Granting Privileges for Index Aliases

You grant access to index aliases the same way you grant access to particular indexes. To perform an action against an index alias, the user must have privileges for that alias. Access to aliased indices does not automatically confer access to the alias.

Aliases can have a filter that specifies a subset of the documents in the physical index. These filters are not always applied and should not be used in place of document level security.

For example, if you have index called 2016 and an alias that points to it called current_year, to give a user permission to use the alias you could assign the following role:

{
   "current_year_read": {
      "cluster":[],
      "indices":[{
         "names":["current_year"],
         "privileges":["read"]}],
      "run_as":[]
   }
}

Granting read access to the 2016 index does not enable a user to use the current_year alias.

Managing Aliases

Performing CRUD operations on an index alias requires the manage privilege on both the targeted indices and the alias. Adding an alias when creating an index also requires the create_index privilege.

For example, the following role would enable a user to create an alias called current_year for the index named 2016 through the dedicated aliases API:

{
   "admin": {
      "cluster":[],
      "indices":[{
         "names":["2016", "current_year"],
         "privileges":["manage"]}],
      "run_as":[]
   }
}