2018-08-17 12:18:08 -04:00
|
|
|
[role="xpack"]
|
|
|
|
|
[[security-api-get-role]]
|
|
|
|
|
=== Get roles API
|
2018-12-20 13:23:28 -05:00
|
|
|
++++
|
|
|
|
|
<titleabbrev>Get roles</titleabbrev>
|
|
|
|
|
++++
|
2018-08-17 12:18:08 -04:00
|
|
|
|
|
|
|
|
Retrieves roles in the native realm.
|
|
|
|
|
|
2019-08-02 13:56:05 -04:00
|
|
|
[[security-api-get-role-request]]
|
|
|
|
|
==== {api-request-title}
|
2018-08-17 12:18:08 -04:00
|
|
|
|
2018-12-11 04:13:10 -05:00
|
|
|
`GET /_security/role` +
|
2018-08-17 12:18:08 -04:00
|
|
|
|
2018-12-11 04:13:10 -05:00
|
|
|
`GET /_security/role/<name>` +
|
2018-08-17 12:18:08 -04:00
|
|
|
|
2019-08-02 13:56:05 -04:00
|
|
|
[[security-api-get-role-prereqs]]
|
|
|
|
|
==== {api-prereq-title}
|
|
|
|
|
|
|
|
|
|
* To use this API, you must have at least the `manage_security` cluster
|
|
|
|
|
privilege.
|
|
|
|
|
|
|
|
|
|
[[security-api-get-role-desc]]
|
|
|
|
|
==== {api-description-title}
|
2018-08-17 12:18:08 -04:00
|
|
|
|
2019-09-25 06:52:05 -04:00
|
|
|
The role management APIs are generally the preferred way to manage roles, rather than using
|
2019-10-07 18:23:19 -04:00
|
|
|
<<roles-management-file,file-based role management>>. The get roles
|
2019-09-25 06:52:05 -04:00
|
|
|
API cannot retrieve roles that are defined in roles files.
|
2018-08-17 12:18:08 -04:00
|
|
|
|
2019-08-02 13:56:05 -04:00
|
|
|
[[security-api-get-role-path-params]]
|
|
|
|
|
==== {api-path-parms-title}
|
2018-08-17 12:18:08 -04:00
|
|
|
|
|
|
|
|
`name`::
|
2019-08-02 13:56:05 -04:00
|
|
|
(Optional, string) The name of the role. You can specify multiple roles as a
|
2018-08-17 12:18:08 -04:00
|
|
|
comma-separated list. If you do not specify this parameter, the API
|
|
|
|
|
returns information about all roles.
|
2019-08-02 13:56:05 -04:00
|
|
|
|
|
|
|
|
[[security-api-get-role-response-body]]
|
|
|
|
|
==== {api-response-body-title}
|
2018-08-17 12:18:08 -04:00
|
|
|
|
2019-08-02 13:56:05 -04:00
|
|
|
A successful call returns an array of roles with the JSON representation of the
|
|
|
|
|
role.
|
2018-08-17 12:18:08 -04:00
|
|
|
|
2019-08-02 13:56:05 -04:00
|
|
|
[[security-api-get-role-response-codes]]
|
|
|
|
|
==== {api-response-codes-title}
|
2018-08-17 12:18:08 -04:00
|
|
|
|
2019-08-02 13:56:05 -04:00
|
|
|
If the role is not defined in the native realm, the request returns 404.
|
2018-08-17 12:18:08 -04:00
|
|
|
|
2019-08-02 13:56:05 -04:00
|
|
|
[[security-api-get-role-example]]
|
|
|
|
|
==== {api-examples-title}
|
2018-08-17 12:18:08 -04:00
|
|
|
|
|
|
|
|
The following example retrieves information about the `my_admin_role` role in
|
|
|
|
|
the native realm:
|
|
|
|
|
|
2019-09-05 14:12:39 -04:00
|
|
|
[source,console]
|
2018-08-17 12:18:08 -04:00
|
|
|
--------------------------------------------------
|
2018-12-11 04:13:10 -05:00
|
|
|
GET /_security/role/my_admin_role
|
2018-08-17 12:18:08 -04:00
|
|
|
--------------------------------------------------
|
|
|
|
|
// TEST[setup:admin_role]
|
|
|
|
|
|
2019-09-05 14:12:39 -04:00
|
|
|
[source,console-result]
|
2018-08-17 12:18:08 -04:00
|
|
|
--------------------------------------------------
|
|
|
|
|
{
|
|
|
|
|
"my_admin_role": {
|
|
|
|
|
"cluster" : [ "all" ],
|
|
|
|
|
"indices" : [
|
|
|
|
|
{
|
|
|
|
|
"names" : [ "index1", "index2" ],
|
|
|
|
|
"privileges" : [ "all" ],
|
Permission for restricted indices (#37577)
This grants the capability to grant privileges over certain restricted
indices (.security and .security-6 at the moment).
It also removes the special status of the superuser role.
