210 lines
5.5 KiB
Plaintext
210 lines
5.5 KiB
Plaintext
[role="xpack"]
|
|
[[securing-aliases]]
|
|
=== Granting privileges for data streams and index aliases
|
|
|
|
{es} {security-features} allow you to secure operations executed against
|
|
<<data-streams,data streams>> and <<indices-aliases,index aliases>>.
|
|
|
|
[[data-stream-privileges]]
|
|
==== Data stream privileges
|
|
|
|
A data stream consists of one or more backing indices, which store the stream's
|
|
data. Most requests sent to a data stream are routed to one or more of these
|
|
backing indices.
|
|
|
|
Similar to an index, you can use <<privileges-list-indices,indices privileges>>
|
|
to control access to a data stream. Any role or user granted privileges to a
|
|
data stream are automatically granted the same privileges to its backing
|
|
indices.
|
|
|
|
.*Example*
|
|
[%collapsible]
|
|
====
|
|
`logs` is a data stream that consists of two backing indices: `.ds-logs-000001`
|
|
and `.ds-logs-000002`.
|
|
|
|
A user is granted the `read` privilege to the `logs` data stream.
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
{
|
|
"names" : [ "logs" ],
|
|
"privileges" : [ "read" ]
|
|
}
|
|
--------------------------------------------------
|
|
// NOTCONSOLE
|
|
|
|
Because the user is automatically granted the same privileges to the stream's
|
|
backing indices, the user can retrieve a document directly from `.ds-logs-000002`:
|
|
|
|
////
|
|
[source,console]
|
|
----
|
|
PUT /_index_template/logs_data_stream
|
|
{
|
|
"index_patterns": [ "logs*" ],
|
|
"data_stream": {
|
|
"timestamp_field": "@timestamp"
|
|
},
|
|
"template": {
|
|
"mappings": {
|
|
"properties": {
|
|
"@timestamp": {
|
|
"type": "date"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
PUT /_data_stream/logs
|
|
|
|
POST /logs/_rollover/
|
|
|
|
PUT /logs/_create/2?refresh=wait_for
|
|
{
|
|
"@timestamp": "2020-12-07T11:06:07.000Z"
|
|
}
|
|
----
|
|
////
|
|
|
|
[source,console]
|
|
----
|
|
GET /.ds-logs-000002/_doc/2
|
|
----
|
|
// TEST[continued]
|
|
|
|
Later the `logs` data stream <<manually-roll-over-a-data-stream,rolls over>>.
|
|
This creates a new backing index: `.ds-logs-000003`. Because the user still has
|
|
the `read` privilege for the `logs` data stream, the user can retrieve documents
|
|
directly from `.ds-logs-000003`:
|
|
|
|
////
|
|
[source,console]
|
|
----
|
|
POST /logs/_rollover/
|
|
|
|
PUT /logs/_create/2?refresh=wait_for
|
|
{
|
|
"@timestamp": "2020-12-07T11:06:07.000Z"
|
|
}
|
|
----
|
|
// TEST[continued]
|
|
////
|
|
|
|
[source,console]
|
|
----
|
|
GET /.ds-logs-000003/_doc/2
|
|
----
|
|
// TEST[continued]
|
|
|
|
////
|
|
[source,console]
|
|
----
|
|
DELETE /_data_stream/*
|
|
|
|
DELETE /_index_template/*
|
|
----
|
|
// TEST[continued]
|
|
////
|
|
====
|
|
|
|
[[index-alias-privileges]]
|
|
==== Index alias privileges
|
|
|
|
An index alias points to one or more indices,
|
|
holds metadata and potentially a filter. The {es} {security-features} treat
|
|
aliases and indices
|
|
the same. Privileges for indices actions are granted on specific indices or
|
|
aliases. In order for an indices action to be authorized, the user that executes
|
|
it needs to have permissions for that action on all the specific indices or
|
|
aliases that the request relates to.
|
|
|
|
Let's look at an example. Assuming we have an index called `2015`, an alias that
|
|
points to it called `current_year`, and a user with the following role:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
{
|
|
"names" : [ "2015" ],
|
|
"privileges" : [ "read" ]
|
|
}
|
|
--------------------------------------------------
|
|
// NOTCONSOLE
|
|
|
|
The user attempts to retrieve a document from `current_year`:
|
|
|
|
[source,console]
|
|
-------------------------------------------------------------------------------
|
|
GET /current_year/event/1
|
|
-------------------------------------------------------------------------------
|
|
// TEST[s/^/PUT 2015\n{"aliases": {"current_year": {}}}\nPUT 2015\/event\/1\n{}\n/]
|
|
|
|
The above request gets rejected, although the user has `read` privilege on the
|
|
concrete index that the `current_year` alias points to. The correct permission
|
|
would be as follows:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
{
|
|
"names" : [ "current_year" ],
|
|
"privileges" : [ "read" ]
|
|
}
|
|
--------------------------------------------------
|
|
// NOTCONSOLE
|
|
|
|
[float]
|
|
==== Managing aliases
|
|
|
|
Unlike creating indices, which requires the `create_index` privilege, adding,
|
|
removing and retrieving aliases requires the `manage` permission. Aliases can be
|
|
added to an index directly as part of the index creation:
|
|
|
|
[source,console]
|
|
-------------------------------------------------------------------------------
|
|
PUT /2015
|
|
{
|
|
"aliases" : {
|
|
"current_year" : {}
|
|
}
|
|
}
|
|
-------------------------------------------------------------------------------
|
|
|
|
or via the dedicated aliases api if the index already exists:
|
|
|
|
[source,console]
|
|
-------------------------------------------------------------------------------
|
|
POST /_aliases
|
|
{
|
|
"actions" : [
|
|
{ "add" : { "index" : "2015", "alias" : "current_year" } }
|
|
]
|
|
}
|
|
-------------------------------------------------------------------------------
|
|
// TEST[s/^/PUT 2015\n/]
|
|
|
|
The above requests both require the `manage` privilege on the alias name as well
|
|
as the targeted index, as follows:
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
{
|
|
"names" : [ "20*", "current_year" ],
|
|
"privileges" : [ "manage" ]
|
|
}
|
|
--------------------------------------------------
|
|
// NOTCONSOLE
|
|
|
|
The index aliases api also allows also to delete aliases from existing indices.
|
|
The privileges required for such a request are the same as above. Both index and
|
|
alias need the `manage` permission.
|
|
|
|
|
|
[float]
|
|
==== Filtered aliases
|
|
|
|
Aliases can hold a filter, which allows to select a subset of documents that can
|
|
be accessed out of all the documents that the physical index contains. These
|
|
filters are not always applied and should not be used in place of
|
|
<<document-level-security, document level security>>.
|