2015-07-15 13:02:11 -04:00
|
|
|
[[configuring-rbac]]
|
|
|
|
|
== Configuring Role-based Access Control
|
2015-07-13 06:31:34 -04:00
|
|
|
|
|
|
|
|
Shield introduces the concept of _action authorization_ to Elasticsearch. Action authorization restricts the actions
|
|
|
|
|
users can execute on the cluster. Shield implements authorization as Role Based Access Control (RBAC), where all
|
|
|
|
|
actions are restricted by default. Users are associated with roles that define a set of actions that are allowed
|
|
|
|
|
for those users.
|
|
|
|
|
|
|
|
|
|
[[roles]]
|
|
|
|
|
[float]
|
|
|
|
|
=== Roles, Permissions and Privileges
|
|
|
|
|
|
|
|
|
|
Privileges are actions or a set of actions that users may execute in Elasticsearch. For example, the ability to run a
|
|
|
|
|
query is a privilege.
|
|
|
|
|
|
|
|
|
|
A permission is a set of privileges associated with one or more secured objects. For example, a permission could allow
|
|
|
|
|
querying or reading all documents of index `i1`. There are two types of secured objects in Elasticsearch -
|
|
|
|
|
cluster and indices. Cluster permissions grant access to cluster-wide administrative and monitoring actions. Index
|
|
|
|
|
permissions grant data access, including administrative and monitoring actions on specific indices in the cluster.
|
|
|
|
|
|
|
|
|
|
A role is a named set of permissions. For example, you could define a role as a logging administrator. The logging
|
|
|
|
|
administrator is allowed to take all actions on indices named `logs-*`.
|
|
|
|
|
|
|
|
|
|
As an administrator, you will need to define the roles that you want to use, then assign users to the roles.
|
|
|
|
|
|
2015-07-15 13:02:11 -04:00
|
|
|
[[defining-roles]]
|
|
|
|
|
=== Defining Roles
|
2015-08-19 12:31:52 -04:00
|
|
|
Roles are defined in the role definition file `roles.yml` located in `CONFIG_DIR/shield`.
|
2015-07-13 06:31:34 -04:00
|
|
|
This is a YAML file where each entry defines the unique role name and the cluster and indices permissions associated
|
|
|
|
|
with it.
|
|
|
|
|
|
|
|
|
|
[IMPORTANT]
|
|
|
|
|
==============================
|
|
|
|
|
The `roles.yml` file is managed locally by the node and is not managed globally by the cluster. This means that
|
|
|
|
|
with a typical multi-node cluster, the exact same changes need to be applied on each and every node in the cluster.
|
|
|
|
|
|
|
|
|
|
A safer approach would be to apply the change on one of the nodes and have the `roles.yml` distributed/copied to
|
|
|
|
|
all other nodes in the cluster (either manually or using a configuration management system such as Puppet or Chef).
|
|
|
|
|
==============================
|
|
|
|
|
|
|
|
|
|
The following snippet shows an example configuration:
|
|
|
|
|
|
|
|
|
|
[source,yaml]
|
|
|
|
|
-----------------------------------
|
|
|
|
|
# All cluster rights
|
|
|
|
|
# All operations on all indices
|
|
|
|
|
admin:
|
|
|
|
|
cluster: all
|
|
|
|
|
indices:
|
2015-09-09 06:54:41 -04:00
|
|
|
'*':
|
|
|
|
|
privileges: all
|
2015-07-13 06:31:34 -04:00
|
|
|
|
|
|
|
|
# Monitoring cluster privileges
|
|
|
|
|
# All operations on all indices
|
|
|
|
|
power_user:
|
|
|
|
|
cluster: monitor
|
|
|
|
|
indices:
|
2015-09-09 06:54:41 -04:00
|
|
|
'*':
|
|
|
|
|
privileges: all
|
2015-07-13 06:31:34 -04:00
|
|
|
|
|
|
|
|
# Only read operations on indices
|
|
|
|
|
user:
|
|
|
|
|
indices:
|
2015-09-09 06:54:41 -04:00
|
|
|
'*':
|
|
|
|
|
privileges: read
|
2015-07-13 06:31:34 -04:00
|
|
|
|
|
|
|
|
# Only read operations on indices named events_*
|
|
|
|
|
events_user:
|
|
|
|
|
indices:
|
2015-09-09 06:54:41 -04:00
|
|
|
'events_*':
|
|
|
|
|
privileges: read
|
2015-07-13 06:31:34 -04:00
|
|
|
-----------------------------------
|
|
|
|
|
|
|
|
|
|
[[valid-role-name]]
|
|
|
|
|
NOTE: A valid role name must be at least 1 character and no longer than 30 characters. It must begin with a letter
|
|
|
|
|
(`a-z`) or an underscore (`_`). Subsequent characters can be letters, underscores (`_`), digits (`0-9`) or any
|
|
|
|
|
of the following symbols `@`, `-`, `.` or `$`
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The above example defines these roles:
|
|
|
|
|
|
|
|
|
|
|=======================
|
|
|
|
|
| `admin` | Has full access (all privileges) on the cluster and full access on all indices in the cluster.
