OpenSearch/qa/reindex-tests-with-security/roles.yml

admin:
  cluster:
    - all
  indices:
    - names: '*'
      privileges: [ all ]
  run_as:
    - '*'

# Search and write on both source and destination indices. It should work if you could just search on the source and
# write to the destination but that isn't how security works.
minimal:
  cluster:
    - cluster:monitor/main
  indices:
    - names: source
      privileges:
        - read
        - write
        - create_index
        - indices:admin/refresh
    - names: dest
      privileges:
        - read
        - write
        - create_index
        - indices:admin/refresh

# Read only operations on indices
readonly:
  cluster:
    - cluster:monitor/main
  indices:
    - names: '*'
      privileges: [ read ]

# Write operations on destination index, none on source index
dest_only:
  cluster:
    - cluster:monitor/main
  indices:
    - names: dest
      privileges: [ write ]

# Search and write on both source and destination indices with document level security filtering out some docs.
can_not_see_hidden_docs:
  cluster:
    - cluster:monitor/main
  indices:
    - names: source
      privileges:
        - read
        - write
        - create_index
        - indices:admin/refresh
      query:
        bool:
          must_not:
            match:
              hidden: true
    - names: dest
      privileges:
        - read
        - write
        - create_index
        - indices:admin/refresh

# Search and write on both source and destination indices with field level security.
can_not_see_hidden_fields:
  cluster:
    - cluster:monitor/main
  indices:
    - names: source
      privileges:
        - read
        - write
        - create_index
        - indices:admin/refresh
      field_security:
        grant:
          - foo
          - bar
    - names: dest
      privileges:
        - read
        - write
        - create_index
        - indices:admin/refresh
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`admin:`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`cluster:`
			`- all`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`indices:`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- names: '*'`
			`privileges: [ all ]`
			`run_as:`
			`- '*'`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00
			`# Search and write on both source and destination indices. It should work if you could just search on the source and`
security: remove use of shield in files and directory names This commit removes as much of the use of shield as possible in the source code. See elastic/elasticsearch#2383 Original commit: elastic/x-pack-elasticsearch@00009cc06edfe81c1c7716233552ea8a9eea305b 2016-06-17 11:53:55 -04:00			`# write to the destination but that isn't how security works.`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`minimal:`
Test reindex-from-remote with security Original commit: elastic/x-pack-elasticsearch@7e3530a95808b67912b15134729fe2d3d9c97d39 2016-07-06 15:48:20 -04:00			`cluster:`
			`- cluster:monitor/main`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`indices:`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- names: source`
			`privileges:`
shield: add support for new privilege naming This commit adds support for the privilege naming defined in elastic/elasticsearch#1342 and removes the support for the privileges that were deprecated in 2.3. This change also includes updates to the documentation to account for the new roles format. Original commit: elastic/x-pack-elasticsearch@98e9afd40990e3f6fa9796e627417c82e8d162b3 2016-03-08 14:20:54 -05:00			`- read`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- write`
			`- create_index`
			`- indices:admin/refresh`
			`- names: dest`
			`privileges:`
shield: add support for new privilege naming This commit adds support for the privilege naming defined in elastic/elasticsearch#1342 and removes the support for the privileges that were deprecated in 2.3. This change also includes updates to the documentation to account for the new roles format. Original commit: elastic/x-pack-elasticsearch@98e9afd40990e3f6fa9796e627417c82e8d162b3 2016-03-08 14:20:54 -05:00			`- read`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- write`
			`- create_index`
			`- indices:admin/refresh`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00
			`# Read only operations on indices`
			`readonly:`
Test reindex-from-remote with security Original commit: elastic/x-pack-elasticsearch@7e3530a95808b67912b15134729fe2d3d9c97d39 2016-07-06 15:48:20 -04:00			`cluster:`
			`- cluster:monitor/main`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`indices:`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- names: '*'`
shield: add support for new privilege naming This commit adds support for the privilege naming defined in elastic/elasticsearch#1342 and removes the support for the privileges that were deprecated in 2.3. This change also includes updates to the documentation to account for the new roles format. Original commit: elastic/x-pack-elasticsearch@98e9afd40990e3f6fa9796e627417c82e8d162b3 2016-03-08 14:20:54 -05:00			`privileges: [ read ]`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00
