In order to use the operator privileges feature, it must be enabled explicitly
on each node in the cluster. Add the following setting in each
If the node is already running before you make this change, you must restart the node for the feature to take effect.
The feature needs to be either enabled or disabled consistently across all nodes in a cluster. Otherwise, you can get inconsistent behaviour depending on which node first receives a request and which node executes it.
When operator privileges are enabled on a cluster,
specific functionalities are restricted and can
be executed only by users who have been explicitly designated as operator users.
If a regular user attempts to execute these functionalities (even if they have
superuser role), a security exception occurs.
Operator users are just normal Elasticsearch users with special rights to perform
operator-only functionalities. They are specified in an
file, which is located in the config directory (as defined by the
environment variable). Similar to
other security config files, the
operator_users.yml file is local to a node and does not apply globally to the
cluster. This means, in most cases, the same file should be distributed or
copied to all nodes in a cluster.
operator_users.yml file defines a set of criteria that an authenticating
user must match to be considered as an operator user. The following snippet
shows an example of such a file:
A fixed value of
A list of user names allowed for operator users. This field is mandatory.
The type of the authenticating realm allowed for operator users. The default
and only acceptable value is
The authentication type allowed for operator users. The default and only
acceptable value is
You must specify at least the
usernames field. If no other fields are
specified, their default values are used. All fields must be matched for a user
to be qualified as an operator user. You can also specify multiple groups of
criteria. This is currently not very useful since this feature does not yet
support other realms or authentication types.
There are also two implicit rules that affect which users are operator users:
After a user is designated as an operator user, they are still
subject to regular RBAC user authorization checks. That is to
say, in addition to specifying that a user is an operator user, you must also
grant them the necessary Elasticsearch roles to perform their tasks. Consequently, it is
entirely possible that an operator user can encounter an "access denied" error
and fail to perform certain actions due to RBAC check failures. In short, an
operator user is not automatically a