Movatterモバイル変換

[0]ホーム
URL:

Loading
  1. Elastic Docs/
  2. Deploy and manage/
  3. Users and roles/
  4. Cluster or deployment/
  5. User roles/
  6. Defining roles

Role structure

A role is defined by the following JSON structure:

  1. A list of usernames the owners of this role canimpersonate.

  2. A list of cluster privileges. These privileges define the cluster level actions users with this role are able to execute.

    This field is optional (missingcluster privileges effectively mean no cluster level permissions).

  3. An object defining global privileges. A global privilege is a form of cluster privilege that is request sensitive. A standard cluster privilege makes authorization decisions based solely on the action being executed. A global privilege also considers the parameters included in the request. Support for global privileges is currently limited to the management of application privileges. This field is optional.

  4. A list of indices permissions entries.

    This field is optional (missingindices privileges effectively mean no index level permissions).

  5. A list of application privilege entries. This field is optional.

  6. A list of indices permissions entries forremote clusters configured with the API key based model.

    This field is optional (missingremote_indices privileges effectively mean no index level permissions for any API key based remote clusters).

  7. A list of cluster permissions entries forremote clusters configured with the API key based model.

    This field is optional (missingremote_cluster privileges effectively means no additional cluster permissions for any API key based remote clusters).

  8. Metadata field associated with the role, such asmetadata.app_tag. Metadata is internally indexed as aflattened field type. This means that all sub-fields act likekeyword fields when querying and sorting. Metadata values can be simple values, but also lists and maps. This field is optional.

  9. A string value with the description text of the role. The maximum length of it is1000 chars. The field is internally indexed as atext field type (with default values for all parameters). This field is optional.

Note

Role names must be at least 1 and no more than 507 characters. They can contain alphanumeric characters (a-z,A-Z,0-9), spaces, punctuation, and printable symbols in theBasic Latin (ASCII) block. Leading or trailing whitespace is not allowed.

The following describes the structure of an indices permissions entry:

{  "names": [ ... ],  "privileges": [ ... ],  "field_security" : { ... },  "query": "...",  "allow_restricted_indices": false}
  1. A list of data streams, indices, and aliases to which the permissions in this entry apply. Supports wildcards (*).
  2. The index level privileges the owners of the role have on the associated data streams and indices specified in thenames argument.
  3. Specification for document fields the owners of the role have read access to. SeeSetting up field and document level security for details.
  4. A search query that defines the documents the owners of the role have read access to. A document within the associated data streams and indices must match this query in order for it to be accessible by the owners of the role.
  5. Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices.Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If however, for administrative purposes, you need to create a role with privileges covering restricted indices, you must set this field totrue (default isfalse), and then thenames field will cover the restricted indices as well.
Using wildcards and regex

Thenames parameter accepts wildcard and regular expressions that may refer to multiple data streams, indices, and aliases.

  • Wildcard (default): Simple wildcard matching where* is a placeholder for zero or more characters,? is a placeholder for a single character and\ may be used as an escape character.
  • Regular Expressions: A more powerful syntax for matching more complex patterns. This regular expression is based on Lucene’s regexp automaton syntax. To enable this syntax, it must be wrapped within a pair of forward slashes (/). Any pattern starting with/ and not ending with/ is considered to be malformed.
"foo-bar":"foo-*":"logstash-201?-*":"/.*-201[0-9]-.*/":"/foo":
  1. Match the literalfoo-bar
  2. Match anything beginning with "foo-"
  3. ? matches any one character
  4. Use a regex to match anything containing 2010-2019
  5. syntax error - missing final/

The following describes the structure of the global privileges entry:

{  "application": {    "manage": {      "applications": [ ... ]    }  },  "profile": {    "write": {      "applications": [ ... ]    }  }}
  1. The privilege for the ability to manage application privileges
  2. The list of application names that may be managed. This list supports wildcards (e.g."myapp-*") and regular expressions (e.g."/app[0-9]*/")
  3. The privilege for the ability to write theaccess anddata of any user profile
  4. The list of names, wildcards and regular expressions to which the write privilege is restricted to

The following describes the structure of an application privileges entry:

{  "application": "my_app",  "privileges": [ ... ],  "resources": [ ... ]}
  1. The name of the application.
  2. The list of the names of the application privileges to grant to this role.
  3. The resources to which those privileges apply. These are handled in the same way as index name pattern inindices permissions. These resources do not have any special meaning to the Elasticsearch security features.

For details about the validation rules for these fields, see theadd application privileges API.

A role may refer to application privileges that do not exist - that is, they have not yet been defined through the add application privileges API (or they were defined, but have since been deleted). In this case, the privilege has no effect, and will not grant any actions in thehas privileges API.

Forremote clusters configured with the API key based model, remote indices privileges can be used to specify desired indices privileges for matching remote clusters. The final effective index privileges will be an intersection of the remote indices privileges and thecross-cluster API key's indices privileges.

Note

Remote indices are effective for remote clusters configured with the API key based model. They have no effect for remote clusters configured with the certificate based model.

The remote indices privileges entry has an extra mandatoryclusters field compared to anindices privileges entry. Otherwise the two have identical structure. The following describes the structure of a remote indices permissions entry:

{  "clusters": [ ... ],  "names": [ ... ],  "privileges": [ ... ],  "field_security" : { ... },  "query": "...",  "allow_restricted_indices": false}
  1. A list of remote cluster aliases. It supports literal strings as well aswildcards andregular expressions. This field is required.
  2. A list of data streams, indices, and aliases to which the permissions in this entry apply. Supports wildcards (*).
  3. The index level privileges the owners of the role have on the associated data streams and indices specified in thenames argument.
  4. Specification for document fields the owners of the role have read access to. SeeSetting up field and document level security for details.
  5. A search query that defines the documents the owners of the role have read access to. A document within the associated data streams and indices must match this query in order for it to be accessible by the owners of the role.
  6. Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices.Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If however, for administrative purposes, you need to create a role with privileges covering restricted indices, you must set this field totrue (default isfalse), and then thenames field will cover the restricted indices as well.

Forremote clusters configured with the API key based model, remote cluster privileges can be used to specify additional cluster privileges for matching remote clusters.

Note

Remote cluster privileges are only effective for remote clusters configured with the API key based model. They have no effect on remote clusters configured with the certificate based model.

The following describes the structure of a remote cluster permissions entry:

{  "clusters": [ ... ],  "privileges": [ ... ]}
  1. A list of remote cluster aliases. It supports literal strings as well aswildcards andregular expressions. This field is required.
  2. The cluster level privileges for the remote cluster. The allowed values here are a subset of thecluster privileges. Thebuiltin privileges API can be used to determine which privileges are allowed here. This field is required.

The following snippet shows an example definition of aclicks_admin role:

POST /_security/role/clicks_admin{  "run_as": [ "clicks_watcher_1" ],  "cluster": [ "monitor" ],  "indices": [    {      "names": [ "events-*" ],      "privileges": [ "read" ],      "field_security" : {        "grant" : [ "category", "@timestamp", "message" ]      },      "query": "{\"match\": {\"category\": \"click\"}}"    }  ]}

Based on the above definition, users owning theclicks_admin role can:

  • Impersonate theclicks_watcher_1 user and execute requests on its behalf.
  • Monitor the Elasticsearch cluster
  • Read data from all indices prefixed withevents-
  • Within these indices, only read the events of theclick category
  • Within these document, only read thecategory,@timestamp andmessage fields.
Tip

View a complete list of availablecluster and indices privileges.

[8]ページ先頭
©2009-2026 Movatter.jp