OpenSearch/x-pack/docs/en/security/authorization/managing-roles.asciidoc

247 lines
8.9 KiB
Plaintext
Raw Normal View History

2018-05-14 19:45:09 -04:00
[role="xpack"]
[[defining-roles]]
=== Defining roles
A role is defined by the following JSON structure:
[source,js]
-----
{
"run_as": [ ... ], <1>
"cluster": [ ... ], <2>
"global": { ... }, <3>
"indices": [ ... ], <4>
"applications": [ ... ] <5>
2018-05-14 19:45:09 -04:00
}
-----
2018-06-05 11:50:06 -04:00
// NOTCONSOLE
2018-05-14 19:45:09 -04:00
<1> A list of usernames the owners of this role can <<run-as-privilege, impersonate>>.
<2> A list of cluster privileges. These privileges define the
cluster level actions users with this role are able to execute. This field
is optional (missing `cluster` privileges effectively mean no cluster level
permissions).
<3> An object defining global privileges. A global privilege is a form of
cluster privilege that is request sensitive. A standard cluster privilege
makes authorization decisions based solely on the action being executed.
A global privilege also considers the parameters included in the request.
Support for global privileges is currently limited to the management of
application privileges. This field is optional.
<4> A list of indices permissions entries. This field is optional (missing `indices`
2018-05-14 19:45:09 -04:00
privileges effectively mean no index level permissions).
<5> A list of application privilege entries. This field is optional.
2018-05-14 19:45:09 -04:00
[[valid-role-name]]
NOTE: Role names must be at least 1 and no more than 1024 characters. They can
contain alphanumeric characters (`a-z`, `A-Z`, `0-9`), spaces,
punctuation, and printable symbols in the https://en.wikipedia.org/wiki/Basic_Latin_(Unicode_block)[Basic Latin (ASCII) block].
Leading or trailing whitespace is not allowed.
[[roles-indices-priv]]
==== Indices Privileges
2018-05-14 19:45:09 -04:00
The following describes the structure of an indices permissions entry:
[source,js]
-------
{
"names": [ ... ], <1>
"privileges": [ ... ], <2>
"field_security" : { ... }, <3>
"query": "..." <4>
}
-------
2018-06-05 11:50:06 -04:00
// NOTCONSOLE
2018-05-14 19:45:09 -04:00
<1> A list of indices (or index name patterns) to which the permissions in this
entry apply.
<2> The index level privileges the owners of the role have on the associated
indices (those indices that are specified in the `name` field)
<3> Specification for document fields the owners of the role have read access to.
See <<field-and-document-access-control>> for details.
<4> A search query that defines the documents the owners of the role have read
access to. A document within the associated indices must match this query
in order for it to be accessible by the owners of the role.
[TIP]
==============================================================================
When specifying index names, you can use indices and aliases with their full
names or regular expressions that refer to multiple indices.
* Wildcard (default) - simple wildcard matching where `*` is a placeholder
for zero or more characters, `?` is a placeholder for a single character
and `\` may be used as an escape character.
* Regular Expressions - A more powerful syntax for matching more complex
patterns. This regular expression is based on Lucene's regexp automaton
syntax. To enable this syntax, it must be wrapped within a pair of
forward slashes (`/`). Any pattern starting with `/` and not ending with
`/` is considered to be malformed.
.Example Regular Expressions
[source,yaml]
------------------------------------------------------------------------------
"foo-bar": # match the literal `foo-bar`
"foo-*": # match anything beginning with "foo-"
"logstash-201?-*": # ? matches any one character
"/.*-201[0-9]-.*/": # use a regex to match anything containing 2010-2019
"/foo": # syntax error - missing final /
------------------------------------------------------------------------------
==============================================================================
[[roles-global-priv]]
==== Global Privileges
The following describes the structure of a global privileges entry:
[source,js]
-------
{
"application": {
"manage": { <1>
"applications": [ ... ] <2>
}
}
}
-------
// NOTCONSOLE
<1> The only supported global privilege is the ability to manage application
privileges
<2> The list of application names that may be managed. This list supports
wildcards (e.g. `"myapp-*"`) and regular expressions (e.g.
`"/app[0-9]*/"`)
[[roles-application-priv]]
==== Application Privileges
The following describes the structure of an application privileges entry:
2018-05-14 19:45:09 -04:00
[source,js]
-------
{
"application": "my_app", <1>
"privileges": [ ... ], <2>
"resources": [ ... ] <3>
}
-------
// NOTCONSOLE
<1> The name of the application.
<2> The list of the names of the application privileges to grant to this role.
<3> The resources to which those privileges apply. These are handled in the same
way as index name pattern in `indices` permissions. These resources do not
have any special meaning to the {es} {security-features}.
For details about the validation rules for these fields, see the
{ref}/security-api-put-privileges.html[add application privileges API].
A role may refer to application privileges that do not exist - that is, they
have not yet been defined through the add application privileges API (or they
were defined, but have since been deleted). In this case, the privilege has
no effect, and will not grant any actions in the
{ref}/security-api-has-privileges.html[has privileges API].
