Granting Privileges for Index Aliases
editGranting Privileges for Index Aliases
editYou grant access to index aliases the same way you grant access to particular indexes. To perform an action against an index alias, the user must have privileges for that alias. Access to aliased indices does not automatically confer access to the alias.
Aliases can have a filter that specifies a subset of the documents in the physical index. These filters are not always applied and should not be used in place of document level security.
For example, if you have index called 2016
and an alias that points to it
called current_year
, to give a user permission to use the alias you could
assign the following role:
{ "current_year_read": { "cluster":[], "indices":[{ "names":["current_year"], "privileges":["read"]}], "run_as":[] } }
Granting read access to the 2016
index does not enable a user to use the
current_year
alias.
Managing Aliases
editPerforming CRUD operations on an index alias requires the manage
privilege on both
the targeted indices and the alias. Adding an alias when creating an index also
requires the create_index
privilege.
For example, the following role would enable a user to create an alias called
current_year
for the index named 2016
through the
dedicated aliases API:
{ "admin": { "cluster":[], "indices":[{ "names":["2016", "current_year"], "privileges":["manage"]}], "run_as":[] } }