163 lines
7.7 KiB
Plaintext
163 lines
7.7 KiB
Plaintext
|
[role="xpack"]
|
||
|
[[built-in-roles]]
|
||
|
=== Built-in roles
|
||
|
|
||
|
The {stack-security-features} apply a default role to all users, including
|
||
|
<<anonymous-access, anonymous users>>. The default role enables users to access
|
||
|
the authenticate endpoint, change their own passwords, and get information about
|
||
|
themselves.
|
||
|
|
||
|
There is also a set of built-in roles you can explicitly assign to users. These
|
||
|
roles have a fixed set of privileges and cannot be updated.
|
||
|
|
||
|
[[built-in-roles-apm-system]] `apm_system` ::
|
||
|
Grants access necessary for the APM system user to send system-level data
|
||
|
(such as monitoring) to {es}.
|
||
|
|
||
|
[[built-in-roles-apm-user]] `apm_user` ::
|
||
|
Grants the privileges required for APM users (such as `read` and
|
||
|
`view_index_metadata` privileges on the `apm-*` and `.ml-anomalies*` indices).
|
||
|
|
||
|
[[built-in-roles-beats-admin]] `beats_admin` ::
|
||
|
Grants access to the `.management-beats` index, which contains configuration
|
||
|
information for the Beats.
|
||
|
|
||
|
[[built-in-roles-beats-system]] `beats_system` ::
|
||
|
Grants access necessary for the Beats system user to send system-level data
|
||
|
(such as monitoring) to {es}.
|
||
|
+
|
||
|
--
|
||
|
[NOTE]
|
||
|
===============================
|
||
|
* This role should not be assigned to users as the granted permissions may
|
||
|
change between releases.
|
||
|
* This role does not provide access to the beats indices and is not
|
||
|
suitable for writing beats output to {es}.
|
||
|
===============================
|
||
|
|
||
|
--
|
||
|
|
||
|
[[built-in-roles-data-frame-transforms-admin]] `data_frame_transforms_admin` ::
|
||
|
Grants `manage_data_frame_transforms` cluster privileges, which enable you to
|
||
|
manage {transforms}. This role also includes all
|
||
|
{kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}.
|
||
|
|
||
|
[[built-in-roles-data-frame-transforms-user]] `data_frame_transforms_user` ::
|
||
|
Grants `monitor_data_fram_transforms` cluster privileges, which enable you to
|
||
|
use {transforms}. This role also includes all
|
||
|
{kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}.
|
||
|
|
||
|
[[built-in-roles-ingest-user]] `ingest_admin` ::
|
||
|
Grants access to manage *all* index templates and *all* ingest pipeline configurations.
|
||
|
+
|
||
|
NOTE: This role does *not* provide the ability to create indices; those privileges
|
||
|
must be defined in a separate role.
|
||
|
|
||
|
[[built-in-roles-kibana-dashboard]] `kibana_dashboard_only_user` ::
|
||
|
Grants access to the {kib} Dashboard and read-only permissions to Kibana.
|
||
|
This role does not have access to editing tools in {kib}. For more
|
||
|
information, see
|
||
|
{kibana-ref}/xpack-dashboard-only-mode.html[{kib} Dashboard Only Mode].
|
||
|
|
||
|
[[built-in-roles-kibana-system]] `kibana_system` ::
|
||
|
Grants access necessary for the {kib} system user to read from and write to the
|
||
|
{kib} indices, manage index templates and tokens, and check the availability of
|
||
|
the {es} cluster. This role grants read access to the `.monitoring-*` indices
|
||
|
and read and write access to the `.reporting-*` indices. For more information,
|
||
|
see {kibana-ref}/using-kibana-with-security.html[Configuring Security in {kib}].
|
||
|
+
|
||
|
NOTE: This role should not be assigned to users as the granted permissions may
|
||
|
change between releases.
|
||
|
|
||
|
[[built-in-roles-kibana-user]] `kibana_user`::
|
||
|
Grants access to all features in {kib}. For more information on Kibana authorization,
|
||
|
see {kibana-ref}/xpack-security-authorization.html[Kibana Authorization].
|
||
|
|
||
|
[[built-in-roles-logstash-admin]] `logstash_admin` ::
|
||
|
Grants access to the `.logstash*` indices for managing configurations.
|
||
|
|
||
|
[[built-in-roles-logstash-system]] `logstash_system` ::
|
||
|
Grants access necessary for the Logstash system user to send system-level data
|
||
|
(such as monitoring) to {es}. For more information, see
|
||
|
{logstash-ref}/ls-security.html[Configuring Security in Logstash].
