OpenSearch/x-pack/docs/en/rest-api/security/get-roles.asciidoc

[role="xpack"]
[[security-api-get-role]]
=== Get roles API
++++
<titleabbrev>Get roles</titleabbrev>
++++

Retrieves roles in the native realm.

==== Request

`GET /_security/role` +

`GET /_security/role/<name>` +

==== Description

For more information about the native realm, see 
{stack-ov}/realms.html[Realms] and <<configuring-native-realm>>. 

==== Path Parameters

`name`::
  (string) The name of the role. You can specify multiple roles as a 
  comma-separated list. If you do not specify this parameter, the API 
  returns information about all roles.

//==== Request Body

==== Authorization

To use this API, you must have at least the `manage_security` cluster
privilege.


==== Examples

The following example retrieves information about the `my_admin_role` role in 
the native realm:

[source,js]
--------------------------------------------------
GET /_security/role/my_admin_role
--------------------------------------------------
// CONSOLE
// TEST[setup:admin_role]

A successful call returns an array of roles with the JSON representation of the
role. If the role is not defined in the native realm, the request returns 404.

[source,js]
--------------------------------------------------
{
  "my_admin_role": {
    "cluster" : [ "all" ],
    "indices" : [
      {
        "names" : [ "index1", "index2" ],
        "privileges" : [ "all" ],
        "allow_restricted_indices" : false,
        "field_security" : {
          "grant" : [ "title", "body" ]}
      }
    ],
    "applications" : [ ],
    "run_as" : [ "other_user" ],
    "metadata" : {
      "version" : 1
    },
    "transient_metadata": {
      "enabled": true
    }
  }
}
--------------------------------------------------
// TESTRESPONSE

To retrieve all roles, omit the role name:

[source,js]
--------------------------------------------------
GET /_security/role
--------------------------------------------------
// CONSOLE
// TEST[continued]

NOTE: If single role is requested, that role is returned as the response. When 
requesting multiple roles, an object is returned holding the found roles, each 
keyed by the relevant role name.
[DOCS] Splits the roles API documentation into multiple pages (#32794) 2018-08-17 09:18:08 -07:00			`[role="xpack"]`
			`[[security-api-get-role]]`
			`=== Get roles API`
[DOCS] Synchs titles of X-Pack APIs 2018-12-20 10:23:28 -08:00			`++++`
			`<titleabbrev>Get roles</titleabbrev>`
			`++++`
[DOCS] Splits the roles API documentation into multiple pages (#32794) 2018-08-17 09:18:08 -07:00
			`Retrieves roles in the native realm.`

			`==== Request`

Deprecate /_xpack/security/* in favor of /_security/* (#36293) * This commit is part of our plan to deprecate and ultimately remove the use of _xpack in the REST APIs. - REST API docs - HLRC docs and doc tests - Handle REST actions with deprecation warnings - Changed endpoints in rest-api-spec and relevant file names 2018-12-11 11:13:10 +02:00			`GET /_security/role` +
[DOCS] Splits the roles API documentation into multiple pages (#32794) 2018-08-17 09:18:08 -07:00
Deprecate /_xpack/security/* in favor of /_security/* (#36293) * This commit is part of our plan to deprecate and ultimately remove the use of _xpack in the REST APIs. - REST API docs - HLRC docs and doc tests - Handle REST actions with deprecation warnings - Changed endpoints in rest-api-spec and relevant file names 2018-12-11 11:13:10 +02:00			`GET /_security/role/<name>` +
[DOCS] Splits the roles API documentation into multiple pages (#32794) 2018-08-17 09:18:08 -07:00
			`==== Description`

			`For more information about the native realm, see`
			`{stack-ov}/realms.html[Realms] and <<configuring-native-realm>>.`

			`==== Path Parameters`

			`name`::
			`(string) The name of the role. You can specify multiple roles as a`
			`comma-separated list. If you do not specify this parameter, the API`
			`returns information about all roles.`

			`//==== Request Body`

			`==== Authorization`

			To use this API, you must have at least the `manage_security` cluster
			`privilege.`


			`==== Examples`

			The following example retrieves information about the `my_admin_role` role in
			`the native realm:`

			`[source,js]`
			`--------------------------------------------------`
Deprecate /_xpack/security/* in favor of /_security/* (#36293) * This commit is part of our plan to deprecate and ultimately remove the use of _xpack in the REST APIs. - REST API docs - HLRC docs and doc tests - Handle REST actions with deprecation warnings - Changed endpoints in rest-api-spec and relevant file names 2018-12-11 11:13:10 +02:00			`GET /_security/role/my_admin_role`
[DOCS] Splits the roles API documentation into multiple pages (#32794) 2018-08-17 09:18:08 -07:00			`--------------------------------------------------`
			`// CONSOLE`
			`// TEST[setup:admin_role]`

			`A successful call returns an array of roles with the JSON representation of the`
			`role. If the role is not defined in the native realm, the request returns 404.`

