[DOCS] Add docs for Application Privileges (#32635)

This commit is contained in:
Tim Vernum 2018-08-24 11:04:02 +10:00 committed by Lisa Cawley
parent 8f16696fe1
commit a211d24bda
13 changed files with 495 additions and 30 deletions

View File

@ -539,3 +539,8 @@ You can use the following APIs to add, remove, and retrieve role mappings:
* <<security-api-put-role-mapping,Add role mappings>>, <<security-api-delete-role-mapping,Delete role mappings>> * <<security-api-put-role-mapping,Add role mappings>>, <<security-api-delete-role-mapping,Delete role mappings>>
* <<security-api-get-role-mapping,Get role mappings>> * <<security-api-get-role-mapping,Get role mappings>>
[role="exclude",id="security-api-privileges"]
=== Privilege APIs
See <<security-api-has-privileges>>.

View File

@ -750,3 +750,22 @@ setups['jacknich_user'] = '''
"metadata" : { "intelligence" : 7 } "metadata" : { "intelligence" : 7 }
} }
''' '''
setups['app0102_privileges'] = '''
- do:
xpack.security.put_privileges:
body: >
{
"myapp": {
"read": {
"application": "myapp",
"name": "read",
"actions": [
"data:read/*",
"action:login" ],
"metadata": {
"description": "Read access to myapp"
}
}
}
}
'''

