Role-based Access Control
Shield provides role-based access control (RBAC) for Elasticsearch. RBAC enables you to control what actions users can perform on an Elasticsearch cluster. By default, all actions are restricted. The roles assigned to a user specify the actions that the user can perform.
Roles and Privileges
A role is a named set of privileges. The privileges specified within a role control what Elasticsearch actions the role grants access to:
- Cluster privileges grant access to cluster-wide administrative and monitoring actions.
- Index privileges grant access to specific indices in the cluster, including data access and administrative and monitoring actions.
- Run As privilege enables an authenticated user to submit requests on behalf of another user. For more information, see Submitting Requests for Other Users.
For example, you could define a logging administrator role that allows logging admins to perform all actions on indices whose names match the pattern logs-*.
Defining roles and assigning roles to users requires the manage_security privilege.
See Privileges for the complete list of cluster and indices privileges you can assign in a role.
Users can be associated with any number of roles. For more information about assigning roles to users, see Setting Up Authentication.
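The following added example is a simplified model of the behaviour described above (default deny, grants taken from every role assigned to a user, index privileges scoped by name pattern); it is not Shield's own code or configuration format. The role names, the metrics-* pattern, the "read"/"all" privilege labels and the use of shell-style wildcard matching are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Role:
    cluster: frozenset = frozenset()  # cluster-wide privileges
    indices: tuple = ()               # (index name pattern, privileges) pairs

# Constructed roles. Only manage_security and logs-* appear on the page;
# the role names, metrics-* and the "read"/"all" labels are assumptions.
ROLES = {
    "logging_admin": Role(indices=(("logs-*", frozenset({"all"})),)),
    "security_admin": Role(cluster=frozenset({"manage_security"})),
    "metrics_reader": Role(indices=(("metrics-*", frozenset({"read"})),)),
}

def cluster_grants(user_roles, privilege):
    """Names of the user's roles that grant a cluster privilege."""
    return [name for name in user_roles
            if name in ROLES and privilege in ROLES[name].cluster]

def index_grants(user_roles, index, privilege):
    """Names of the user's roles that grant `privilege` on `index`."""
    granting = []
    for name in user_roles:
        role = ROLES.get(name)
        if role is None:
            continue  # unknown role names grant nothing
        for pattern, privs in role.indices:
            if fnmatchcase(index, pattern) and ("all" in privs or privilege in privs):
                granting.append(name)
                break
    return granting

def is_allowed(user_roles, index, privilege):
    # Default deny: allowed only if at least one assigned role grants it.
    return bool(index_grants(user_roles, index, privilege))

if __name__ == "__main__":
    roles = ["logging_admin", "metrics_reader"]
    for idx, priv in [("logs-2016.01", "write"), ("metrics-1", "read"),
                      ("metrics-1", "write"), ("logs", "read")]:
        print(idx, priv, is_allowed(roles, idx, priv), index_grants(roles, idx, priv))
```

Returning the names of the granting roles, rather than only a yes/no answer, makes it easy to see which role assignment is responsible for a given access when reviewing a user's permissions.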