Use the more verbose format in the default roles.yml and docs.

Closes elastic/elasticsearch#529 Original commit: elastic/x-pack-elasticsearch@9bde530a9c
2015-09-09 12:54:41 +02:00 · 2015-09-09 12:54:41 +02:00 · fd4058f921
parent 14c21786ee
commit fd4058f921
3 changed files with 42 additions and 41 deletions
--- a/shield/config/shield/roles.yml
+++ b/shield/config/shield/roles.yml
@ -1,19 +1,22 @@
 admin:
  cluster: all
  indices:
-    '*': all
+    '*':
+      privileges: all

 # monitoring cluster privileges
 # All operations on all indices
 power_user:
  cluster: monitor
  indices:
-    '*': all
+    '*':
+      privileges: all

 # Read-only operations on indices
 user:
  indices:
-    '*': read
+    '*':
+      privileges: read

 # Defines the required permissions for transport clients
 transport_client:
@ -26,8 +29,10 @@ transport_client:
 kibana3:
  cluster: cluster:monitor/nodes/info
  indices:
-    '*': indices:data/read/search, indices:data/read/get, indices:admin/get
-    'kibana-int': indices:data/read/search, indices:data/read/get, indices:data/write/delete, indices:data/write/index, create_index
+    '*':
+      privileges: indices:data/read/search, indices:data/read/get, indices:admin/get
+    'kibana-int':
+      privileges: indices:data/read/search, indices:data/read/get, indices:data/write/delete, indices:data/write/index, create_index

 # The required permissions for kibana 4 users.
 kibana4:
@ -36,24 +41,9 @@ kibana4:
      - cluster:monitor/health 
  indices:
    '*':
-      - indices:admin/mappings/fields/get
-      - indices:admin/validate/query
-      - indices:data/read/search
-      - indices:data/read/msearch
-      - indices:admin/get 
+      privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:admin/get
    '.kibana':
-      - indices:admin/exists
-      - indices:admin/mapping/put
-      - indices:admin/mappings/fields/get
-      - indices:admin/refresh
-      - indices:admin/validate/query
-      - indices:data/read/get
-      - indices:data/read/mget
-      - indices:data/read/search
-      - indices:data/write/delete
-      - indices:data/write/index
-      - indices:data/write/update
-      - indices:admin/create
+      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update, indices:admin/create

 # The required permissions for the kibana 4 server
 kibana4_server:
@ -62,33 +52,26 @@ kibana4_server:
      - cluster:monitor/health
  indices:
    '.kibana':
-      - indices:admin/exists
-      - indices:admin/mapping/put
-      - indices:admin/mappings/fields/get
-      - indices:admin/refresh
-      - indices:admin/validate/query
-      - indices:data/read/get
-      - indices:data/read/mget
-      - indices:data/read/search
-      - indices:data/write/delete
-      - indices:data/write/index
-      - indices:data/write/update
+      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

 # The required role for logstash users
 logstash:
  cluster: indices:admin/template/get, indices:admin/template/put
  indices:
-    'logstash-*': indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index
+    'logstash-*':
+      privileges: indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index

 # Marvel role, allowing all operations
 # on the marvel indices
 marvel_user:
  cluster: cluster:monitor/nodes/info, cluster:admin/plugin/license/get
  indices:
-    '.marvel-*': all
+    '.marvel-*':
+      privileges: all

 # Marvel Agent users
 marvel_agent:
  cluster: indices:admin/template/get, indices:admin/template/put
  indices:
-    '.marvel-*': indices:data/write/bulk, create_index
+    '.marvel-*':
+      privileges: indices:data/write/bulk, create_index
--- a/shield/docs/public/configuring-rbac.asciidoc
+++ b/shield/docs/public/configuring-rbac.asciidoc
@ -47,24 +47,28 @@ The following snippet shows an example configuration:
 admin:
  cluster: all
  indices:
-    '*': all
+    '*':
+      privileges: all

 # Monitoring cluster privileges
 # All operations on all indices
 power_user:
  cluster: monitor
  indices:
-    '*': all
+    '*':
+      privileges: all

 # Only read operations on indices
 user:
  indices:
-    '*': read
+    '*':
+      privileges: read

 # Only read operations on indices named events_*
 events_user:
  indices:
-    'events_*': read
+    'events_*':
+      privileges: read
 -----------------------------------

 [[valid-role-name]]
@ -100,7 +104,8 @@ The role in the following example allows access to document `GET` actions for a
 # Only GET read action on index named events_index
 get_user:
  indices:
-    'events_index': 'indices:data/read/get'
+    'events_index':
+      privileges: 'indices:data/read/get'
 ---------------------------------------------------

 See the complete list of available <<ref-actions-list, cluster and indices actions>>.
@ -129,6 +134,18 @@ TIP: Once the roles are defined, users can then be associated with any number of
 <<setting-up-authentication,Setting Up Authentication>> we'll learn more about authentication and see how users can be associated with the 
 configured roles.

+The privileges can also directly be set on an index expression. This notation is useful if no other security features
+are configured.
+
+.Shorter privileges notation
+[source,yaml]
+---------------------------------------------------
+# Only GET read action on index named events_index
+get_user:
+  indices:
+    'events_index': 'indices:data/read/get'
+---------------------------------------------------
+
 include::granting-alias-privileges.asciidoc[]

 include::mapping-roles.asciidoc[]
--- a/shield/docs/public/release-notes.asciidoc
+++ b/shield/docs/public/release-notes.asciidoc
@ -34,6 +34,7 @@ The default role definitions in the `roles.yml` file may need to be changed to e
 applications such as Marvel and Kibana. Any role changes will be found in `roles.yml.new` after upgrading to the new
 version of Shield. We recommend copying the changes listed below to your `roles.yml` file.

+* added[2.0.0-beta2] The permission on all the roles are updated to the verbose format to make it easer to enable field level and document level security.
 * added[1.1.0] `kibana4_server` role added that defines the minimum set of permissions necessary for the Kibana 4 server.
 * added[1.0.1] `kibana4` role updated to work with new features in Kibana 4 RC1