2015-07-13 06:31:34 -04:00
|
|
|
[[securing-aliases]]
|
2015-07-15 13:02:11 -04:00
|
|
|
=== Granting Privileges for Indices & Aliases
|
2015-07-13 06:31:34 -04:00
|
|
|
|
|
|
|
Elasticsearch allows to execute operations against {ref}/indices-aliases.html[index aliases],
|
|
|
|
which are effectively virtual indices. An alias points to one or more indices, holds metadata and potentially a filter.
|
|
|
|
Shield treats aliases and indices the same. Privileges for indices actions are granted on specific indices or aliases.
|
|
|
|
In order for an indices action to be authorized by Shield, the user that executes it needs to have permissions for that
|
|
|
|
action on all the specific indices or aliases that the request relates to.
|
|
|
|
|
|
|
|
Let's look at an example. Assuming we have an index called `2015`, an alias that points to it called `current_year`,
|
|
|
|
and a user with the following role:
|
|
|
|
|
|
|
|
[source,yaml]
|
|
|
|
--------------------------------------------------
|
|
|
|
current_year_read:
|
|
|
|
indices:
|
|
|
|
'2015': read
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
The user attempts to retrieve a document from `current_year`:
|
|
|
|
|
|
|
|
[source,shell]
|
|
|
|
-------------------------------------------------------------------------------
|
|
|
|
curl -XGET 'localhost:9200/current_year/logs/1'
|
|
|
|
-------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
The above request gets rejected, although the user has read permissions on the concrete index that the `current_year`
|
|
|
|
alias points to. The correct permission would be as follows:
|
|
|
|
|
|
|
|
[source,yaml]
|
|
|
|
--------------------------------------------------
|
|
|
|
current_year_read:
|
|
|
|
indices:
|
|
|
|
'current_year': read
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
[float]
|
2015-07-15 13:02:11 -04:00
|
|
|
==== Managing aliases
|
2015-07-13 06:31:34 -04:00
|
|
|
|
|
|
|
Unlike creating indices, which requires `create_index` privilege, adding/removing/retrieving aliases requires
|
|
|
|
`manage_aliases` permission. Aliases can be added to an index directly as part of the index creation:
|
|
|
|
|
|
|
|
[source,shell]
|
|
|
|
-------------------------------------------------------------------------------
|
|
|
|
curl -XPUT localhost:9200/2015 -d '{
|
|
|
|
"aliases" : {
|
|
|
|
"current_year" : {}
|
|
|
|
}
|
|
|
|
}'
|
|
|
|
-------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
or via the dedicated aliases api if the index already exists:
|
|
|
|
|
|
|
|
[source,shell]
|
|
|
|
-------------------------------------------------------------------------------
|
|
|
|
curl -XPOST 'http://localhost:9200/_aliases' -d '
|
|
|
|
{
|
|
|
|
"actions" : [
|
|
|
|
{ "add" : { "index" : "2015", "alias" : "current_year" } }
|
|
|
|
]
|
|
|
|
}'
|
|
|
|
-------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
The above requests both require `manage_aliases` privilege on the alias name as well as the targeted index, as follows:
|
|
|
|
|
|
|
|
[source,yaml]
|
|
|
|
--------------------------------------------------
|
|
|
|
admin:
|
|
|
|
indices:
|
|
|
|
'20*,current_year': create_index,manage_aliases
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
Note also that the `manage` privilege includes both `create_index` and `manage_aliases` in addition to all of the other
|
|
|
|
management related privileges:
|
|
|
|
|
|
|
|
[source,yaml]
|
|
|
|
--------------------------------------------------
|
|
|
|
admin:
|
|
|
|
indices:
|
|
|
|
'20*,current_year': manage
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
The index aliases api allows also to delete aliases from existing indices, as follows. The privileges required for such
|
|
|
|
a request are the same as above. Both index and alias need the `manage_aliases` permission.
|
|
|
|
|
|
|
|
[source,shell]
|
|
|
|
-------------------------------------------------------------------------------
|
|
|
|
curl -XPOST 'http://localhost:9200/_aliases' -d '
|
|
|
|
{
|
|
|
|
"actions" : [
|
|
|
|
{ "delete" : { "index" : "2015", "alias" : "current_year" } }
|
|
|
|
]
|
|
|
|
}'
|
|
|
|
-------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
[float]
|
2015-07-15 13:02:11 -04:00
|
|
|
==== Filtered aliases
|
2015-07-13 06:31:34 -04:00
|
|
|
|
|
|
|
Aliases can hold a filter, which allows to select a subset of documents that can be accessed out of all the documents that
|
|
|
|
the physical index contains. Filtered aliases allow to mimic document level security, but have limitations. Please read
|
|
|
|
the <<limitations-filtered-aliases,limitations>> section to know more.
|