[DOCS] Add docs for Application Privileges (#32635)
This commit is contained in:
parent
8f16696fe1
commit
a211d24bda
|
@ -538,4 +538,9 @@ native realm:
|
|||
You can use the following APIs to add, remove, and retrieve role mappings:
|
||||
|
||||
* <<security-api-put-role-mapping,Add role mappings>>, <<security-api-delete-role-mapping,Delete role mappings>>
|
||||
* <<security-api-get-role-mapping,Get role mappings>>
|
||||
* <<security-api-get-role-mapping,Get role mappings>>
|
||||
|
||||
[role="exclude",id="security-api-privileges"]
|
||||
=== Privilege APIs
|
||||
|
||||
See <<security-api-has-privileges>>.
|
||||
|
|
|
@ -750,3 +750,22 @@ setups['jacknich_user'] = '''
|
|||
"metadata" : { "intelligence" : 7 }
|
||||
}
|
||||
'''
|
||||
setups['app0102_privileges'] = '''
|
||||
- do:
|
||||
xpack.security.put_privileges:
|
||||
body: >
|
||||
{
|
||||
"myapp": {
|
||||
"read": {
|
||||
"application": "myapp",
|
||||
"name": "read",
|
||||
"actions": [
|
||||
"data:read/*",
|
||||
"action:login" ],
|
||||
"metadata": {
|
||||
"description": "Read access to myapp"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
'''
|
||||
|
|
|
@ -6,28 +6,41 @@ You can use the following APIs to perform {security} activities.
|
|||
|
||||
* <<security-api-authenticate>>
|
||||
* <<security-api-clear-cache>>
|
||||
* <<security-api-privileges>>
|
||||
* <<security-api-has-privileges>>
|
||||
* <<security-api-ssl>>
|
||||
|
||||
[float]
|
||||
[[security-role-apis]]
|
||||
=== Roles
|
||||
[[security-api-app-privileges]]
|
||||
=== Application privileges
|
||||
|
||||
You can use the following APIs to add, remove, and retrieve roles in the native realm:
|
||||
You can use the following APIs to add, update, retrieve, and remove application
|
||||
privileges:
|
||||
|
||||
* <<security-api-put-role,Create role>>, <<security-api-delete-role,Delete role>>
|
||||
* <<security-api-clear-role-cache,Clear roles cache>>
|
||||
* <<security-api-get-role,Get roles>>
|
||||
* <<security-api-put-privileges,Create or update privileges>>
|
||||
* <<security-api-delete-privilege,Delete privileges>>
|
||||
* <<security-api-get-privileges,Get privileges>>
|
||||
|
||||
[float]
|
||||
[[security-role-mapping-apis]]
|
||||
=== Role mappings
|
||||
|
||||
You can use the following APIs to add, remove, and retrieve role mappings:
|
||||
You can use the following APIs to add, remove, update, and retrieve role mappings:
|
||||
|
||||
* <<security-api-put-role-mapping,Add role mappings>>, <<security-api-delete-role-mapping,Delete role mappings>>
|
||||
* <<security-api-put-role-mapping,Create or update role mappings>>
|
||||
* <<security-api-delete-role-mapping,Delete role mappings>>
|
||||
* <<security-api-get-role-mapping,Get role mappings>>
|
||||
|
||||
[float]
|
||||
[[security-role-apis]]
|
||||
=== Roles
|
||||
|
||||
You can use the following APIs to add, remove, update, and retrieve roles in the native realm:
|
||||
|
||||
* <<security-api-put-role,Create or update roles>>
|
||||
* <<security-api-clear-role-cache,Clear roles cache>>
|
||||
* <<security-api-delete-role,Delete roles>>
|
||||
* <<security-api-get-role,Get roles>>
|
||||
|
||||
[float]
|
||||
[[security-token-apis]]
|
||||
=== Tokens
|
||||
|
@ -35,20 +48,25 @@ You can use the following APIs to add, remove, and retrieve role mappings:
|
|||
You can use the following APIs to create and invalidate bearer tokens for access
|
||||
without requiring basic authentication:
|
||||
|
||||
