Role-based Access Control
Shield provides role-based access control (RBAC) for Elasticsearch. RBAC enables you to control what actions users can perform on an Elasticsearch cluster. By default, all actions are restricted. The roles assigned to a user specify the actions that the user can perform.
Roles and Privileges
A role is a named set of privileges. The privileges specified within a role control what Elasticsearch actions the role grants access to:
- Cluster privileges grant access to cluster-wide administrative and monitoring actions.
- Index privileges grant access to specific indices in the cluster, including data access and administrative and monitoring actions.
- Run As privilege enables an authenticated user to submit requests on behalf of another user. For more information, see Submitting Requests for Other Users.
For example, you could define a logging administrator role that allows logging admins to perform all actions on indices whose names match the pattern logs-*.
Defining roles and assigning roles to users requires the manage_security privilege.
See Privileges for the complete list of cluster and indices privileges you can assign in a role.
Users can be associated with any number of roles. For more information about assigning roles to users, see Setting Up Authentication.
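The following added example (not Shield's own code) is a simplified Python model of the evaluation rules described above: default deny, the three privilege kinds, index name patterns, and a user's access being the union of all assigned roles. The role names, the dictionary layout and the treatment of privileges as plain labels are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed role definitions (hypothetical names). Each role carries the
# three privilege kinds from the text: cluster, indices and run_as.
ROLES = {
    "logging_admin": {
        "cluster": [],
        "indices": [{"names": ["logs-*"], "privileges": ["all"]}],
        "run_as": [],
    },
    "security_admin": {
        "cluster": ["manage_security"],
        "indices": [],
        "run_as": [],
    },
    "report_proxy": {
        "cluster": [],
        "indices": [],
        "run_as": ["report_user"],  # constructed username
    },
}

def _grants(granted, wanted):
    # Simplification: "all" covers every privilege; otherwise exact match.
    return "all" in granted or wanted in granted

def can_cluster(user_roles, privilege):
    """True if any assigned role grants the cluster privilege."""
    return any(_grants(ROLES.get(r, {}).get("cluster", []), privilege)
               for r in user_roles)

def can_index(user_roles, index, privilege):
    """True if any assigned role grants the privilege on a matching index."""
    for r in user_roles:
        for entry in ROLES.get(r, {}).get("indices", []):
            if (any(fnmatchcase(index, p) for p in entry["names"])
                    and _grants(entry["privileges"], privilege)):
                return True
    return False  # nothing matched: the action stays restricted

def can_run_as(user_roles, target_user):
    """True if any assigned role lists target_user under run_as."""
    return any(target_user in ROLES.get(r, {}).get("run_as", [])
               for r in user_roles)
```

A user with no roles, or with roles that do not match the requested index or privilege, is denied in every function, which mirrors the default-restricted behavior.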