|
|
|
|
|
| `power_user` | Has monitoring-only access on the cluster, enabling the user to request cluster metrics, information,
|
|
|
|
|
and settings, without the ability to update settings. This user also has full access on all indices in
|
|
|
|
|
the cluster.
|
|
|
|
|
| `user` | Cannot update or monitor the cluster. Has read-only access to all indices in the cluster.
|
|
|
|
|
| `events_user` | Has read-only access to all indices with the `events_` prefix.
|
|
|
|
|
|=======================
|
|
|
|
|
|
|
|
|
|
See the complete list of available <<privileges-list, cluster and indices privileges>>.
|
|
|
|
|
|
2015-07-15 13:02:11 -04:00
|
|
|
|
|
|
|
|
=== Granting Privileges for Specific Actions
|
2015-07-13 06:31:34 -04:00
|
|
|
|
|
|
|
|
The Shield security plugin enables access to specific actions in Elasticsearch. Access control using specific actions
|
|
|
|
|
provides a finer level of granularity than roles based on named privileges.
|
|
|
|
|
|
|
|
|
|
The role in the following example allows access to document `GET` actions for a specific index and nothing else:
|
|
|
|
|
|
|
|
|
|
.Example Role Using Action-level Access Control
|
|
|
|
|
[source,yaml]
|
|
|
|
|
---------------------------------------------------
|
|
|
|
|
# Only GET read action on index named events_index
|
|
|
|
|
get_user:
|
|
|
|
|
indices:
|
2015-09-09 06:54:41 -04:00
|
|
|
'events_index':
|
|
|
|
|
privileges: 'indices:data/read/get'
|
2015-07-13 06:31:34 -04:00
|
|
|
---------------------------------------------------
|
|
|
|
|
|
|
|
|
|
See the complete list of available <<ref-actions-list, cluster and indices actions>>.
|
|
|
|
|
|
|
|
|
|
TIP: When specifying index names, you can use indices and aliases with their full names or regular expressions that
|
|
|
|
|
refer to multiple indices.
|
|
|
|
|
|
|
|
|
|
* Wildcard (default) - simple wildcard matching where `*` is a placeholder for zero or more characters, `?` is a
|
|
|
|
|
placeholder for a single character and `\` may be used as an escape character.
|
|
|
|
|
|
|
|
|
|
* Regular Expressions - A more powerful syntax for matching more complex patterns. This regular expression is based on
|
|
|
|
|
Lucene's regexp automaton syntax. To enable this syntax, it must be wrapped within a pair of forward slashes (`/`).
|
|
|
|
|
Any pattern starting with `/` and not ending with `/` is considered to be malformed.
|
|
|
|
|
|
|
|
|
|
.Example Regular Expressions
|
|
|
|
|
[source,yaml]
|
|
|
|
|
------------------------------------------------------------------------------------
|
|
|
|
|
"foo-bar": all # match the literal `foo-bar`
|
|
|
|
|
"foo-*": all # match anything beginning with "foo-"
|
|
|
|
|
"logstash-201?-*": all # ? matches any one character
|
|
|
|
|
"/.*-201[0-9]-.*/": all # use a regex to match anything containing 2010-2019
|
|
|
|
|
"/foo": all # syntax error - missing final /
|
|
|
|
|
------------------------------------------------------------------------------------
|
|
|
|
|
|
2015-07-15 13:02:11 -04:00
|
|
|
TIP: Once the roles are defined, users can then be associated with any number of these roles. In
|
|
|
|
|
<<setting-up-authentication,Setting Up Authentication>> we'll learn more about authentication and see how users can be associated with the
|
2015-07-13 06:31:34 -04:00
|
|
|
configured roles.