			`[source,js]`
			`--------------------------------------------------`
			`{`
			`"my_admin_role": {`
			`"cluster" : [ "all" ],`
			`"indices" : [`
			`{`
			`"names" : [ "index1", "index2" ],`
			`"privileges" : [ "all" ],`
Permission for restricted indices (#37577) This grants the capability to grant privileges over certain restricted indices (.security and .security-6 at the moment). It also removes the special status of the superuser role. IndicesPermission.Group is extended by adding the `allow_restricted_indices` boolean flag. By default the flag is false. When it is toggled, you acknowledge that the indices under the scope of the permission group can cover the restricted indices as well. Otherwise, by default, restricted indices are ignored when granting privileges, thus rendering them hidden for authorization purposes. This effectively adds a confirmation "check-box" for roles that might grant privileges to restricted indices. The "special status" of the superuser role has been removed and coded as any other role: ``` new RoleDescriptor("superuser", new String[] { "all" }, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() .indices("") .privileges("all") .allowRestrictedIndices(true) // this ----^ .build() }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() .application("") .privileges("") .resources("") .build() }, null, new String[] { "*" }, MetadataUtils.DEFAULT_RESERVED_METADATA, Collections.emptyMap()); ``` In the context of the Backup .security work, this allows the creation of a "curator role" that would permit listing (get settings) for all indices (including the restricted ones). That way the curator role would be able to ist and snapshot all indices, but not read or restore any of them. Supersedes #36765 Relates #34454 2019-01-20 23:19:40 +02:00			`"allow_restricted_indices" : false,`
			`"field_security" : {`
[DOCS] Splits the roles API documentation into multiple pages (#32794) 2018-08-17 09:18:08 -07:00			`"grant" : [ "title", "body" ]}`
Permission for restricted indices (#37577) This grants the capability to grant privileges over certain restricted indices (.security and .security-6 at the moment). It also removes the special status of the superuser role. IndicesPermission.Group is extended by adding the `allow_restricted_indices` boolean flag. By default the flag is false. When it is toggled, you acknowledge that the indices under the scope of the permission group can cover the restricted indices as well. Otherwise, by default, restricted indices are ignored when granting privileges, thus rendering them hidden for authorization purposes. This effectively adds a confirmation "check-box" for roles that might grant privileges to restricted indices. The "special status" of the superuser role has been removed and coded as any other role: ``` new RoleDescriptor("superuser", new String[] { "all" }, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() .indices("") .privileges("all") .allowRestrictedIndices(true) // this ----^ .build() }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() .application("") .privileges("") .resources("") .build() }, null, new String[] { "*" }, MetadataUtils.DEFAULT_RESERVED_METADATA, Collections.emptyMap()); ``` In the context of the Backup .security work, this allows the creation of a "curator role" that would permit listing (get settings) for all indices (including the restricted ones). That way the curator role would be able to ist and snapshot all indices, but not read or restore any of them. Supersedes #36765 Relates #34454 2019-01-20 23:19:40 +02:00			`}`
[DOCS] Splits the roles API documentation into multiple pages (#32794) 2018-08-17 09:18:08 -07:00			`],`
			`"applications" : [ ],`
			`"run_as" : [ "other_user" ],`
			`"metadata" : {`
			`"version" : 1`
			`},`
			`"transient_metadata": {`
			`"enabled": true`
			`}`
Permission for restricted indices (#37577) This grants the capability to grant privileges over certain restricted indices (.security and .security-6 at the moment). It also removes the special status of the superuser role. IndicesPermission.Group is extended by adding the `allow_restricted_indices` boolean flag. By default the flag is false. When it is toggled, you acknowledge that the indices under the scope of the permission group can cover the restricted indices as well. Otherwise, by default, restricted indices are ignored when granting privileges, thus rendering them hidden for authorization purposes. This effectively adds a confirmation "check-box" for roles that might grant privileges to restricted indices. The "special status" of the superuser role has been removed and coded as any other role: ``` new RoleDescriptor("superuser", new String[] { "all" }, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder() .indices("") .privileges("all") .allowRestrictedIndices(true) // this ----^ .build() }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() .application("") .privileges("") .resources("") .build() }, null, new String[] { "*" }, MetadataUtils.DEFAULT_RESERVED_METADATA, Collections.emptyMap()); ``` In the context of the Backup .security work, this allows the creation of a "curator role" that would permit listing (get settings) for all indices (including the restricted ones). That way the curator role would be able to ist and snapshot all indices, but not read or restore any of them. Supersedes #36765 Relates #34454 2019-01-20 23:19:40 +02:00			`}`
[DOCS] Splits the roles API documentation into multiple pages (#32794) 2018-08-17 09:18:08 -07:00			`}`
			`--------------------------------------------------`
			`// TESTRESPONSE`

			`To retrieve all roles, omit the role name:`

			`[source,js]`
			`--------------------------------------------------`
Deprecate /_xpack/security/* in favor of /_security/* (#36293) * This commit is part of our plan to deprecate and ultimately remove the use of _xpack in the REST APIs. - REST API docs - HLRC docs and doc tests - Handle REST actions with deprecation warnings - Changed endpoints in rest-api-spec and relevant file names 2018-12-11 11:13:10 +02:00			`GET /_security/role`
[DOCS] Splits the roles API documentation into multiple pages (#32794) 2018-08-17 09:18:08 -07:00			`--------------------------------------------------`
			`// CONSOLE`
			`// TEST[continued]`

			`NOTE: If single role is requested, that role is returned as the response. When`
			`requesting multiple roles, an object is returned holding the found roles, each`
			`keyed by the relevant role name.`