on one of the nodes and have the roles.yml distributed/copied to all other nodes in the cluster (either manually or using a configuration management system such as Puppet or Chef).
The following snippet shows an example configuration:
# All cluster rights
# All operations on all indices
admin:
  cluster: all
  indices:
    '*': all

# Monitoring cluster privileges
# All operations on all indices
power_user:
  cluster: monitor
  indices:
    '*': all

# Only read operations on indices
user:
  indices:
    '*': read

# Only read operations on indices named events_*
events_user:
  indices:
    'events_*': read
The above example defines these roles:

| Role | Description |
| admin | Has full access (all privileges) on the cluster and full access on all indices in the cluster. |
| power_user | Has monitoring-only access on the cluster, enabling the user to request cluster metrics, information, and settings, without the ability to update settings. This user also has full access on all indices in the cluster. |
| user | Cannot update or monitor the cluster. Has read-only access to all indices in the cluster. |
| events_user | Has read-only access to all indices with the |
See the complete list of available cluster and indices privileges.
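Because roles.yml is local to each node, a copy that drifts on one node silently changes who can do what there. The following added example (not part of the Shield documentation or code base) parses the two-level roles.yml shape shown above with a minimal hand-written reader, so it needs no PyYAML, and reports drift between two nodes' copies; the two file contents are constructed samples, and the node-2 copy is deliberately altered to show what a report looks like.

```python
# Constructed sample: the page's roles.yml as deployed on node 1 (power_user omitted for brevity).
NODE1_ROLES_YML = """\
admin:
  cluster: all
  indices:
    '*': all
user:
  indices:
    '*': read
events_user:
  indices:
    'events_*': read
"""
# Constructed drifted copy on node 2: the 'user' role is missing and events_user was widened.
NODE2_ROLES_YML = NODE1_ROLES_YML.replace(
    "user:\n  indices:\n    '*': read\n", "").replace("'events_*': read", "'events_*': all")

def parse_roles(text):
    # Minimal reader for the role -> cluster / indices -> pattern: privilege shape; not full YAML.
    roles, role, in_indices = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip().strip("'\""), value.strip()
        if indent == 0:                               # new role entry
            role, in_indices = key, False
            roles[role] = {"cluster": None, "indices": {}}
        elif indent == 2 and key == "cluster":
            roles[role]["cluster"] = value
        elif indent == 2 and key == "indices":
            in_indices = True
        elif indent == 4 and in_indices:              # index pattern -> privilege
            roles[role]["indices"][key] = value
        else:
            raise ValueError(f"unexpected roles.yml line: {raw!r}")
    return roles

def diff_roles(a, b):
    # Drift report: roles.yml is per-node, so every node's copy must define the same roles.
    out = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            out.append(f"{name}: present on only one node")
        elif a[name] != b[name]:
            out.append(f"{name}: definition differs")
    return out
```

Run the check from a configuration management hook after each roles.yml push; a non-empty report means a node is granting different privileges than the rest of the cluster.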