* <<security-api-get-token,Get token>>, <<security-api-invalidate-token,Invalidate token>>
|
||||
* <<security-api-get-token,Get token>>
|
||||
* <<security-api-invalidate-token,Invalidate token>>
|
||||
|
||||
[float]
|
||||
[[security-user-apis]]
|
||||
=== Users
|
||||
|
||||
You can use the following APIs to create, read, update, and delete users from the
|
||||
You can use the following APIs to add, remove, update, or retrieve users in the
|
||||
native realm:
|
||||
|
||||
* <<security-api-put-user,Create users>>, <<security-api-delete-user,Delete users>>
|
||||
* <<security-api-enable-user,Enable users>>, <<security-api-disable-user,Disable users>>
|
||||
* <<security-api-put-user,Create or update users>>
|
||||
* <<security-api-change-password,Change passwords>>
|
||||
* <<security-api-delete-user,Delete users>>
|
||||
* <<security-api-disable-user,Disable users>>
|
||||
* <<security-api-enable-user,Enable users>>
|
||||
* <<security-api-get-user,Get users>>
|
||||
|
||||
|
||||
include::security/put-app-privileges.asciidoc[]
|
||||
include::security/authenticate.asciidoc[]
|
||||
include::security/change-password.asciidoc[]
|
||||
include::security/clear-cache.asciidoc[]
|
||||
|
@ -56,15 +74,17 @@ include::security/create-role-mappings.asciidoc[]
|
|||
include::security/clear-roles-cache.asciidoc[]
|
||||
include::security/create-roles.asciidoc[]
|
||||
include::security/create-users.asciidoc[]
|
||||
include::security/delete-app-privileges.asciidoc[]
|
||||
include::security/delete-role-mappings.asciidoc[]
|
||||
include::security/delete-roles.asciidoc[]
|
||||
include::security/delete-tokens.asciidoc[]
|
||||
include::security/delete-users.asciidoc[]
|
||||
include::security/disable-users.asciidoc[]
|
||||
include::security/enable-users.asciidoc[]
|
||||
include::security/get-app-privileges.asciidoc[]
|
||||
include::security/get-role-mappings.asciidoc[]
|
||||
include::security/get-roles.asciidoc[]
|
||||
include::security/get-tokens.asciidoc[]
|
||||
include::security/get-users.asciidoc[]
|
||||
include::security/privileges.asciidoc[]
|
||||
include::security/has-privileges.asciidoc[]
|
||||
include::security/ssl.asciidoc[]
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
[role="xpack"]
|
||||
[[security-api-put-role-mapping]]
|
||||
=== Add role mappings API
|
||||
=== Create or update role mappings API
|
||||
|
||||
Adds and updates role mappings.
|
||||
Creates and updates role mappings.
|
||||
|
||||
==== Request
|
||||
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
[role="xpack"]
|
||||
[[security-api-put-role]]
|
||||
=== Create roles API
|
||||
=== Create or update roles API
|
||||
|
||||
Adds roles in the native realm.
|
||||
Adds and updates roles in the native realm.
|
||||
|
||||
==== Request
|
||||
|
||||
|
@ -29,9 +29,20 @@ file-based role management. For more information about the native realm, see
|
|||
The following parameters can be specified in the body of a PUT or POST request
|
||||
and pertain to adding a role:
|
||||
|
||||
`applications`:: (list) A list of application privilege entries.
|
||||
`application` (required)::: (string) The name of the application to which this entry applies
|
||||
`privileges`::: (list) A list of strings, where each element is the name of an application
|
||||
privilege or action.
|
||||
`resources`::: (list) A list resources to which the privileges are applied.
|
||||
|
||||
`cluster`:: (list) A list of cluster privileges. These privileges define the
|
||||
cluster level actions that users with this role are able to execute.