View File

@ -6,28 +6,41 @@ You can use the following APIs to perform {security} activities.
* <<security-api-authenticate>> * <<security-api-authenticate>>
* <<security-api-clear-cache>> * <<security-api-clear-cache>>
* <<security-api-privileges>> * <<security-api-has-privileges>>
* <<security-api-ssl>> * <<security-api-ssl>>
[float] [float]
[[security-role-apis]] [[security-api-app-privileges]]
=== Roles === Application privileges
You can use the following APIs to add, remove, and retrieve roles in the native realm: You can use the following APIs to add, update, retrieve, and remove application
privileges:
* <<security-api-put-role,Create role>>, <<security-api-delete-role,Delete role>> * <<security-api-put-privileges,Create or update privileges>>
* <<security-api-clear-role-cache,Clear roles cache>> * <<security-api-delete-privilege,Delete privileges>>
* <<security-api-get-role,Get roles>> * <<security-api-get-privileges,Get privileges>>
[float] [float]
[[security-role-mapping-apis]] [[security-role-mapping-apis]]
=== Role mappings === Role mappings
You can use the following APIs to add, remove, and retrieve role mappings: You can use the following APIs to add, remove, update, and retrieve role mappings:
* <<security-api-put-role-mapping,Add role mappings>>, <<security-api-delete-role-mapping,Delete role mappings>> * <<security-api-put-role-mapping,Create or update role mappings>>
* <<security-api-delete-role-mapping,Delete role mappings>>
* <<security-api-get-role-mapping,Get role mappings>> * <<security-api-get-role-mapping,Get role mappings>>
[float]
[[security-role-apis]]
=== Roles
You can use the following APIs to add, remove, update, and retrieve roles in the native realm:
* <<security-api-put-role,Create or update roles>>
* <<security-api-clear-role-cache,Clear roles cache>>
* <<security-api-delete-role,Delete roles>>
* <<security-api-get-role,Get roles>>
[float] [float]
[[security-token-apis]] [[security-token-apis]]
=== Tokens === Tokens
@ -35,20 +48,25 @@ You can use the following APIs to add, remove, and retrieve role mappings:
You can use the following APIs to create and invalidate bearer tokens for access You can use the following APIs to create and invalidate bearer tokens for access
without requiring basic authentication: without requiring basic authentication:
* <<security-api-get-token,Get token>>, <<security-api-invalidate-token,Invalidate token>> * <<security-api-get-token,Get token>>
* <<security-api-invalidate-token,Invalidate token>>
[float] [float]
[[security-user-apis]] [[security-user-apis]]
=== Users === Users
You can use the following APIs to create, read, update, and delete users from the You can use the following APIs to add, remove, update, or retrieve users in the
native realm: native realm:
* <<security-api-put-user,Create users>>, <<security-api-delete-user,Delete users>> * <<security-api-put-user,Create or update users>>
* <<security-api-enable-user,Enable users>>, <<security-api-disable-user,Disable users>>
* <<security-api-change-password,Change passwords>> * <<security-api-change-password,Change passwords>>
* <<security-api-delete-user,Delete users>>
* <<security-api-disable-user,Disable users>>
* <<security-api-enable-user,Enable users>>
* <<security-api-get-user,Get users>> * <<security-api-get-user,Get users>>
include::security/put-app-privileges.asciidoc[]
include::security/authenticate.asciidoc[] include::security/authenticate.asciidoc[]
include::security/change-password.asciidoc[] include::security/change-password.asciidoc[]
include::security/clear-cache.asciidoc[] include::security/clear-cache.asciidoc[]
@ -56,15 +74,17 @@ include::security/create-role-mappings.asciidoc[]
include::security/clear-roles-cache.asciidoc[] include::security/clear-roles-cache.asciidoc[]
include::security/create-roles.asciidoc[] include::security/create-roles.asciidoc[]
include::security/create-users.asciidoc[] include::security/create-users.asciidoc[]
include::security/delete-app-privileges.asciidoc[]
include::security/delete-role-mappings.asciidoc[] include::security/delete-role-mappings.asciidoc[]
include::security/delete-roles.asciidoc[] include::security/delete-roles.asciidoc[]
include::security/delete-tokens.asciidoc[] include::security/delete-tokens.asciidoc[]
include::security/delete-users.asciidoc[] include::security/delete-users.asciidoc[]
include::security/disable-users.asciidoc[] include::security/disable-users.asciidoc[]
include::security/enable-users.asciidoc[] include::security/enable-users.asciidoc[]
include::security/get-app-privileges.asciidoc[]
include::security/get-role-mappings.asciidoc[] include::security/get-role-mappings.asciidoc[]
include::security/get-roles.asciidoc[] include::security/get-roles.asciidoc[]
include::security/get-tokens.asciidoc[] include::security/get-tokens.asciidoc[]
include::security/get-users.asciidoc[] include::security/get-users.asciidoc[]
include::security/privileges.asciidoc[] include::security/has-privileges.asciidoc[]
include::security/ssl.asciidoc[] include::security/ssl.asciidoc[]

View File

@ -1,8 +1,8 @@
[role="xpack"] [role="xpack"]
[[security-api-put-role-mapping]] [[security-api-put-role-mapping]]
=== Add role mappings API === Create or update role mappings API
Adds and updates role mappings. Creates and updates role mappings.
==== Request ==== Request

View File

@ -1,8 +1,8 @@
[role="xpack"] [role="xpack"]
[[security-api-put-role]] [[security-api-put-role]]
=== Create roles API === Create or update roles API
Adds roles in the native realm. Adds and updates roles in the native realm.
==== Request ==== Request
@ -29,9 +29,20 @@ file-based role management. For more information about the native realm, see
The following parameters can be specified in the body of a PUT or POST request The following parameters can be specified in the body of a PUT or POST request
and pertain to adding a role: and pertain to adding a role:
`applications`:: (list) A list of application privilege entries.
`application` (required)::: (string) The name of the application to which this entry applies
`privileges`::: (list) A list of strings, where each element is the name of an application
privilege or action.
`resources`::: (list) A list resources to which the privileges are applied.
`cluster`:: (list) A list of cluster privileges. These privileges define the `cluster`:: (list) A list of cluster privileges. These privileges define the
cluster level actions that users with this role are able to execute. cluster level actions that users with this role are able to execute.
`global`:: (object) An object defining global privileges. A global privilege is
a form of cluster privilege that is request-aware. Support for global privileges
is currently limited to the management of application privileges.
This field is optional.
`indices`:: (list) A list of indices permissions entries. `indices`:: (list) A list of indices permissions entries.
`field_security`::: (list) The document fields that the owners of the role have `field_security`::: (list) The document fields that the owners of the role have
read access to. For more information, see read access to. For more information, see
@ -79,6 +90,13 @@ POST /_xpack/security/role/my_admin_role
"query": "{\"match\": {\"title\": \"foo\"}}" // optional "query": "{\"match\": {\"title\": \"foo\"}}" // optional
} }
], ],
"applications": [
{
"application": "myapp",
"privileges": [ "admin", "read" ],
"resources": [ "*" ]
}
],
"run_as": [ "other_user" ], // optional "run_as": [ "other_user" ], // optional
"metadata" : { // optional "metadata" : { // optional
"version" : 1 "version" : 1