|
2015-07-15 13:02:11 -04:00
|
|
|
|
2015-09-09 06:54:41 -04:00
|
|
|
The privileges can also directly be set on an index expression. This notation is useful if no other security features
|
|
|
|
|
are configured.
|
|
|
|
|
|
|
|
|
|
.Shorter privileges notation
|
|
|
|
|
[source,yaml]
|
|
|
|
|
---------------------------------------------------
|
|
|
|
|
# Only GET read action on index named events_index
|
|
|
|
|
get_user:
|
|
|
|
|
indices:
|
|
|
|
|
'events_index': 'indices:data/read/get'
|
|
|
|
|
---------------------------------------------------
|
|
|
|
|
|
2015-07-15 13:02:11 -04:00
|
|
|
include::granting-alias-privileges.asciidoc[]
|
|
|
|
|
|
Added document and field level security
This commit adds document and field level security to Shield.
Field level security can be enabled by adding the `fields` option to a role in the `role.yml` file.
For example:
```yaml
customer_care:
indices:
'*':
privileges: read
fields:
- issue_id
- description
- customer_handle
- customer_email
- customer_address
- customer_phone
```
The `fields` list is an inclusive list of fields that controls what fields should be accessible for that role. By default all meta fields (_uid, _type, _source, _ttl etc) are also included, otherwise ES or specific features stop working. The `_all` field if configured, isn't included by default, since that actually contains data from all the other fields. If the `_all` field is required then this needs to be added to the `fields` list in a role. In the case of the content of the `_source` field and `_field_names` there is special filtering in place so that only the content relevant for the role are being returned.
If no `fields` is specified then field level security is disabled for that role and all fields in an index are accessible.
Field level security can be setup per index group.
Field level security is implemented at the Lucene level by wrapping a directory index reader and hides fields away that aren't in the `field` list defined with the role of the current user. It as if the other fields never existed.
* Any `realtime` read operation from the translog is disabled. Instead this operations fall back to the Lucene index, which makes these operations compatible with field level security, but there aren't realtime.
* If user with role A executes first and the result gets cached and then a user with role B executes the same query results from the query executed with role A would be returned. This is bad and therefore the query cache is disabled.
* For the same reason the request cache is also disabled.
* The update API is blocked. An update request needs to be executed via a role that doesn't have field level security enabled.
Document level security can be enabled by adding the `query` option to a role in the `role.yml` file:
```yaml
customer_care:
indices:
'*':
privileges: read
query:
term:
department_id: 12
```
Document level security is implemented as a filter that filters out documents there don't match with the query. This is like index aliases, but better, because the role query is embedded on the lowest level possible in ES (Engine level) and on all places the acquire an IndexSearcher the role query will always be included. While alias filters are applied at a higher level (after the searcher has been acquired)
Document level security can be setup per index group.
Right now like alias filters the document level security isn't applied on all APIs. Like for example the get api, term vector api, which ignore the alias filter. These apis do acquire an IndexSearcher, but don't use the IndexSearcher itself and directly use the index reader to access the inverted index and there for bypassing the role query. If it is required to these apis need document level security too the the implementation for document level security needs to change.
Closes elastic/elasticsearch#341
Original commit: elastic/x-pack-elasticsearch@fac085dca6c3e1957eae0cf13d86ba93d20107c1
2015-08-27 11:53:10 -04:00
|
|
|
include::mapping-roles.asciidoc[]
|
|
|
|
|
|
2015-09-14 15:30:00 -04:00
|
|
|
include::setting-up-field-and-document-level-security.asciidoc[]
|
|
|
|
|
|
|
|
|
|
include::submitting-requests-for-other-users.asciidoc[]
|