|
||||
|
||||
`global`:: (object) An object defining global privileges. A global privilege is
|
||||
a form of cluster privilege that is request-aware. Support for global privileges
|
||||
is currently limited to the management of application privileges.
|
||||
This field is optional.
|
||||
|
||||
`indices`:: (list) A list of indices permissions entries.
|
||||
`field_security`::: (list) The document fields that the owners of the role have
|
||||
read access to. For more information, see
|
||||
|
@ -79,6 +90,13 @@ POST /_xpack/security/role/my_admin_role
|
|||
"query": "{\"match\": {\"title\": \"foo\"}}" // optional
|
||||
}
|
||||
],
|
||||
"applications": [
|
||||
{
|
||||
"application": "myapp",
|
||||
"privileges": [ "admin", "read" ],
|
||||
"resources": [ "*" ]
|
||||
}
|
||||
],
|
||||
"run_as": [ "other_user" ], // optional
|
||||
"metadata" : { // optional
|
||||
"version" : 1
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
[role="xpack"]
|
||||
[[security-api-put-user]]
|
||||
=== Create users API
|
||||
=== Create or update users API
|
||||
|
||||
Creates and updates users in the native realm. These users are commonly referred
|
||||
Adds and updates users in the native realm. These users are commonly referred
|
||||
to as _native users_.
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,59 @@
|
|||
[role="xpack"]
|
||||
[[security-api-delete-privilege]]
|
||||
=== Delete application privileges API
|
||||
|
||||
Removes
|
||||
{stack-ov}/security-privileges.html#application-privileges[application privileges].
|
||||
|
||||
==== Request
|
||||
|
||||
`DELETE /_xpack/security/privilege/<application>/<privilege>`
|
||||
|
||||
//==== Description
|
||||
|
||||
==== Path Parameters
|
||||
|
||||
`application` (required)::
|
||||
(string) The name of the application. Application privileges are always
|
||||
associated with exactly one application.
|
||||
|
||||
`privilege` (required)::
|
||||
(string) The name of the privilege.
|
||||
|
||||
// ==== Request Body
|
||||
|
||||
==== Authorization
|
||||
|
||||
To use this API, you must have either:
|
||||
|
||||
- the `manage_security` cluster privilege (or a greater privilege such as `all`); _or_
|
||||
- the _"Manage Application Privileges"_ global privilege for the application being referenced
|
||||
in the request
|
||||
|
||||
==== Examples
|
||||
|
||||
The following example deletes the `read` application privilege from the
|
||||
`myapp` application:
|
||||
|
||||
[source,js]
|
||||
--------------------------------------------------
|
||||
DELETE /_xpack/security/privilege/myapp/read
|
||||
--------------------------------------------------
|
||||
// CONSOLE
|
||||
// TEST[setup:app0102_privileges]
|
||||
|
||||
If the role is successfully deleted, the request returns `{"found": true}`.
|
||||
Otherwise, `found` is set to false.
|
||||
|
||||
[source,js]
|
||||
--------------------------------------------------
|
||||
{
|
||||
"myapp": {
|
||||
"read": {
|
||||
"found" : true
|
||||
}
|
||||
}
|
||||
}
|
||||
--------------------------------------------------
|
||||
// TESTRESPONSE
|
||||
|
|
@ -0,0 +1,94 @@
|
|||
[role="xpack"]
|
||||
[[security-api-get-privileges]]
|
||||
=== Get application privileges API
|
||||
|
||||
Retrieves
|
||||
{stack-ov}/security-privileges.html#application-privileges[application privileges].
|
||||
|
||||
==== Request
|
||||
|
||||
`GET /_xpack/security/privilege` +
|
||||
|
||||
`GET /_xpack/security/privilege/<application>` +
|
||||
|
||||
`GET /_xpack/security/privilege/<application>/<privilege>`
|
||||
|
||||
|
||||
==== Description
|
||||
|
||||
To check a user's application privileges, use the
|
||||
<<security-api-has-privileges,has privileges API>>.