|
||
|
+
|
||
|
--
|
||
|
[NOTE]
|
||
|
===============================
|
||
|
* This role should not be assigned to users as the granted permissions may
|
||
|
change between releases.
|
||
|
* This role does not provide access to the logstash indices and is not
|
||
|
suitable for use within a Logstash pipeline.
|
||
|
===============================
|
||
|
--
|
||
|
|
||
|
[[built-in-roles-ml-admin]] `machine_learning_admin`::
|
||
|
Grants `manage_ml` cluster privileges, read access to `.ml-anomalies*`,
|
||
|
`.ml-notifications*`, `.ml-state*`, `.ml-meta*` indices and write access to
|
||
|
`.ml-annotations*` indices. This role also includes all
|
||
|
{kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}.
|
||
|
|
||
|
[[built-in-roles-ml-user]] `machine_learning_user`::
|
||
|
Grants the minimum privileges required to view {ml} configuration,
|
||
|
status, and work with results. This role grants `monitor_ml` cluster privileges,
|
||
|
read access to the `.ml-notifications` and `.ml-anomalies*` indices
|
||
|
(which store {ml} results), and write access to `.ml-annotations*` indices.
|
||
|
This role also includes all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}.
|
||
|
|
||
|
[[built-in-roles-monitoring-user]] `monitoring_user`::
|
||
|
Grants the minimum privileges required for any user of {monitoring} other than those
|
||
|
required to use {kib}. This role grants access to the monitoring indices and grants
|
||
|
privileges necessary for reading basic cluster information. This role also includes
|
||
|
all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {stack-monitor-features}.
|
||
|
Monitoring users should also be assigned the `kibana_user` role.
|
||
|
|
||
|
[[built-in-roles-remote-monitoring-agent]] `remote_monitoring_agent`::
|
||
|
Grants the minimum privileges required to write data into the monitoring indices
|
||
|
(`.monitoring-*`). This role also has the privileges necessary to create
|
||
|
{metricbeat} indices (`metricbeat-*`) and write data into them.
|
||
|
|
||
|
[[built-in-roles-remote-monitoring-collector]] `remote_monitoring_collector`::
|
||
|
Grants the minimum privileges required to collect monitoring data for the {stack}.
|
||
|
|
||
|
[[built-in-roles-reporting-user]] `reporting_user`::
|
||
|
Grants the specific privileges required for users of {reporting} other than those
|
||
|
required to use {kib}. This role grants access to the reporting indices; each
|
||
|
user has access to only their own reports. Reporting users should also be
|
||
|
assigned the `kibana_user` role and a role that grants them access to the data
|
||
|
that will be used to generate reports.
|
||
|
|
||
|
[[built-in-roles-snapshot-user]] `snapshot_user`::
|
||
|
Grants the necessary privileges to create snapshots of **all** the indices and
|
||
|
to view their metadata. This role enables users to view the configuration of
|
||
|
existing snapshot repositories and snapshot details. It does not grant authority
|
||
|
to remove or add repositories or to restore snapshots. It also does not enable
|
||
|
to change index settings or to read or update index data.
|
||
|
|
||
|
[[built-in-roles-superuser]] `superuser`::
|
||
|
Grants full access to the cluster, including all indices and data. A user with
|
||
|
the `superuser` role can also manage users and roles and
|
||
|
<<run-as-privilege, impersonate>> any other user in the system. Due to the
|
||
|
permissive nature of this role, take extra care when assigning it to a user.
|
||
|
|
||
|
[[built-in-roles-transport-client]] `transport_client`::
|
||
|
Grants the privileges required to access the cluster through the Java Transport
|
||
|
Client. The Java Transport Client fetches information about the nodes in the
|
||
|
cluster using the _Node Liveness API_ and the _Cluster State API_ (when
|
||
|
sniffing is enabled). Assign your users this role if they use the
|
||
|
Transport Client.
|
||
|
+
|
||
|
NOTE: Using the Transport Client effectively means the users are granted access
|
||
|
to the cluster state. This means users can view the metadata over all indices,
|
||
|
index templates, mappings, node and basically everything about the cluster.
|
||
|
However, this role does not grant permission to view the data in all indices.
|
||
|
|
||
|
[[built-in-roles-watcher-admin]] `watcher_admin`::
|
||
|
+
|
||
|
Grants read access to the `.watches` index, read access to the watch history and
|
||
|
the triggered watches index and allows to execute all watcher actions.
|
||
|
|
||
|
[[built-in-roles-watcher-user]] `watcher_user`::
|
||
|
+
|
||
|
Grants read access to the `.watches` index, the get watch action and the watcher
|
||
|
stats.
|