==== Example
The following snippet shows an example definition of a `clicks_admin` role:
2018-05-14 19:45:09 -04:00
[source,js]
-----------
POST /_security/role/clicks_admin
2018-05-14 19:45:09 -04:00
{
2018-06-05 11:50:06 -04:00
"run_as": [ "clicks_watcher_1" ],
2018-05-14 19:45:09 -04:00
"cluster": [ "monitor" ],
"indices": [
{
"names": [ "events-*" ],
"privileges": [ "read" ],
"field_security" : {
"grant" : [ "category", "@timestamp", "message" ]
},
"query": "{\"match\": {\"category\": \"click\"}}"
}
]
}
-----------
2018-06-05 11:50:06 -04:00
// CONSOLE
2018-05-14 19:45:09 -04:00
Based on the above definition, users owning the `clicks_admin` role can:
* Impersonate the `clicks_watcher_1` user and execute requests on its behalf.
* Monitor the {es} cluster
* Read data from all indices prefixed with `events-`
* Within these indices, only read the events of the `click` category
* Within these document, only read the `category`, `@timestamp` and `message`
fields.
TIP: For a complete list of available <<security-privileges, cluster and indices privileges>>
There are two available mechanisms to define roles: using the _Role Management APIs_
or in local files on the {es} nodes. You can also implement
2018-05-14 19:45:09 -04:00
custom roles providers. If you need to integrate with another system to retrieve
user roles, you can build a custom roles provider plugin. For more information,
Allow custom authorization with an authorization engine (#38358) For some users, the built in authorization mechanism does not fit their needs and no feature that we offer would allow them to control the authorization process to meet their needs. In order to support this, a concept of an AuthorizationEngine is being introduced, which can be provided using the security extension mechanism. An AuthorizationEngine is responsible for making the authorization decisions about a request. The engine is responsible for knowing how to authorize and can be backed by whatever mechanism a user wants. The default mechanism is one backed by roles to provide the authorization decisions. The AuthorizationEngine will be called by the AuthorizationService, which handles more of the internal workings that apply in general to authorization within Elasticsearch. In order to support external authorization services that would back an authorization engine, the entire authorization process has become asynchronous, which also includes all calls to the AuthorizationEngine. The use of roles also leaked out of the AuthorizationService in our existing code that is not specifically related to roles so this also needed to be addressed. RequestInterceptor instances sometimes used a role to ensure a user was not attempting to escalate their privileges. Addressing this leakage of roles meant that the RequestInterceptor execution needed to move within the AuthorizationService and that AuthorizationEngines needed to support detection of whether a user has more privileges on a name than another. The second area where roles leaked to the user is in the handling of a few privilege APIs that could be used to retrieve the user's privileges or ask if a user has privileges to perform an action. To remove the leakage of roles from these actions, the AuthorizationService and AuthorizationEngine gained methods that enabled an AuthorizationEngine to return the response for these APIs. Ultimately this feature is the work included in: #37785 #37495 #37328 #36245 #38137 #38219 Closes #32435
2019-02-05 15:39:29 -05:00
see <<custom-roles-authorization, Customizing Roles and Authorization>>.
2018-05-14 19:45:09 -04:00
[float]
[[roles-management-ui]]
=== Role management UI
You can manage users and roles easily in {kib}. To
2018-05-14 19:45:09 -04:00
manage roles, log in to {kib} and go to *Management / Elasticsearch / Roles*.
[float]
[[roles-management-api]]
=== Role management API
The _Role Management APIs_ enable you to add, update, remove and retrieve roles
dynamically. When you use the APIs to manage roles in the `native` realm, the
roles are stored in an internal {es} index. For more information and examples,
see {ref}/security-api.html#security-role-apis[role management APIs].
2018-05-14 19:45:09 -04:00
[float]
[[roles-management-file]]
=== File-based role management
Apart from the _Role Management APIs_, roles can also be defined in local
`roles.yml` file located in `ES_PATH_CONF`. This is a YAML file where each
2018-05-14 19:45:09 -04:00
role definition is keyed by its name.
[IMPORTANT]
==============================
If the same role name is used in the `roles.yml` file and through the
_Role Management APIs_, the role found in the file will be used.
==============================
While the _Role Management APIs_ is the preferred mechanism to define roles,
using the `roles.yml` file becomes useful if you want to define fixed roles that
no one (beside an administrator having physical access to the {es} nodes)
would be able to change.
[IMPORTANT]
==============================
The `roles.yml` file is managed locally by the node and is not globally by the
cluster. This means that with a typical multi-node cluster, the exact same
changes need to be applied on each and every node in the cluster.
A safer approach would be to apply the change on one of the nodes and have the
`roles.yml` distributed/copied to all other nodes in the cluster (either
manually or using a configuration management system such as Puppet or Chef).
==============================
The following snippet shows an example of the `roles.yml` file configuration:
[source,yaml]
-----------------------------------
click_admins:
run_as: [ 'clicks_watcher_1' ]
cluster: [ 'monitor' ]
indices:
- names: [ 'events-*' ]
privileges: [ 'read' ]
field_security:
grant: ['category', '@timestamp', 'message' ]
query: '{"match": {"category": "click"}}'
-----------------------------------
{es} continuously monitors the `roles.yml` file and automatically picks
2018-05-14 19:45:09 -04:00
up and applies any changes to it.