|
||||
|
||||
|
||||
==== Path Parameters
|
||||
|
||||
`application`::
|
||||
(string) The name of the application. Application privileges are always
|
||||
associated with exactly one application.
|
||||
If you do not specify this parameter, the API returns information about all
|
||||
privileges for all applications.
|
||||
|
||||
`privilege`::
|
||||
(string) The name of the privilege. If you do not specify this parameter, the
|
||||
API returns information about all privileges for the requested application.
|
||||
|
||||
//==== Request Body
|
||||
|
||||
==== Authorization
|
||||
|
||||
To use this API, you must have either:
|
||||
|
||||
- the `manage_security` cluster privilege (or a greater privilege such as `all`); _or_
|
||||
- the _"Manage Application Privileges"_ global privilege for the application being referenced
|
||||
in the request
|
||||
|
||||
==== Examples
|
||||
|
||||
The following example retrieves information about the `read` privilege for the
|
||||
`app01` application:
|
||||
|
||||
[source,js]
|
||||
--------------------------------------------------
|
||||
GET /_xpack/security/privilege/myapp/read
|
||||
--------------------------------------------------
|
||||
// CONSOLE
|
||||
// TEST[setup:app0102_privileges]
|
||||
|
||||
A successful call returns an object keyed by application name and privilege
|
||||
name. If the privilege is not defined, the request responds with a 404 status.
|
||||
|
||||
[source,js]
|
||||
--------------------------------------------------
|
||||
{
|
||||
"myapp": {
|
||||
"read": {
|
||||
"application": "myapp",
|
||||
"name": "read",
|
||||
"actions": [
|
||||
"data:read/*",
|
||||
"action:login"
|
||||
],
|
||||
"metadata": {
|
||||
"description": "Read access to myapp"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
--------------------------------------------------
|
||||
// TESTRESPONSE
|
||||
|
||||
To retrieve all privileges for an application, omit the privilege name:
|
||||
|
||||
[source,js]
|
||||
--------------------------------------------------
|
||||
GET /_xpack/security/privilege/myapp/
|
||||
--------------------------------------------------
|
||||
// CONSOLE
|
||||
|
||||
To retrieve every privilege, omit both the application and privilege names:
|
||||
|
||||
[source,js]
|
||||
--------------------------------------------------
|
||||
GET /_xpack/security/privilege/
|
||||
--------------------------------------------------
|
||||
// CONSOLE
|
|
@ -1,6 +1,6 @@
|
|||
[role="xpack"]
|
||||
[[security-api-privileges]]
|
||||
=== Privilege APIs
|
||||
[[security-api-has-privileges]]
|
||||
=== Has Privileges API
|
||||
|
||||
[[security-api-has-privilege]]
|
||||
|
||||
|
@ -15,7 +15,7 @@ a specified list of privileges.
|
|||
==== Description
|
||||
|
||||
For a list of the privileges that you can specify in this API,
|
||||
see {xpack-ref}/security-privileges.html[Security Privileges].
|
||||
see {stack-ov}/security-privileges.html[Security privileges].
|
||||
|
||||
A successful call returns a JSON structure that shows whether each specified
|
||||
privilege is assigned to the user.
|
||||
|
@ -30,6 +30,14 @@ privilege is assigned to the user.
|
|||
`privileges`::: (list) A list of the privileges that you want to check for the
|
||||
specified indices.
|
||||
|
||||
`application`::
|
||||
`application`::: (string) The name of the application.
|
||||
`privileges`::: (list) A list of the privileges that you want to check for the
|
||||
specified resources. May be either application privilege names, or the names of
|
||||
actions that are granted by those privileges
|
||||
`resources`::: (list) A list of resource names against which the privileges
|
||||
should be checked
|
||||
|
||||
==== Authorization
|
||||
|
||||
All users can use this API, but only to determine their own privileges.
