133 lines
5.8 KiB
Plaintext
133 lines
5.8 KiB
Plaintext
[[authorization]]
|
|
== Authorization
|
|
|
|
Shield introduces the concept of _action authorization_ to Elasticsearch. Action authorization restricts the actions
|
|
users can execute on the cluster. Shield implements authorization as Role Based Access Control (RBAC), where all
|
|
actions are restricted by default. Users are associated with roles that define a set of actions that are allowed
|
|
for those users.
|
|
|
|
[[roles]]
|
|
[float]
|
|
=== Roles, Permissions and Privileges
|
|
|
|
Privileges are actions or a set of actions that users may execute in Elasticsearch. For example, the ability to run a
|
|
query is a privilege.
|
|
|
|
A permission is a set of privileges associated with one or more secured objects. For example, a permission could allow
|
|
querying or reading all documents of index `i1`. There are two types of secured objects in Elasticsearch -
|
|
cluster and indices. Cluster permissions grant access to cluster-wide administrative and monitoring actions. Index
|
|
permissions grant data access, including administrative and monitoring actions on specific indices in the cluster.
|
|
|
|
A role is a named set of permissions. For example, you could define a role as a logging administrator. The logging
|
|
administrator is allowed to take all actions on indices named `logs-*`.
|
|
|
|
As an administrator, you will need to define the roles that you want to use, then assign users to the roles.
|
|
|
|
[[roles-file]]
|
|
[float]
|
|
==== The Role Definition File `roles.yml`
|
|
|
|
Roles are defined in the role definition file `roles.yml` located under Shield's <<shield-config,config>> directory.
|
|
This is a YAML file where each entry defines the unique role name and the cluster and indices permissions associated
|
|
with it.
|
|
|
|
[IMPORTANT]
|
|
==============================
|
|
The `roles.yml` file is managed locally by the node and is not managed globally by the cluster. This means that
|
|
with a typical multi-node cluster, the exact same changes need to be applied on each and every node in the cluster.
|
|
|
|
A safer approach would be to apply the change on one of the nodes and have the `roles.yml` distributed/copied to
|
|
all other nodes in the cluster (either manually or using a configuration management system such as Puppet or Chef).
|
|
==============================
|
|
|
|
The following snippet shows an example configuration:
|
|
|
|
[source,yaml]
|
|
-----------------------------------
|
|
# All cluster rights
|
|
# All operations on all indices
|
|
admin:
|
|
cluster: all
|
|
indices:
|
|
'*': all
|
|
|
|
# Monitoring cluster privileges
|
|
# All operations on all indices
|
|
power_user:
|
|
cluster: monitor
|
|
indices:
|
|
'*': all
|
|
|
|
# Only read operations on indices
|
|
user:
|
|
indices:
|
|
'*': read
|
|
|
|
# Only read operations on indices named events_*
|
|
events_user:
|
|
indices:
|
|
'events_*': read
|
|
-----------------------------------
|
|
|
|
[[valid-role-name]]
|
|
NOTE: A valid role name must be at least 1 character and no longer than 30 characters. It must begin with a letter
|
|
(`a-z`) or an underscore (`_`). Subsequent characters can be letters, underscores (`_`), digits (`0-9`) or any
|
|
of the following symbols `@`, `-`, `.` or `$`
|
|
|
|
|
|
The above example defines these roles:
|
|
|
|
|=======================
|
|
| `admin` | Has full access (all privileges) on the cluster and full access on all indices in the cluster.
|
|
| `power_user` | Has monitoring-only access on the cluster, enabling the user to request cluster metrics, information,
|
|
and settings, without the ability to update settings. This user also has full access on all indices in
|
|
the cluster.
|
|
| `user` | Cannot update or monitor the cluster. Has read-only access to all indices in the cluster.
|
|
| `events_user` | Has read-only access to all indices with the `events_` prefix.
|
|
|=======================
|
|
|
|
See the complete list of available <<privileges-list, cluster and indices privileges>>.
|
|
|
|
[float]
|
|
==== Action Level Access Control
|
|
|
|
The Shield security plugin enables access to specific actions in Elasticsearch. Access control using specific actions
|
|
provides a finer level of granularity than roles based on named privileges.
|
|
|
|
The role in the following example allows access to document `GET` actions for a specific index and nothing else:
|
|
|
|
.Example Role Using Action-level Access Control
|
|
[source,yaml]
|
|
---------------------------------------------------
|
|
# Only GET read action on index named events_index
|
|
get_user:
|
|
indices:
|
|
'events_index': 'indices:data/read/get'
|
|
---------------------------------------------------
|
|
|
|
See the complete list of available <<ref-actions-list, cluster and indices actions>>.
|
|
|
|
TIP: When specifying index names, you can use indices and aliases with their full names or regular expressions that
|
|
refer to multiple indices.
|
|
|
|
* Wildcard (default) - simple wildcard matching where `*` is a placeholder for zero or more characters, `?` is a
|
|
placeholder for a single character and `\` may be used as an escape character.
|
|
|
|
* Regular Expressions - A more powerful syntax for matching more complex patterns. This regular expression is based on
|
|
Lucene's regexp automaton syntax. To enable this syntax, it must be wrapped within a pair of forward slashes (`/`).
|
|
Any pattern starting with `/` and not ending with `/` is considered to be malformed.
|
|
|
|
.Example Regular Expressions
|
|
[source,yaml]
|
|
------------------------------------------------------------------------------------
|
|
"foo-bar": all # match the literal `foo-bar`
|
|
"foo-*": all # match anything beginning with "foo-"
|
|
"logstash-201?-*": all # ? matches any one character
|
|
"/.*-201[0-9]-.*/": all # use a regex to match anything containing 2010-2019
|
|
"/foo": all # syntax error - missing final /
|
|
------------------------------------------------------------------------------------
|
|
|
|
TIP: Once the roles are defined, users can then be associated with any number of these roles. In the
|
|
<<authentication,next section>> we'll learn more about authentication and see how users can be associated with the
|
|
configured roles.
|