View File

@ -1,8 +1,8 @@
[role="xpack"] [role="xpack"]
[[security-api-put-user]] [[security-api-put-user]]
=== Create users API === Create or update users API
Creates and updates users in the native realm. These users are commonly referred Adds and updates users in the native realm. These users are commonly referred
to as _native users_. to as _native users_.

View File

@ -0,0 +1,59 @@
[role="xpack"]
[[security-api-delete-privilege]]
=== Delete application privileges API
Removes
{stack-ov}/security-privileges.html#application-privileges[application privileges].
==== Request
`DELETE /_xpack/security/privilege/<application>/<privilege>`
//==== Description
==== Path Parameters
`application` (required)::
(string) The name of the application. Application privileges are always
associated with exactly one application.
`privilege` (required)::
(string) The name of the privilege.
// ==== Request Body
==== Authorization
To use this API, you must have either:
- the `manage_security` cluster privilege (or a greater privilege such as `all`); _or_
- the _"Manage Application Privileges"_ global privilege for the application being referenced
in the request
==== Examples
The following example deletes the `read` application privilege from the
`myapp` application:
[source,js]
--------------------------------------------------
DELETE /_xpack/security/privilege/myapp/read
--------------------------------------------------
// CONSOLE
// TEST[setup:app0102_privileges]
If the role is successfully deleted, the request returns `{"found": true}`.
Otherwise, `found` is set to false.
[source,js]
--------------------------------------------------
{
"myapp": {
"read": {
"found" : true
}
}
}
--------------------------------------------------
// TESTRESPONSE

View File

@ -0,0 +1,94 @@
[role="xpack"]
[[security-api-get-privileges]]
=== Get application privileges API
Retrieves
{stack-ov}/security-privileges.html#application-privileges[application privileges].
==== Request
`GET /_xpack/security/privilege` +
`GET /_xpack/security/privilege/<application>` +
`GET /_xpack/security/privilege/<application>/<privilege>`
==== Description
To check a user's application privileges, use the
<<security-api-has-privileges,has privileges API>>.
==== Path Parameters
`application`::
(string) The name of the application. Application privileges are always
associated with exactly one application.
If you do not specify this parameter, the API returns information about all
privileges for all applications.
`privilege`::
(string) The name of the privilege. If you do not specify this parameter, the
API returns information about all privileges for the requested application.
//==== Request Body
==== Authorization
To use this API, you must have either:
- the `manage_security` cluster privilege (or a greater privilege such as `all`); _or_
- the _"Manage Application Privileges"_ global privilege for the application being referenced
in the request
==== Examples
The following example retrieves information about the `read` privilege for the
`app01` application:
[source,js]
--------------------------------------------------
GET /_xpack/security/privilege/myapp/read
--------------------------------------------------
// CONSOLE
// TEST[setup:app0102_privileges]
A successful call returns an object keyed by application name and privilege
name. If the privilege is not defined, the request responds with a 404 status.
[source,js]
--------------------------------------------------
{
"myapp": {
"read": {
"application": "myapp",
"name": "read",
"actions": [
"data:read/*",
"action:login"
],
"metadata": {
"description": "Read access to myapp"
}
}
}
}
--------------------------------------------------
// TESTRESPONSE
To retrieve all privileges for an application, omit the privilege name:
[source,js]
--------------------------------------------------
GET /_xpack/security/privilege/myapp/
--------------------------------------------------
// CONSOLE
To retrieve every privilege, omit both the application and privilege names:
[source,js]
--------------------------------------------------
GET /_xpack/security/privilege/
--------------------------------------------------
// CONSOLE

