Shield provides role-based access control (RBAC) for Elasticsearch. RBAC enables you to control what actions users can perform on an Elasticsearch cluster. By default, all actions are restricted. The roles assigned to a user specify the actions that the user can perform.
A role is a named set of privileges. The privileges specified within a role control what Elasticsearch actions the role grants access to:
- Cluster privileges grant access to cluster-wide administrative and monitoring actions.
- Index privileges grant access to specific indices in the cluster, including data access and administrative and monitoring actions.
- Run As privilege enables an authenticated user to submit requests on behalf of another user. For more information, see Submitting Requests for Other Users.
For example, you could define a logging administrator role that allows logging admins
to perform all actions on indices whose names match the pattern
Defining roles and assigning roles to users requires the
See Privileges for the complete list of cluster and indices privileges you can
assign in a role.
Users can be associated with any number of roles. For more information about assigning roles to users, see Setting Up Authentication.