|
||||
|
@ -41,7 +49,7 @@ more information, see
|
|||
==== Examples
|
||||
|
||||
The following example checks whether the current user has a specific set of
|
||||
cluster and indices privileges:
|
||||
cluster, index, and application privileges:
|
||||
|
||||
[source,js]
|
||||
--------------------------------------------------
|
||||
|
@ -57,6 +65,13 @@ GET _xpack/security/user/_has_privileges
|
|||
"names": [ "inventory" ],
|
||||
"privileges" : [ "read", "write" ]
|
||||
}
|
||||
],
|
||||
"application": [
|
||||
{
|
||||
"application": "inventory_manager",
|
||||
"privileges" : [ "read", "data:write/inventory" ],
|
||||
"resources" : [ "product/1852563" ]
|
||||
}
|
||||
]
|
||||
}
|
||||
--------------------------------------------------
|
||||
|
@ -85,7 +100,14 @@ The following example output indicates which privileges the "rdeniro" user has:
|
|||
"write" : false
|
||||
}
|
||||
},
|
||||
"application" : {}
|
||||
"application" : {
|
||||
"inventory_manager" : {
|
||||
"product/1852563" : {
|
||||
"read": false,
|
||||
"data:write/inventory": false
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
--------------------------------------------------
|
||||
// TESTRESPONSE[s/"rdeniro"/"$body.username"/]
|
|
@ -0,0 +1,163 @@
|
|||
[role="xpack"]
|
||||
[[security-api-put-privileges]]
|
||||
=== Create or update application privileges API
|
||||
|
||||
Adds or updates
|
||||
{stack-ov}/security-privileges.html#application-privileges[application privileges].
|
||||
|
||||
==== Request
|
||||
|
||||
`POST /_xpack/security/privilege` +
|
||||
|
||||
`PUT /_xpack/security/privilege`
|
||||
|
||||
|
||||
==== Description
|
||||
|
||||
This API creates or updates privileges. To remove privileges, use the
|
||||
<<security-api-delete-privilege,delete application privilege API>>.
|
||||
|
||||
For more information, see
|
||||
{stack-ov}/defining-roles.html#roles-application-priv[Application privileges].
|
||||
|
||||
To check a user's application privileges, use the
|
||||
<<security-api-has-privileges,has privileges API>>.
|
||||
|
||||
==== Request Body
|
||||
|
||||
The body is a JSON object where the names of the fields are the application
|
||||
names and the value of each field is an object. The fields in this inner
|
||||
object are the names of the privileges and each value is a JSON object that
|
||||
includes the following fields:
|
||||
|
||||
`actions`:: (array-of-string) A list of action names that are granted by this
|
||||
privilege. This field must exist and cannot be an empty array.
|
||||
|
||||
`metadata`:: (object) Optional meta-data. Within the `metadata` object, keys
|
||||
that begin with `_` are reserved for system usage.
|
||||
|
||||
|
||||
[[security-api-app-privileges-validation]]
|
||||
==== Validation
|
||||
|
||||
Application Names::
|
||||
Application names are formed from a _prefix_, with an optional _suffix_ that
|
||||
conform to the following rules:
|
||||
* The prefix must begin with a lowercase ASCII letter
|
||||
* The prefix must contain only ASCII letters or digits
|
||||
* The prefix must be at least 3 characters long
|
||||
* If the suffix exists, it must begin with either `-` or `_`
|
||||
* The suffix cannot contain any of the following characters:
|
||||
`\\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, `,`, `*`
|
||||
* No part of the name can contain whitespace.