View File

@ -1,6 +1,6 @@
[role="xpack"] [role="xpack"]
[[security-api-privileges]] [[security-api-has-privileges]]
=== Privilege APIs === Has Privileges API
[[security-api-has-privilege]] [[security-api-has-privilege]]
@ -15,7 +15,7 @@ a specified list of privileges.
==== Description ==== Description
For a list of the privileges that you can specify in this API, For a list of the privileges that you can specify in this API,
see {xpack-ref}/security-privileges.html[Security Privileges]. see {stack-ov}/security-privileges.html[Security privileges].
A successful call returns a JSON structure that shows whether each specified A successful call returns a JSON structure that shows whether each specified
privilege is assigned to the user. privilege is assigned to the user.
@ -30,6 +30,14 @@ privilege is assigned to the user.
`privileges`::: (list) A list of the privileges that you want to check for the `privileges`::: (list) A list of the privileges that you want to check for the
specified indices. specified indices.
`application`::
`application`::: (string) The name of the application.
`privileges`::: (list) A list of the privileges that you want to check for the
specified resources. May be either application privilege names, or the names of
actions that are granted by those privileges
`resources`::: (list) A list of resource names against which the privileges
should be checked
==== Authorization ==== Authorization
All users can use this API, but only to determine their own privileges. All users can use this API, but only to determine their own privileges.
@ -41,7 +49,7 @@ more information, see
==== Examples ==== Examples
The following example checks whether the current user has a specific set of The following example checks whether the current user has a specific set of
cluster and indices privileges: cluster, index, and application privileges:
[source,js] [source,js]
-------------------------------------------------- --------------------------------------------------
@ -57,6 +65,13 @@ GET _xpack/security/user/_has_privileges
"names": [ "inventory" ], "names": [ "inventory" ],
"privileges" : [ "read", "write" ] "privileges" : [ "read", "write" ]
} }
],
"application": [
{
"application": "inventory_manager",
"privileges" : [ "read", "data:write/inventory" ],
"resources" : [ "product/1852563" ]
}
] ]
} }
-------------------------------------------------- --------------------------------------------------
@ -85,7 +100,14 @@ The following example output indicates which privileges the "rdeniro" user has:
"write" : false "write" : false
} }
}, },
"application" : {} "application" : {
"inventory_manager" : {
"product/1852563" : {
"read": false,
"data:write/inventory": false
}
}
}
} }
-------------------------------------------------- --------------------------------------------------
// TESTRESPONSE[s/"rdeniro"/"$body.username"/] // TESTRESPONSE[s/"rdeniro"/"$body.username"/]

