To use this API, you must have one of the following privileges:
- The manage_security cluster privilege (or a greater privilege such as all).
- The "Manage Application Privileges" global privilege for the application being referenced in the request.
Application names are formed from a prefix, with an optional suffix, and must conform to the following rules:
- The prefix must begin with a lowercase ASCII letter.
- The prefix must contain only ASCII letters or digits.
- The prefix must be at least 3 characters long.
- If the suffix exists, it must begin with either a dash - or _.
- The suffix cannot contain any of the following characters: \, /, *, ?, ", <, >, |, ,, *.
- No part of the name can contain whitespace.
Privilege names must begin with a lowercase ASCII letter and must contain only ASCII letters and digits along with the characters _, -, and ..
Action names can contain any number of printable ASCII characters and must contain at least one of the following characters: /, *, :.
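The naming rules above can be checked before a request is sent, as in this added example (not Elasticsearch's own code). The constant and function names are hypothetical, and "printable ASCII" is assumed to mean the range 0x20 to 0x7E.

```python
import re

# Rules transcribed from this page; all names here are hypothetical.
# Prefix: lowercase first letter, ASCII letters/digits only, at least 3 chars.
# Suffix: optional, starts with - or _, no whitespace, none of \ / * ? " < > | ,
APP_NAME = re.compile(r'[a-z][A-Za-z0-9]{2,}(?:[-_][^\s\\/*?"<>|,]*)?')
# Privilege: lowercase first letter, then ASCII letters, digits, _ - .
PRIV_NAME = re.compile(r'[a-z][A-Za-z0-9_.-]*')
# Action: printable ASCII (assumed 0x20-0x7E) with at least one of / * :
ACTION = re.compile(r'[\x20-\x7e]*[/*:][\x20-\x7e]*')


def check_privileges(body):
    """Return the rule violations found in a PUT /_security/privilege body."""
    errors = []
    for app, privileges in body.items():
        # fullmatch anchors both ends, so a trailing newline cannot slip past
        if not APP_NAME.fullmatch(app):
            errors.append(f"application name {app!r}")
        for priv, spec in privileges.items():
            if not PRIV_NAME.fullmatch(priv):
                errors.append(f"privilege name {priv!r} in {app!r}")
            for action in spec.get("actions", []):
                if not isinstance(action, str) or not ACTION.fullmatch(action):
                    errors.append(f"action {action!r} in {app!r}/{priv!r}")
    return errors


# Request body taken from the examples on this page.
PAGE_BODY = {
    "app01": {"read": {"actions": ["action:login", "data:read/*"]},
              "write": {"actions": ["action:login", "data:write/*"]}},
    "app02": {"all": {"actions": ["*"]}},
}

# Constructed sample that breaks several of the rules.
BAD_BODY = {
    "my-app": {"Read": {"actions": ["login", "data:read/*"]}},
    "myapp_prod,eu": {"read.v2": {"actions": ["data:read/\u00e9"]}},
}

if __name__ == "__main__":
    print(check_privileges(PAGE_BODY))
    for problem in check_privileges(BAD_BODY):
        print("invalid", problem)
```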
## Required authorization
- Cluster privileges: manage_security

## Query parameters
- If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes. Values are true, false, or wait_for.

PUT /_security/privilege
{
  "myapp": {
    "read": {
      "actions": [
        "data:read/*",
        "action:login"
      ],
      "metadata": {
        "description": "Read access to myapp"
      }
    }
  }
}

curl \
  --request PUT 'http://api.example.com/_security/privilege' \
  --header "Content-Type: application/json" \
  --data '{
  "myapp": {
    "read": {
      "actions": [
        "data:read/*",
        "action:login"
      ],
      "metadata": {
        "description": "Read access to myapp"
      }
    }
  }
}'

{
  "myapp": {
    "read": {
      "actions": [
        "data:read/*",
        "action:login"
      ],
      "metadata": {
        "description": "Read access to myapp"
      }
    }
  }
}

{
  "app01": {
    "read": {
      "actions": [ "action:login", "data:read/*" ]
    },
    "write": {
      "actions": [ "action:login", "data:write/*" ]
    }
  },
  "app02": {
    "all": {
      "actions": [ "*" ]
    }
  }
}

{
  "myapp": {
    "read": {
      "created": true
    }
  }
}

{
  "app02": {
    "all": {
      "created": true
    }
  },
  "app01": {
    "read": {
      "created": true
    },
    "write": {
      "created": true
    }
  }
}