|
||||
|
||||
Privilege Names::
|
||||
Privilege names must begin with a lowercase ASCII letter and must contain
|
||||
only ASCII letters and digits along with the characters `_`, `-` and `.`
|
||||
|
||||
Action Names::
|
||||
Action names can contain any number of printable ASCII characters and must
|
||||
contain at least one of the following characters: `/` `*`, `:`
|
||||
|
||||
==== Authorization
|
||||
|
||||
To use this API, you must have either:
|
||||
|
||||
- the `manage_security` cluster privilege (or a greater privilege such as `all`); _or_
|
||||
- the _"Manage Application Privileges"_ global privilege for the application being referenced
|
||||
in the request
|
||||
|
||||
==== Examples
|
||||
|
||||
To add a single privilege, submit a PUT or POST request to the
|
||||
`/_xpack/security/privilege/<application>/<privilege>` endpoint. For example:
|
||||
|
||||
[source,js]
|
||||
--------------------------------------------------
|
||||
PUT /_xpack/security/privilege
|
||||
{
|
||||
"myapp": {
|
||||
"read": {
|
||||
"actions": [ <1>
|
||||
"data:read/*" , <2>
|
||||
"action:login" ],
|
||||
"metadata": { <3>
|
||||
"description": "Read access to myapp"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
--------------------------------------------------
|
||||
// CONSOLE
|
||||
<1> These strings have significance within the "myapp" application. {es} does not
|
||||
assign any meaning to them.
|
||||
<2> The use of a wildcard here (`*`) means that this privilege grants access to
|
||||
all actions that start with `data:read/`. {es} does not assign any meaning
|
||||
to these actions. However, if the request includes an application privilege
|
||||
such as `data:read/users` or `data:read/settings`, the
|
||||
<<security-api-has-privileges,has privileges API>> respects the use of a
|
||||
wildcard and returns `true`.
|
||||
<3> The metadata object is optional.
|
||||
|
||||
A successful call returns a JSON structure that shows whether the privilege has
|
||||
been created or updated.
|
||||
|
||||
[source,js]
|
||||
--------------------------------------------------
|
||||
{
|
||||
"myapp": {
|
||||
"read": {
|
||||
"created": true <1>
|
||||
}
|
||||
}
|
||||
}
|
||||
--------------------------------------------------
|
||||
// TESTRESPONSE
|
||||
<1> When an existing privilege is updated, `created` is set to false.
|
||||
|
||||
To add multiple privileges, submit a POST request to the
|
||||
`/_xpack/security/privilege/` endpoint. For example:
|
||||
|
||||
[source,js]
|
||||
--------------------------------------------------
|
||||
PUT /_xpack/security/privilege
|
||||
{
|
||||
"app01": {
|
||||
"read": {
|
||||
"actions": [ "action:login", "data:read/*" ]
|
||||
},
|
||||
"write": {
|
||||
"actions": [ "action:login", "data:write/*" ]
|
||||
}
|
||||
},
|
||||
"app02": {
|
||||
"all": {
|
||||
"actions": [ "*" ]
|
||||
}
|
||||
}
|
||||
}
|
||||
--------------------------------------------------
|
||||
// CONSOLE
|
||||
|
||||
A successful call returns a JSON structure that shows whether the privileges
|
||||
have been created or updated.
|
||||
|
||||
[source,js]
|
||||
--------------------------------------------------
|
||||
{
|
||||
"app02": {
|
||||
"all": {
|
||||
"created": true
|
||||
}
|
||||
},
|
||||
"app01": {
|
||||
"read": {
|
||||
"created": true
|
||||
},
|
||||
"write": {
|
||||
"created": true
|
||||
}
|
||||
}
|
||||
}
|
||||
--------------------------------------------------
|
||||
// TESTRESPONSE
|
|
@ -9,7 +9,10 @@ A role is defined by the following JSON structure:
|
|||
{
|
||||
"run_as": [ ... ], <1>
|
||||
"cluster": [ ... ], <2>
|
||||
"indices": [ ... ] <3>
|
||||
"global": { ... }, <3>
|
||||
"indices": [ ... ], <4>
|
||||
"applications": [ ... ] <5>
|
||||
|
||||
}
|
||||
-----
|
||||
// NOTCONSOLE
|
||||
|
@ -19,8 +22,15 @@ A role is defined by the following JSON structure:
|
|||
cluster level actions users with this role are able to execute. This field
|
||||
is optional (missing `cluster` privileges effectively mean no cluster level
|
||||
permissions).
