OpenSearch/elasticsearch/qa/shield-reindex-tests/roles.yml

78 lines
1.6 KiB
YAML

admin:
cluster:
- all
indices:
- names: '*'
privileges: [ all ]
run_as:
- '*'
# Search and write on both source and destination indices. It should work if you could just search on the source and
# write to the destination but that isn't how shield works.
minimal:
indices:
- names: source
privileges:
- read
- write
- create_index
- indices:admin/refresh
- names: dest
privileges:
- read
- write
- create_index
- indices:admin/refresh
# Read only operations on indices
readonly:
indices:
- names: '*'
privileges: [ read ]
# Write operations on destination index, none on source index
dest_only:
indices:
- names: dest
privileges: [ write ]
# Search and write on both source and destination indices with document level security filtering out some docs.
can_not_see_hidden_docs:
indices:
- names: source
privileges:
- read
- write
- create_index
- indices:admin/refresh
query:
bool:
must_not:
match:
hidden: true
- names: dest
privileges:
- read
- write
- create_index
- indices:admin/refresh
# Search and write on both source and destination indices with field level security.
can_not_see_hidden_fields:
indices:
- names: source
privileges:
- read
- write
- create_index
- indices:admin/refresh
fields:
- foo
- bar
- names: dest
privileges:
- read
- write
- create_index
- indices:admin/refresh