IndicesPermission.Group is extended by adding the `allow_restricted_indices`
boolean flag. By default the flag is false. When it is toggled, you acknowledge
that the indices under the scope of the permission group can cover the
restricted indices as well. Otherwise, by default, restricted indices are ignored
when granting privileges, thus rendering them hidden for authorization purposes.
This effectively adds a confirmation "check-box" for roles that might grant
privileges to restricted indices.
The "special status" of the superuser role has been removed and coded as
any other role:
```
new RoleDescriptor("superuser",
new String[] { "all" },
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices("*")
.privileges("all")
.allowRestrictedIndices(true)
// this ----^
.build() },
new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("*")
.privileges("*")
.resources("*")
.build()
},
null, new String[] { "*" },
MetadataUtils.DEFAULT_RESERVED_METADATA,
Collections.emptyMap());
```
In the context of the Backup .security work, this allows the creation of a
"curator role" that would permit listing (get settings) for all indices
(including the restricted ones). That way the curator role would be able to
ist and snapshot all indices, but not read or restore any of them.
Supersedes #36765
Relates #34454
2019-01-20 16:19:40 -05:00
|
|
|
"allow_restricted_indices" : false,
|
|
|
|
|
"field_security" : {
|
2018-08-17 12:18:08 -04:00
|
|
|
"grant" : [ "title", "body" ]}
|
Permission for restricted indices (#37577)
This grants the capability to grant privileges over certain restricted
indices (.security and .security-6 at the moment).
It also removes the special status of the superuser role.
IndicesPermission.Group is extended by adding the `allow_restricted_indices`
boolean flag. By default the flag is false. When it is toggled, you acknowledge
that the indices under the scope of the permission group can cover the
restricted indices as well. Otherwise, by default, restricted indices are ignored
when granting privileges, thus rendering them hidden for authorization purposes.
This effectively adds a confirmation "check-box" for roles that might grant
privileges to restricted indices.
The "special status" of the superuser role has been removed and coded as
any other role:
```
new RoleDescriptor("superuser",
new String[] { "all" },
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices("*")
.privileges("all")
.allowRestrictedIndices(true)
// this ----^
.build() },
new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("*")
.privileges("*")
.resources("*")
.build()
},
null, new String[] { "*" },
MetadataUtils.DEFAULT_RESERVED_METADATA,
Collections.emptyMap());
```
In the context of the Backup .security work, this allows the creation of a
"curator role" that would permit listing (get settings) for all indices
(including the restricted ones). That way the curator role would be able to
ist and snapshot all indices, but not read or restore any of them.
Supersedes #36765
Relates #34454
2019-01-20 16:19:40 -05:00
|
|
|
}
|
2018-08-17 12:18:08 -04:00
|
|
|
],
|
|
|
|
|
"applications" : [ ],
|
|
|
|
|
"run_as" : [ "other_user" ],
|
|
|
|
|
"metadata" : {
|
|
|
|
|
"version" : 1
|
|
|
|
|
},
|
|
|
|
|
"transient_metadata": {
|
|
|
|
|
"enabled": true
|
|
|
|
|
}
|
Permission for restricted indices (#37577)
This grants the capability to grant privileges over certain restricted
indices (.security and .security-6 at the moment).
It also removes the special status of the superuser role.
IndicesPermission.Group is extended by adding the `allow_restricted_indices`
boolean flag. By default the flag is false. When it is toggled, you acknowledge
that the indices under the scope of the permission group can cover the
restricted indices as well. Otherwise, by default, restricted indices are ignored
when granting privileges, thus rendering them hidden for authorization purposes.
This effectively adds a confirmation "check-box" for roles that might grant
privileges to restricted indices.
The "special status" of the superuser role has been removed and coded as
any other role:
```
new RoleDescriptor("superuser",
new String[] { "all" },
new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices("*")
.privileges("all")
.allowRestrictedIndices(true)
// this ----^
.build() },
new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("*")
.privileges("*")
.resources("*")
.build()
},
null, new String[] { "*" },
MetadataUtils.DEFAULT_RESERVED_METADATA,
Collections.emptyMap());
```
In the context of the Backup .security work, this allows the creation of a
"curator role" that would permit listing (get settings) for all indices
(including the restricted ones). That way the curator role would be able to
ist and snapshot all indices, but not read or restore any of them.
Supersedes #36765
Relates #34454
2019-01-20 16:19:40 -05:00
|
|
|
}
|
2018-08-17 12:18:08 -04:00
|
|
|
}
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
|
|
To retrieve all roles, omit the role name:
|
|
|
|
|
|
2019-09-05 14:12:39 -04:00
|
|
|
[source,console]
|
2018-08-17 12:18:08 -04:00
|
|
|
--------------------------------------------------
|
2018-12-11 04:13:10 -05:00
|
|
|
GET /_security/role
|
2018-08-17 12:18:08 -04:00
|
|
|
--------------------------------------------------
|
|
|
|
|
// TEST[continued]
|
|
|
|
|
|
