OpenSearch/x-pack/docs/en/rest-api/security/put-app-privileges.asciidoc

164 lines
4.6 KiB
Plaintext

[role="xpack"]
[[security-api-put-privileges]]
=== Create or update application privileges API
Adds or updates
{stack-ov}/security-privileges.html#application-privileges[application privileges].
==== Request
`POST /_security/privilege` +
`PUT /_security/privilege`
==== Description
This API creates or updates privileges. To remove privileges, use the
<<security-api-delete-privilege,delete application privilege API>>.
For more information, see
{stack-ov}/defining-roles.html#roles-application-priv[Application privileges].
To check a user's application privileges, use the
<<security-api-has-privileges,has privileges API>>.
==== Request Body
The body is a JSON object where the names of the fields are the application
names and the value of each field is an object. The fields in this inner
object are the names of the privileges and each value is a JSON object that
includes the following fields:
`actions`:: (array-of-string) A list of action names that are granted by this
privilege. This field must exist and cannot be an empty array.
`metadata`:: (object) Optional meta-data. Within the `metadata` object, keys
that begin with `_` are reserved for system usage.
[[security-api-app-privileges-validation]]
==== Validation
Application Names::
Application names are formed from a _prefix_, with an optional _suffix_ that
conform to the following rules:
* The prefix must begin with a lowercase ASCII letter
* The prefix must contain only ASCII letters or digits
* The prefix must be at least 3 characters long
* If the suffix exists, it must begin with either `-` or `_`
* The suffix cannot contain any of the following characters:
`\\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, `,`, `*`
* No part of the name can contain whitespace.
Privilege Names::
Privilege names must begin with a lowercase ASCII letter and must contain
only ASCII letters and digits along with the characters `_`, `-` and `.`
Action Names::
Action names can contain any number of printable ASCII characters and must
contain at least one of the following characters: `/` `*`, `:`
==== Authorization
To use this API, you must have either:
- the `manage_security` cluster privilege (or a greater privilege such as `all`); _or_
- the _"Manage Application Privileges"_ global privilege for the application being referenced
in the request
==== Examples
To add a single privilege, submit a PUT or POST request to the
`/_security/privilege/<application>/<privilege>` endpoint. For example:
[source,js]
--------------------------------------------------
PUT /_security/privilege
{
"myapp": {
"read": {
"actions": [ <1>
"data:read/*" , <2>
"action:login" ],
"metadata": { <3>
"description": "Read access to myapp"
}
}
}
}
--------------------------------------------------
// CONSOLE
<1> These strings have significance within the "myapp" application. {es} does not
assign any meaning to them.
<2> The use of a wildcard here (`*`) means that this privilege grants access to
all actions that start with `data:read/`. {es} does not assign any meaning
to these actions. However, if the request includes an application privilege
such as `data:read/users` or `data:read/settings`, the
<<security-api-has-privileges,has privileges API>> respects the use of a
wildcard and returns `true`.
<3> The metadata object is optional.
A successful call returns a JSON structure that shows whether the privilege has
been created or updated.
[source,js]
--------------------------------------------------
{
"myapp": {
"read": {
"created": true <1>
}
}
}
--------------------------------------------------
// TESTRESPONSE
<1> When an existing privilege is updated, `created` is set to false.
To add multiple privileges, submit a POST request to the
`/_security/privilege/` endpoint. For example:
[source,js]
--------------------------------------------------
PUT /_security/privilege
{
"app01": {
"read": {
"actions": [ "action:login", "data:read/*" ]
},
"write": {
"actions": [ "action:login", "data:write/*" ]
}
},
"app02": {
"all": {
"actions": [ "*" ]
}
}
}
--------------------------------------------------
// CONSOLE
A successful call returns a JSON structure that shows whether the privileges
have been created or updated.
[source,js]
--------------------------------------------------
{
"app02": {
"all": {
"created": true
}
},
"app01": {
"read": {
"created": true
},
"write": {
"created": true
}
}
}
--------------------------------------------------
// TESTRESPONSE