146 lines
4.1 KiB
Plaintext
146 lines
4.1 KiB
Plaintext
[role="xpack"]
|
|
[[security-api-roles]]
|
|
=== Role Management APIs
|
|
|
|
The Roles API enables you to add, remove, and retrieve roles in the `native`
|
|
realm. To use this API, you must have at least the `manage_security` cluster
|
|
privilege.
|
|
|
|
NOTE: The Roles API is now the preferred way to manage roles.
|
|
|
|
[[security-api-put-role]]
|
|
To add a role, submit a PUT or POST request to the `/_xpack/security/role/<rolename>`
|
|
endpoint:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
POST /_xpack/security/role/my_admin_role
|
|
{
|
|
"cluster": ["all"],
|
|
"indices": [
|
|
{
|
|
"names": [ "index1", "index2" ],
|
|
"privileges": ["all"],
|
|
"field_security" : { // optional
|
|
"grant" : [ "title", "body" ]
|
|
},
|
|
"query": "{\"match\": {\"title\": \"foo\"}}" // optional
|
|
}
|
|
],
|
|
"run_as": [ "other_user" ], // optional
|
|
"metadata" : { // optional
|
|
"version" : 1
|
|
}
|
|
}
|
|
--------------------------------------------------
|
|
// CONSOLE
|
|
|
|
The `name`, `cluster`, and `indices` fields are required at the top-level.
|
|
Within the `indices` array, the `names` and `privileges` fields are required.
|
|
Within the `metadata` object, keys beginning with `_` are reserved for system
|
|
usage.
|
|
|
|
The `field_security` and `query` fields are both optional. They are used to
|
|
implement field and document level security. For more information, see
|
|
{xpack-ref}/field-and-document-access-control.html[Setting Up Field and Document Level Security].
|
|
|
|
A successful call returns a JSON structure that shows whether the role has been
|
|
created or updated.
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
{
|
|
"role": {
|
|
"created": true <1>
|
|
}
|
|
}
|
|
--------------------------------------------------
|
|
// TESTRESPONSE
|
|
<1> When an existing role is updated, `created` is set to false.
|
|
|
|
[[security-api-get-role]]
|
|
To retrieve a role from the `native` Security realm, issue a GET request to the
|
|
`/_xpack/security/role/<rolename>` endpoint:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
GET /_xpack/security/role/my_admin_role
|
|
--------------------------------------------------
|
|
// CONSOLE
|
|
// TEST[continued]
|
|
|
|
A successful call returns an array of roles with the JSON representation of the
|
|
role. If the role is not defined in the `native` realm, the request 404s.
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
{
|
|
"my_admin_role": {
|
|
"cluster" : [ "all" ],
|
|
"indices" : [ {
|
|
"names" : [ "index1", "index2" ],
|
|
"privileges" : [ "all" ],
|
|
"field_security" : {
|
|
"grant" : [ "title", "body" ]
|
|
},
|
|
"query" : "{\"match\": {\"title\": \"foo\"}}"
|
|
} ],
|
|
"run_as" : [ "other_user" ],
|
|
"metadata" : {
|
|
"version" : 1
|
|
},
|
|
"transient_metadata": {
|
|
"enabled": true
|
|
}
|
|
}
|
|
}
|
|
--------------------------------------------------
|
|
// TESTRESPONSE
|
|
|
|
You can specify multiple roles as a comma-separated list. To retrieve all roles,
|
|
omit the role name.
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
# Retrieve roles "r1", "r2", and "my_admin_role"
|
|
GET /_xpack/security/role/r1,r2,my_admin_role
|
|
|
|
# Retrieve all roles
|
|
GET /_xpack/security/role
|
|
--------------------------------------------------
|
|
// CONSOLE
|
|
// TEST[continued]
|
|
|
|
[[security-api-delete-role]]
|
|
To delete a role, submit a DELETE request to the `/_xpack/security/role/<rolename>`
|
|
endpoint:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
DELETE /_xpack/security/role/my_admin_role
|
|
--------------------------------------------------
|
|
// CONSOLE
|
|
// TEST[continued]
|
|
|
|
If the role is successfully deleted, the request returns `{"found": true}`.
|
|
Otherwise, `found` is set to false.
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
{
|
|
"found" : true
|
|
}
|
|
--------------------------------------------------
|
|
// TESTRESPONSE
|
|
|
|
[[security-api-clear-role-cache]]
|
|
The Clear Roles Cache API evicts roles from the native role cache. To clear the
|
|
cache for a role, submit a POST request `/_xpack/security/role/<rolename>/_clear_cache`
|
|
endpoint:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
POST /_xpack/security/role/my_admin_role/_clear_cache
|
|
--------------------------------------------------
|
|
// CONSOLE
|