View File

@ -0,0 +1,163 @@
[role="xpack"]
[[security-api-put-privileges]]
=== Create or update application privileges API
Adds or updates
{stack-ov}/security-privileges.html#application-privileges[application privileges].
==== Request
`POST /_xpack/security/privilege` +
`PUT /_xpack/security/privilege`
==== Description
This API creates or updates privileges. To remove privileges, use the
<<security-api-delete-privilege,delete application privilege API>>.
For more information, see
{stack-ov}/defining-roles.html#roles-application-priv[Application privileges].
To check a user's application privileges, use the
<<security-api-has-privileges,has privileges API>>.
==== Request Body
The body is a JSON object where the names of the fields are the application
names and the value of each field is an object. The fields in this inner
object are the names of the privileges and each value is a JSON object that
includes the following fields:
`actions`:: (array-of-string) A list of action names that are granted by this
privilege. This field must exist and cannot be an empty array.
`metadata`:: (object) Optional meta-data. Within the `metadata` object, keys
that begin with `_` are reserved for system usage.
[[security-api-app-privileges-validation]]
==== Validation
Application Names::
Application names are formed from a _prefix_, with an optional _suffix_ that
conform to the following rules:
* The prefix must begin with a lowercase ASCII letter
* The prefix must contain only ASCII letters or digits
* The prefix must be at least 3 characters long
* If the suffix exists, it must begin with either `-` or `_`
* The suffix cannot contain any of the following characters:
`\\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, `,`, `*`
* No part of the name can contain whitespace.
Privilege Names::
Privilege names must begin with a lowercase ASCII letter and must contain
only ASCII letters and digits along with the characters `_`, `-` and `.`
Action Names::
Action names can contain any number of printable ASCII characters and must
contain at least one of the following characters: `/` `*`, `:`
==== Authorization
To use this API, you must have either:
- the `manage_security` cluster privilege (or a greater privilege such as `all`); _or_
- the _"Manage Application Privileges"_ global privilege for the application being referenced
in the request
==== Examples
To add a single privilege, submit a PUT or POST request to the
`/_xpack/security/privilege/<application>/<privilege>` endpoint. For example:
[source,js]
--------------------------------------------------
PUT /_xpack/security/privilege
{
"myapp": {
"read": {
"actions": [ <1>
"data:read/*" , <2>
"action:login" ],
"metadata": { <3>
"description": "Read access to myapp"
}
}
}
}
--------------------------------------------------
// CONSOLE
<1> These strings have significance within the "myapp" application. {es} does not
assign any meaning to them.
<2> The use of a wildcard here (`*`) means that this privilege grants access to
all actions that start with `data:read/`. {es} does not assign any meaning
to these actions. However, if the request includes an application privilege
such as `data:read/users` or `data:read/settings`, the
<<security-api-has-privileges,has privileges API>> respects the use of a
wildcard and returns `true`.
<3> The metadata object is optional.
A successful call returns a JSON structure that shows whether the privilege has
been created or updated.
[source,js]
--------------------------------------------------
{
"myapp": {
"read": {
"created": true <1>
}
}
}
--------------------------------------------------
// TESTRESPONSE
<1> When an existing privilege is updated, `created` is set to false.
To add multiple privileges, submit a POST request to the
`/_xpack/security/privilege/` endpoint. For example:
[source,js]
--------------------------------------------------
PUT /_xpack/security/privilege
{
"app01": {
"read": {
"actions": [ "action:login", "data:read/*" ]
},
"write": {
"actions": [ "action:login", "data:write/*" ]
}
},
"app02": {
"all": {
"actions": [ "*" ]
}
}
}
--------------------------------------------------
// CONSOLE
A successful call returns a JSON structure that shows whether the privileges
have been created or updated.
[source,js]
--------------------------------------------------
{
"app02": {
"all": {
"created": true
}
},
"app01": {
"read": {
"created": true
},
"write": {
"created": true
}
}
}
--------------------------------------------------
// TESTRESPONSE

