2018-05-14 18:35:02 -04:00
|
|
|
|
[role="xpack"]
|
2017-04-06 21:29:29 -04:00
|
|
|
|
[[field-and-document-access-control]]
|
2018-05-14 18:35:02 -04:00
|
|
|
|
=== Setting up field and document level security
|
2017-04-06 21:29:29 -04:00
|
|
|
|
|
|
|
|
|
You can control access to data within an index by adding field and document level
|
2018-06-21 13:08:50 -04:00
|
|
|
|
security permissions to a role.
|
|
|
|
|
<<field-level-security,Field level security permissions>> restrict access to
|
|
|
|
|
particular fields within a document.
|
|
|
|
|
<<document-level-security,Document level security permissions>> restrict access
|
|
|
|
|
to particular documents within an index.
|
2017-04-06 21:29:29 -04:00
|
|
|
|
|
|
|
|
|
NOTE: Document and field level security is currently meant to operate with
|
|
|
|
|
read-only privileged accounts. Users with document and field level
|
|
|
|
|
security enabled for an index should not perform write operations.
|
|
|
|
|
|
|
|
|
|
A role can define both field and document level permissions on a per-index basis.
|
2018-01-24 12:07:21 -05:00
|
|
|
|
A role that doesn’t specify field level permissions grants access to ALL fields.
|
|
|
|
|
Similarly, a role that doesn't specify document level permissions grants access
|
|
|
|
|
to ALL documents in the index.
|
2017-04-06 21:29:29 -04:00
|
|
|
|
|
|
|
|
|
[IMPORTANT]
|
|
|
|
|
=====================================================================
|
|
|
|
|
When assigning users multiple roles, be careful that you don't inadvertently
|
2018-01-24 12:07:21 -05:00
|
|
|
|
grant wider access than intended. Each user has a single set of field level and
|
|
|
|
|
document level permissions per index. See <<multiple-roles-dls-fls>>.
|
2017-04-06 21:29:29 -04:00
|
|
|
|
=====================================================================
|
|
|
|
|
|
|
|
|
|
[[multiple-roles-dls-fls]]
|
2018-05-14 18:35:02 -04:00
|
|
|
|
==== Multiple roles with document and field level security
|
2017-04-06 21:29:29 -04:00
|
|
|
|
|
|
|
|
|
A user can have many roles and each role can define different permissions on the
|
2018-01-24 12:07:21 -05:00
|
|
|
|
same index. It is important to understand the behavior of document and field
|
|
|
|
|
level security in this scenario.
|
2017-04-06 21:29:29 -04:00
|
|
|
|
|
2018-01-24 12:07:21 -05:00
|
|
|
|
Document level security takes into account each role held by the user and
|
|
|
|
|
combines each document level security query for a given index with an "OR". This
|
2017-04-06 21:29:29 -04:00
|
|
|
|
means that only one of the role queries must match for a document to be returned.
|
|
|
|
|
For example, if a role grants access to an index without document level security
|
|
|
|
|
and another grants access with document level security, document level security
|
2018-01-24 12:07:21 -05:00
|
|
|
|
is not applied; the user with both roles has access to all of the documents in
|
|
|
|
|
the index.
|
2017-04-06 21:29:29 -04:00
|
|
|
|
|
2018-01-24 12:07:21 -05:00
|
|
|
|
Field level security takes into account each role the user has and combines
|
2017-04-06 21:29:29 -04:00
|
|
|
|
all of the fields listed into a single set for each index. For example, if a
|
|
|
|
|
role grants access to an index without field level security and another grants
|
2018-01-24 12:07:21 -05:00
|
|
|
|
access with field level security, field level security is not be applied for
|
|
|
|
|
that index; the user with both roles has access to all of the fields in the
|
|
|
|
|
index.
|
|
|
|
|
|
|
|
|
|
For example, let's say `role_a` grants access to only the `address` field of the
|
|
|
|
|
documents in `index1`; it doesn't specify any document restrictions. Conversely,
|
|
|
|
|
`role_b` limits access to a subset of the documents in `index1`; it doesn't
|
|
|
|
|
specify any field restrictions. If you assign a user both roles, `role_a` gives
|
|
|
|
|
the user access to all documents and `role_b` gives the user access to all
|
|
|
|
|
fields.
|
|
|
|
|
|
|
|
|
|
If you need to restrict access to both documents and fields, consider splitting
|
|
|
|
|
documents by index instead.
|
2018-06-21 13:08:50 -04:00
|
|
|
|
|
|
|
|
|
include::role-templates.asciidoc[]
|
|
|
|
|
include::set-security-user.asciidoc[]
|