			`# Write operations on destination index, none on source index`
			`dest_only:`
Test reindex-from-remote with security Original commit: elastic/x-pack-elasticsearch@7e3530a95808b67912b15134729fe2d3d9c97d39 2016-07-06 15:48:20 -04:00			`cluster:`
			`- cluster:monitor/main`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`indices:`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- names: dest`
			`privileges: [ write ]`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00
			`# Search and write on both source and destination indices with document level security filtering out some docs.`
			`can_not_see_hidden_docs:`
Test reindex-from-remote with security Original commit: elastic/x-pack-elasticsearch@7e3530a95808b67912b15134729fe2d3d9c97d39 2016-07-06 15:48:20 -04:00			`cluster:`
			`- cluster:monitor/main`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`indices:`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- names: source`
			`privileges:`
shield: add support for new privilege naming This commit adds support for the privilege naming defined in elastic/elasticsearch#1342 and removes the support for the privileges that were deprecated in 2.3. This change also includes updates to the documentation to account for the new roles format. Original commit: elastic/x-pack-elasticsearch@98e9afd40990e3f6fa9796e627417c82e8d162b3 2016-03-08 14:20:54 -05:00			`- read`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- write`
			`- create_index`
			`- indices:admin/refresh`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`query:`
			`bool:`
			`must_not:`
			`match:`
			`hidden: true`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- names: dest`
			`privileges:`
shield: add support for new privilege naming This commit adds support for the privilege naming defined in elastic/elasticsearch#1342 and removes the support for the privileges that were deprecated in 2.3. This change also includes updates to the documentation to account for the new roles format. Original commit: elastic/x-pack-elasticsearch@98e9afd40990e3f6fa9796e627417c82e8d162b3 2016-03-08 14:20:54 -05:00			`- read`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- write`
			`- create_index`
			`- indices:admin/refresh`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00
			`# Search and write on both source and destination indices with field level security.`
			`can_not_see_hidden_fields:`
Test reindex-from-remote with security Original commit: elastic/x-pack-elasticsearch@7e3530a95808b67912b15134729fe2d3d9c97d39 2016-07-06 15:48:20 -04:00			`cluster:`
			`- cluster:monitor/main`
Add reindex tests to shield Original commit: elastic/x-pack-elasticsearch@fe00f317b3c366fe43a44417dab88ea070ff6dc0 2016-03-08 17:15:40 -05:00			`indices:`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- names: source`
			`privileges:`
shield: add support for new privilege naming This commit adds support for the privilege naming defined in elastic/elasticsearch#1342 and removes the support for the privileges that were deprecated in 2.3. This change also includes updates to the documentation to account for the new roles format. Original commit: elastic/x-pack-elasticsearch@98e9afd40990e3f6fa9796e627417c82e8d162b3 2016-03-08 14:20:54 -05:00			`- read`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- write`
			`- create_index`
			`- indices:admin/refresh`
Add option to deny access to fields (elastic/elasticsearch#2879) To deny access to a fields users can name exceptions to field permissions with the following syntax: "fields": { "grant": [list of field names patterns], "except": [list of patterns that are forbidden] } See doc for the rules for this. This commit also reverts elastic/elasticsearch#2720 closes elastic/elasticsearch#2681 Original commit: elastic/x-pack-elasticsearch@d6537028ec0cf214e5c5fbf3cc144b8eb5444161 2016-09-13 10:38:58 -04:00			`field_security:`
			`grant:`
			`- foo`
			`- bar`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- names: dest`
			`privileges:`
shield: add support for new privilege naming This commit adds support for the privilege naming defined in elastic/elasticsearch#1342 and removes the support for the privileges that were deprecated in 2.3. This change also includes updates to the documentation to account for the new roles format. Original commit: elastic/x-pack-elasticsearch@98e9afd40990e3f6fa9796e627417c82e8d162b3 2016-03-08 14:20:54 -05:00			`- read`
security: file parsing only supports the new format This commit remove the pre-existing file parsing code and replaces it with the updated code in the RoleDescriptor class. This unifies the parsing for the files and API for roles. Closes elastic/elasticsearch#1596 Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1edb72913c30d05c6fc6031309d62bf 2016-03-15 13:10:40 -04:00			`- write`
			`- create_index`
			`- indices:admin/refresh`