Granting Privileges for Specific Actions

The Shield security plugin enables access to specific actions in Elasticsearch. Access control using specific actions provides a finer level of granularity than roles based on named privileges.

The role in the following example allows access to document GET actions for a specific index and nothing else:

Example Role Using Action-level Access Control.

# Only GET read action on index named events_index
get_user:
  indices:
    'events_index': 'indices:data/read/get'

See the complete list of available cluster and indices actions.

When specifying index names, you can use indices and aliases with their full names or regular expressions that refer to multiple indices.

  • Wildcard (default) - simple wildcard matching where * is a placeholder for zero or more characters, ? is a placeholder for a single character and \ may be used as an escape character.
  • Regular Expressions - A more powerful syntax for matching more complex patterns. This regular expression is based on Lucene’s regexp automaton syntax. To enable this syntax, it must be wrapped within a pair of forward slashes (/). Any pattern starting with / and not ending with / is considered to be malformed.

Example Regular Expressions.

"foo-bar":          all     # match the literal `foo-bar`
"foo-*":            all     # match anything beginning with "foo-"
"logstash-201?-*":  all     # ? matches any one character
"/.*-201[0-9]-.*/": all     # use a regex to match anything containing 2010-2019
"/foo":             all     # syntax error - missing final /

Once the roles are defined, users can then be associated with any number of these roles. In Setting Up Authentication we’ll learn more about authentication and see how users can be associated with the configured roles.