View File

@ -9,7 +9,10 @@ A role is defined by the following JSON structure:
{ {
"run_as": [ ... ], <1> "run_as": [ ... ], <1>
"cluster": [ ... ], <2> "cluster": [ ... ], <2>
"indices": [ ... ] <3> "global": { ... }, <3>
"indices": [ ... ], <4>
"applications": [ ... ] <5>
} }
----- -----
// NOTCONSOLE // NOTCONSOLE
@ -19,8 +22,15 @@ A role is defined by the following JSON structure:
cluster level actions users with this role are able to execute. This field cluster level actions users with this role are able to execute. This field
is optional (missing `cluster` privileges effectively mean no cluster level is optional (missing `cluster` privileges effectively mean no cluster level
permissions). permissions).
<3> A list of indices permissions entries. This field is optional (missing `indices` <3> An object defining global privileges. A global privilege is a form of
cluster privilege that is request sensitive. A standard cluster privilege
makes authorization decisions based solely on the action being executed.
A global privilege also considers the parameters included in the request.
Support for global privileges is currently limited to the management of
application privileges. This field is optional.
<4> A list of indices permissions entries. This field is optional (missing `indices`
privileges effectively mean no index level permissions). privileges effectively mean no index level permissions).
<5> A list of application privilege entries. This field is optional.
[[valid-role-name]] [[valid-role-name]]
NOTE: Role names must be at least 1 and no more than 1024 characters. They can NOTE: Role names must be at least 1 and no more than 1024 characters. They can
@ -28,6 +38,9 @@ NOTE: Role names must be at least 1 and no more than 1024 characters. They can
punctuation, and printable symbols in the https://en.wikipedia.org/wiki/Basic_Latin_(Unicode_block)[Basic Latin (ASCII) block]. punctuation, and printable symbols in the https://en.wikipedia.org/wiki/Basic_Latin_(Unicode_block)[Basic Latin (ASCII) block].
Leading or trailing whitespace is not allowed. Leading or trailing whitespace is not allowed.
[[roles-indices-priv]]
==== Indices Privileges
The following describes the structure of an indices permissions entry: The following describes the structure of an indices permissions entry:
[source,js] [source,js]
@ -77,8 +90,60 @@ names or regular expressions that refer to multiple indices.
------------------------------------------------------------------------------ ------------------------------------------------------------------------------
============================================================================== ==============================================================================
The following snippet shows an example definition of a `clicks_admin` role: [[roles-global-priv]]
==== Global Privileges
The following describes the structure of a global privileges entry:
[source,js]
-------
{
"application": {
"manage": { <1>
"applications": [ ... ] <2>
}
}
}
-------
// NOTCONSOLE
<1> The only supported global privilege is the ability to manage application
privileges
<2> The list of application names that may be managed. This list supports
wildcards (e.g. `"myapp-*"`) and regular expressions (e.g.
`"/app[0-9]*/"`)
[[roles-application-priv]]
==== Application Privileges
The following describes the structure of an application privileges entry:
[source,js]
-------
{
"application": "my_app", <1>
"privileges": [ ... ], <2>
"resources": [ ... ] <3>
}
-------
// NOTCONSOLE
<1> The name of the application.
<2> The list of the names of the application privileges to grant to this role.
<3> The resources to which those privileges apply. These are handled in the same
way as index name pattern in `indices` permissions. These resources do not
have any special meaning to {security}.
For details about the validation rules for these fields, see the
{ref}/security-api-put-privileges.html[add application privileges API].
A role may refer to application privileges that do not exist - that is, they
have not yet been defined through the add application privileges API (or they
were defined, but have since been deleted). In this case, the privilege has
no effect, and will not grant any actions in the
{ref}/security-api-has-privileges.html[has privileges API].
==== Example
The following snippet shows an example definition of a `clicks_admin` role:
[source,js] [source,js]
----------- -----------
POST /_xpack/security/role/clicks_admin POST /_xpack/security/role/clicks_admin

View File

@ -1,6 +1,6 @@
{ {
"xpack.security.has_privileges": { "xpack.security.has_privileges": {
"documentation": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-privileges.html", "documentation": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-has-privileges.html",
"methods": [ "GET", "POST" ], "methods": [ "GET", "POST" ],
"url": { "url": {
"path": "/_xpack/security/user/_has_privileges", "path": "/_xpack/security/user/_has_privileges",