Role-based Access Control

Shield provides role-based access control (RBAC) for Elasticsearch. RBAC enables you to control what actions users can perform on an Elasticsearch cluster. By default, all actions are restricted. The roles assigned to a user specify the actions that the user can perform.

Roles and Privileges

edit

A role is a named set of privileges. The privileges specified within a role control what Elasticsearch actions the role grants access to:

Cluster privileges grant access to cluster-wide administrative and monitoring actions.
Index privileges grant access to specific indices in the cluster, including data access and administrative and monitoring actions.
Run As privilege enables an authenticated user to submit requests on behalf of another user. For more information, see Submitting Requests for Other Users.

For example, you could define a logging administrator role that allows logging admins to perform all actions on indices whose names match the pattern logs-*.

Defining roles and assigning roles to users requires the manage_security privilege. See Privileges for the complete list of cluster and indices privileges you can assign in a role.

Users can be associated with any number of roles. For more information about assigning roles to users, see Setting Up Authentication.

« Migration tool for users and roles Managing Roles »