[role="xpack"]
[[authorization]]
== Configuring role-based access control

{security} introduces the concept of _authorization_ to {es}.
Authorization is the process of determining whether the user behind an incoming
request is allowed to execute it. This process takes place once a request is
successfully authenticated and the user behind the request is identified.

[[roles]]
[float]
=== Roles, permissions, and privileges

The authorization process revolves around the following 5 constructs:

_Secured Resource_::
A resource to which access is restricted. Indices/aliases, documents, fields,
users and the {es} cluster itself are all examples of secured objects.

_Privilege_::
A named group representing one or more actions that a user may execute against a
secured resource. Each secured resource has its own set of available privileges.
For example, `read` is an index privilege that represents all actions that enable
reading the indexed/stored data. For a complete list of available privileges
see <<security-privileges>>.

_Permissions_::
A set of one or more privileges against a secured resource. Permissions can
easily be described in words; here are a few examples:
* `read` privilege on the `products` index
* `manage` privilege on the cluster
* `run_as` privilege on `john` user
* `read` privilege on documents that match query X
* `read` privilege on `credit_card` field

_Role_::
A named set of permissions.

_User_::
The authenticated user.

A secure {es} cluster manages the privileges of users through _roles_.
A role has a unique name and identifies a set of permissions that translate to
privileges on resources. A user can be associated with an arbitrary number of
roles. The total set of permissions that a user has is therefore defined by the
union of the permissions in all its roles.

As an administrator, you will need to define the roles that you want to use,
then assign users to the roles. Roles can be assigned to users in a number of
ways depending on the realms by which the users are authenticated.

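The following Python model is an added example, not code from the {es} project, and is included here to make the five constructs and the union rule concrete: privileges are named groups of actions, permissions bind a privilege to a secured resource, roles are named sets of permissions, and a request is authorized only if the union of the user's role permissions covers the requested action on the requested resource. The privilege tables, role names, user names and index names are all constructed for this example; they mirror the shape of {es} privileges but are not its real privilege or action catalogue.

```python
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

# Privilege: a named group of actions against one kind of secured resource.
# These tables are constructed for this example; they are not the real
# Elasticsearch privilege-to-action mapping.
INDEX_PRIVILEGES = {
    "read": {"indices:data/read/search", "indices:data/read/get"},
    "write": {"indices:data/write/index", "indices:data/write/delete"},
    "manage": {"indices:admin/create", "indices:admin/delete",
               "indices:admin/mapping/put"},
}
CLUSTER_PRIVILEGES = {
    "monitor": {"cluster:monitor/health", "cluster:monitor/stats"},
    "manage": {"cluster:monitor/health", "cluster:monitor/stats",
               "cluster:admin/settings/update"},
}


@dataclass(frozen=True)
class Permission:
    """One privilege granted against one secured resource."""
    resource_type: str          # "index" or "cluster"
    privilege: str              # key into the matching privilege table
    index_pattern: str = "*"    # only meaningful when resource_type == "index"


@dataclass(frozen=True)
class Role:
    """A named set of permissions."""
    name: str
    permissions: frozenset[Permission]


@dataclass(frozen=True)
class User:
    """The authenticated user and the roles assigned to it."""
    name: str
    roles: tuple[Role, ...]


def effective_permissions(user: User) -> frozenset[Permission]:
    """A user's permissions are the union of the permissions of all its roles."""
    return frozenset().union(*(role.permissions for role in user.roles))


def is_authorized(user: User, action: str, resource_type: str,
                  index: str | None = None) -> bool:
    """Authorize one request: is the action on the resource covered by any
    privilege the user holds? Anything not explicitly granted is denied."""
    table = INDEX_PRIVILEGES if resource_type == "index" else CLUSTER_PRIVILEGES
    for perm in effective_permissions(user):
        if perm.resource_type != resource_type:
            continue
        # Index permissions apply only to indices matching the granted pattern.
        if resource_type == "index" and not fnmatchcase(index or "", perm.index_pattern):
            continue
        if action in table.get(perm.privilege, set()):
            return True
    return False


# Constructed sample roles and users (hypothetical names).
PRODUCTS_READER = Role("products_reader", frozenset({
    Permission("index", "read", "products*"),
}))
CLUSTER_MONITOR = Role("cluster_monitor", frozenset({
    Permission("cluster", "monitor"),
}))

JOHN = User("john", (PRODUCTS_READER, CLUSTER_MONITOR))
NO_ROLES = User("guest", ())


def demo() -> dict[str, bool]:
    """A few representative authorization decisions for the sample users."""
    return {
        "john search products-2018": is_authorized(
            JOHN, "indices:data/read/search", "index", "products-2018"),
        "john search orders": is_authorized(
            JOHN, "indices:data/read/search", "index", "orders"),
        "john write products-2018": is_authorized(
            JOHN, "indices:data/write/index", "index", "products-2018"),
        "john cluster health": is_authorized(
            JOHN, "cluster:monitor/health", "cluster"),
        "john update cluster settings": is_authorized(
            JOHN, "cluster:admin/settings/update", "cluster"),
        "guest search products-2018": is_authorized(
            NO_ROLES, "indices:data/read/search", "index", "products-2018"),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request}: {'allowed' if allowed else 'denied'}")
```

The two points worth noticing are the default-deny return at the end of `is_authorized` and that `effective_permissions` is a plain set union: adding a role can only grant more, never take anything away, which is why an administrator reviews the combined set of a user's roles rather than each role in isolation.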
include::built-in-roles.asciidoc[]

include::managing-roles.asciidoc[]

include::privileges.asciidoc[]

include::alias-privileges.asciidoc[]

include::mapping-roles.asciidoc[]

include::field-and-document-access-control.asciidoc[]

include::run-as-privilege.asciidoc[]

include::custom-roles-provider.asciidoc[]