OpenSearch/x-pack/docs/en/rest-api/security/get-roles.asciidoc

94 lines
2.2 KiB
Plaintext
Raw Normal View History

[role="xpack"]
[[security-api-get-role]]
=== Get roles API
2018-12-20 13:23:28 -05:00
++++
<titleabbrev>Get roles</titleabbrev>
++++
Retrieves roles in the native realm.
[[security-api-get-role-request]]
==== {api-request-title}
`GET /_security/role` +
`GET /_security/role/<name>` +
[[security-api-get-role-prereqs]]
==== {api-prereq-title}
* To use this API, you must have at least the `manage_security` cluster
privilege.
[[security-api-get-role-desc]]
==== {api-description-title}
For more information about the native realm, see
{stack-ov}/realms.html[Realms] and <<configuring-native-realm>>.
[[security-api-get-role-path-params]]
==== {api-path-parms-title}
`name`::
(Optional, string) The name of the role. You can specify multiple roles as a
comma-separated list. If you do not specify this parameter, the API
returns information about all roles.
[[security-api-get-role-response-body]]
==== {api-response-body-title}
A successful call returns an array of roles with the JSON representation of the
role.
[[security-api-get-role-response-codes]]
==== {api-response-codes-title}
If the role is not defined in the native realm, the request returns 404.
[[security-api-get-role-example]]
==== {api-examples-title}
The following example retrieves information about the `my_admin_role` role in
the native realm:
[source,console]
--------------------------------------------------
GET /_security/role/my_admin_role
--------------------------------------------------
// TEST[setup:admin_role]
[source,console-result]
--------------------------------------------------
{
"my_admin_role": {
"cluster" : [ "all" ],
"indices" : [
{
"names" : [ "index1", "index2" ],
"privileges" : [ "all" ],
Permission for restricted indices (#37577) This grants the capability to grant privileges over certain restricted indices (.security and .security-6 at the moment). It also removes the special status of the superuser role. IndicesPermission.Group is extended by adding the `allow_restricted_indices` boolean flag. By default the flag is false. When it is toggled, you acknowledge that the indices under the scope of the permission group can cover the restricted indices as well. Otherwise, by default, restricted indices are ignored when granting privileges, thus rendering them hidden for authorization purposes. This effectively adds a confirmation "check-box" for roles that might grant privileges to restricted indices. The "special status" of the superuser role has been removed and coded as any other role: ``` new RoleDescriptor("superuser", new String[] { "all" }, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() .indices("*") .privileges("all") .allowRestrictedIndices(true) // this ----^ .build() }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() .application("*") .privileges("*") .resources("*") .build() }, null, new String[] { "*" }, MetadataUtils.DEFAULT_RESERVED_METADATA, Collections.emptyMap()); ``` In the context of the Backup .security work, this allows the creation of a "curator role" that would permit listing (get settings) for all indices (including the restricted ones). That way the curator role would be able to ist and snapshot all indices, but not read or restore any of them. Supersedes #36765 Relates #34454
2019-01-20 16:19:40 -05:00
"allow_restricted_indices" : false,
"field_security" : {
"grant" : [ "title", "body" ]}
Permission for restricted indices (#37577) This grants the capability to grant privileges over certain restricted indices (.security and .security-6 at the moment). It also removes the special status of the superuser role. IndicesPermission.Group is extended by adding the `allow_restricted_indices` boolean flag. By default the flag is false. When it is toggled, you acknowledge that the indices under the scope of the permission group can cover the restricted indices as well. Otherwise, by default, restricted indices are ignored when granting privileges, thus rendering them hidden for authorization purposes. This effectively adds a confirmation "check-box" for roles that might grant privileges to restricted indices. The "special status" of the superuser role has been removed and coded as any other role: ``` new RoleDescriptor("superuser", new String[] { "all" }, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() .indices("*") .privileges("all") .allowRestrictedIndices(true) // this ----^ .build() }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() .application("*") .privileges("*") .resources("*") .build() }, null, new String[] { "*" }, MetadataUtils.DEFAULT_RESERVED_METADATA, Collections.emptyMap()); ``` In the context of the Backup .security work, this allows the creation of a "curator role" that would permit listing (get settings) for all indices (including the restricted ones). That way the curator role would be able to ist and snapshot all indices, but not read or restore any of them. Supersedes #36765 Relates #34454
2019-01-20 16:19:40 -05:00
}
],
"applications" : [ ],
"run_as" : [ "other_user" ],
"metadata" : {
"version" : 1
},
"transient_metadata": {
"enabled": true
}
Permission for restricted indices (#37577) This grants the capability to grant privileges over certain restricted indices (.security and .security-6 at the moment). It also removes the special status of the superuser role. IndicesPermission.Group is extended by adding the `allow_restricted_indices` boolean flag. By default the flag is false. When it is toggled, you acknowledge that the indices under the scope of the permission group can cover the restricted indices as well. Otherwise, by default, restricted indices are ignored when granting privileges, thus rendering them hidden for authorization purposes. This effectively adds a confirmation "check-box" for roles that might grant privileges to restricted indices. The "special status" of the superuser role has been removed and coded as any other role: ``` new RoleDescriptor("superuser", new String[] { "all" }, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() .indices("*") .privileges("all") .allowRestrictedIndices(true) // this ----^ .build() }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() .application("*") .privileges("*") .resources("*") .build() }, null, new String[] { "*" }, MetadataUtils.DEFAULT_RESERVED_METADATA, Collections.emptyMap()); ``` In the context of the Backup .security work, this allows the creation of a "curator role" that would permit listing (get settings) for all indices (including the restricted ones). That way the curator role would be able to ist and snapshot all indices, but not read or restore any of them. Supersedes #36765 Relates #34454
2019-01-20 16:19:40 -05:00
}
}
--------------------------------------------------
To retrieve all roles, omit the role name:
[source,console]
--------------------------------------------------
GET /_security/role
--------------------------------------------------
// TEST[continued]