OpenSearch/docs/en/security/reference/privileges.asciidoc

134 lines
4.3 KiB
Plaintext

[[security-privileges]]
=== Security Privileges
This section lists the privileges that you can assign to a role.
[[privileges-list-cluster]]
==== Cluster Privileges
[horizontal]
`all`::
All cluster administration operations, like snapshotting, node shutdown/restart,
settings update, rerouting, or managing users and roles.
`monitor`::
All cluster read-only operations, like cluster health & state, hot threads, node
info, node & cluster stats, snapshot/restore status, pending cluster tasks.
`monitor_ml`::
All read only {ml} operations, such as getting information about {dfeeds}, jobs,
model snapshots, or results.
`monitor_watcher`::
All read only watcher operations, such as getting a watch and watcher stats.
`manage`::
Builds on `monitor` and adds cluster operations that change values in the cluster.
This includes snapshotting, updating settings, and rerouting. This privilege does
not include the ability to manage security.
`manage_index_templates`::
All operations on index templates.
`manage_ml`::
All {ml} operations, such as creating and deleting {dfeeds}, jobs, and model
snapshots.
+
--
NOTE: {dfeeds-cap} that were created prior to version 6.2 or created when {security}
was disabled run as a system user with elevated privileges, including permission
to read all indices. Newer {dfeeds} run with the security roles of the user who created
or updated them.
--
`manage_pipeline`::
All operations on ingest pipelines.
`manage_security`::
All security related operations such as CRUD operations on users and roles and
cache clearing.
`manage_watcher`::
All watcher operations, such as putting watches, executing, activate or acknowledging.
+
--
NOTE: Watches that were created prior to version 6.1 or created when {security}
was disabled run as a system user with elevated privileges, including permission
to read and write all indices. Newer watches run with the security roles of the user
who created or updated them.
--
`transport_client`::
All privileges necessary for a transport client to connect. Required by the remote
cluster to enable <<cross-cluster-configuring,Cross Cluster Search>>.
[[privileges-list-indices]]
==== Indices Privileges
[horizontal]
`all`::
Any action on an index
`monitor`::
All actions that are required for monitoring (recovery, segments info, index stats
& status).
`manage`::
All `monitor` privileges plus index administration (aliases, analyze, cache clear,
close, delete, exists, flush, mapping, open, force merge, refresh, settings,
search shards, templates, validate).
`view_index_metadata`::
Read-only access to index metadata (aliases, aliases exists, get index, exists, field mappings,
mappings, search shards, type exists, validate, warmers, settings). This
privilege is primarily available for use by {kib} users.
`read`::
Read only access to actions (count, explain, get, mget, get indexed scripts,
more like this, multi percolate/search/termvector, percolate, scroll,
clear_scroll, search, suggest, tv).
`read_cross_cluster`::
Read only access to the search action from a <<cross-cluster-configuring,remote cluster>>.
`index`::
Privilege to index and update documents. Also grants access to the update
mapping action.
`create`::
Privilege to index documents. Also grants access to the update mapping
action.
+
--
NOTE: This privilege does not restrict the index operation to the creation
of documents but instead restricts API use to the index API. The index API allows a user
to overwrite a previously indexed document.
--
`delete`::
Privilege to delete documents.
`write`::
Privilege to perform all write operations to documents, which includes the
permission to index, update, and delete documents as well as performing bulk
operations. Also grants access to the update mapping action.
`delete_index`::
Privilege to delete an index.
`create_index`::
Privilege to create an index. A create index request may contain aliases to be
added to the index once created. In that case the request requires the `manage`
privilege as well, on both the index and the aliases names.
==== Run As Privilege
The `run_as` permission enables an authenticated user to submit requests on
behalf of another user. The value can be a user name or a comma-separated list
of user names. (You can also specify users as an array of strings or a YAML
sequence.) For more information, see
<<run-as-privilege, Submitting Requests on Behalf of Other Users>>.