|
||||
<3> A list of indices permissions entries. This field is optional (missing `indices`
|
||||
<3> An object defining global privileges. A global privilege is a form of
|
||||
cluster privilege that is request sensitive. A standard cluster privilege
|
||||
makes authorization decisions based solely on the action being executed.
|
||||
A global privilege also considers the parameters included in the request.
|
||||
Support for global privileges is currently limited to the management of
|
||||
application privileges. This field is optional.
|
||||
<4> A list of indices permissions entries. This field is optional (missing `indices`
|
||||
privileges effectively mean no index level permissions).
|
||||
<5> A list of application privilege entries. This field is optional.
|
||||
|
||||
[[valid-role-name]]
|
||||
NOTE: Role names must be at least 1 and no more than 1024 characters. They can
|
||||
|
@ -28,6 +38,9 @@ NOTE: Role names must be at least 1 and no more than 1024 characters. They can
|
|||
punctuation, and printable symbols in the https://en.wikipedia.org/wiki/Basic_Latin_(Unicode_block)[Basic Latin (ASCII) block].
|
||||
Leading or trailing whitespace is not allowed.
|
||||
|
||||
[[roles-indices-priv]]
|
||||
==== Indices Privileges
|
||||
|
||||
The following describes the structure of an indices permissions entry:
|
||||
|
||||
[source,js]
|
||||
|
@ -77,8 +90,60 @@ names or regular expressions that refer to multiple indices.
|
|||
------------------------------------------------------------------------------
|
||||
==============================================================================
|
||||
|
||||
The following snippet shows an example definition of a `clicks_admin` role:
|
||||
[[roles-global-priv]]
|
||||
==== Global Privileges
|
||||
The following describes the structure of a global privileges entry:
|
||||
|
||||
[source,js]
|
||||
-------
|
||||
{
|
||||
"application": {
|
||||
"manage": { <1>
|
||||
"applications": [ ... ] <2>
|
||||
}
|
||||
}
|
||||
}
|
||||
-------
|
||||
// NOTCONSOLE
|
||||
|
||||
<1> The only supported global privilege is the ability to manage application
|
||||
privileges
|
||||
<2> The list of application names that may be managed. This list supports
|
||||
wildcards (e.g. `"myapp-*"`) and regular expressions (e.g.
|
||||
`"/app[0-9]*/"`)
|
||||
|
||||
[[roles-application-priv]]
|
||||
==== Application Privileges
|
||||
The following describes the structure of an application privileges entry:
|
||||
|
||||
[source,js]
|
||||
-------
|
||||
{
|
||||
"application": "my_app", <1>
|
||||
"privileges": [ ... ], <2>
|
||||
"resources": [ ... ] <3>
|
||||
}
|
||||
-------
|
||||
// NOTCONSOLE
|
||||
|
||||
<1> The name of the application.
|
||||
<2> The list of the names of the application privileges to grant to this role.
|
||||
<3> The resources to which those privileges apply. These are handled in the same
|
||||
way as index name pattern in `indices` permissions. These resources do not
|
||||
have any special meaning to {security}.
|
||||
|
||||
For details about the validation rules for these fields, see the
|
||||
{ref}/security-api-put-privileges.html[add application privileges API].
|
||||
|
||||
A role may refer to application privileges that do not exist - that is, they
|
||||
have not yet been defined through the add application privileges API (or they
|
||||
were defined, but have since been deleted). In this case, the privilege has
|
||||
no effect, and will not grant any actions in the
|
||||
{ref}/security-api-has-privileges.html[has privileges API].
|
||||
|
||||
==== Example
|
||||
|
||||
The following snippet shows an example definition of a `clicks_admin` role:
|
||||
[source,js]
|
||||
-----------
|
||||
POST /_xpack/security/role/clicks_admin
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"xpack.security.has_privileges": {
|
||||
"documentation": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-privileges.html",
|
||||
"documentation": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-has-privileges.html",
|
||||
"methods": [ "GET", "POST" ],
|
||||
"url": {
|
||||
"path": "/_xpack/security/user/_has_privileges",
|
||||
|
|
Loading…
Reference in New Issue