Defining Roles

A role is defined by the following JSON structure:

{
  "name": "...", 
  "run_as": [ ... ] 
  "cluster": [ ... ], 
  "indices": [ ... ] 
}

The role name, also used as the role ID.

A list of usernames the owners of this role can impersonate.

A list of cluster privileges. These privileges define the cluster level actions users with this role are able to execute. This field is optional (missing cluster privileges effectively mean no cluster level permissions).

A list of indices permissions entries. This field is optional (missing indices privileges effectively mean no index level permissions).

Note

A valid role name must be at least 1 character and no longer than 30 characters. It must begin with a letter (a-z) or an underscore (_). Subsequent characters can be letters, underscores (_), digits (0-9) or any of the following symbols @, -, . or $

The following describes the structure of an indices permissions entry:

{
  "names": [ ... ], 
  "privileges": [ ... ], 
  "field_security" : { ... }, 
  "query": "..." 
}

A list of indices (or index name patterns) to which the permissions in this entry apply.

The index level privileges the owners of the role have on the associated indices (those indices that are specified in the name field)

Specification for document fields the owners of the role have read access to. See Setting Up Field and Document Level Security for details.

A search query that defines the documents the owners of the role have read access to. A document within the associated indices must match this query in order for it to be accessible by the owners of the role.

Tip

When specifying index names, you can use indices and aliases with their full names or regular expressions that refer to multiple indices.

  • Wildcard (default) - simple wildcard matching where * is a placeholder for zero or more characters, ? is a placeholder for a single character and \ may be used as an escape character.
  • Regular Expressions - A more powerful syntax for matching more complex patterns. This regular expression is based on Lucene’s regexp automaton syntax. To enable this syntax, it must be wrapped within a pair of forward slashes (/). Any pattern starting with / and not ending with / is considered to be malformed.

Example Regular Expressions. 

"foo-bar":               # match the literal `foo-bar`
"foo-*":                 # match anything beginning with "foo-"
"logstash-201?-*":       # ? matches any one character
"/.*-201[0-9]-.*/":      # use a regex to match anything containing 2010-2019
"/foo":                  # syntax error - missing final /

The following snippet shows an example definition of a clicks_admin role:

{
  "run_as": [ "clicks_watcher_1" ]
  "cluster": [ "monitor" ],
  "indices": [
    {
      "names": [ "events-*" ],
      "privileges": [ "read" ],
      "field_security" : {
        "grant" : [ "category", "@timestamp", "message" ]
      },
      "query": "{\"match\": {\"category\": \"click\"}}"
    }
  ]
}

Based on the above definition, users owning the clicks_admin role can:

  • Impersonate the clicks_watcher_1 user and execute requests on its behalf.
  • Monitor the Elasticsearch cluster
  • Read data from all indices prefixed with events-
  • Within these indices, only read the events of the click category
  • Within these document, only read the category, @timestamp and message fields.
Tip

For a complete list of available cluster and indices privileges

There are two available mechanisms to define roles: using the Role Management APIs or in local files on the Elasticsearch nodes.

Role Management UI

If you are a Kibana user, make sure to install X-Pack in Kibana. This enables you to easily manage users and roles from within Kibana. To manage roles, log in to Kibana and go to Management / Elasticsearch / Roles.

Role Management API

The Role Management APIs enable you to add, update, remove and retrieve roles dynamically. When you use the APIs to manage roles in the native realm, the roles are stored in an internal Elasticsearch index.

Adding a Role

To add a role, submit a PUT or POST request to the /_xpack/security/role/<name> endpoint.

POST /_xpack/security/role/clicks_admin
{
  "run_as": [ "clicks_watcher_1" ],
  "cluster": [ "monitor" ],
  "indices": [
    {
      "names": [ "events-*" ],
      "privileges": [ "read" ],
      "field_security" : {
        "grant" : [ "category", "@timestamp", "message" ]
      },
      "query": "{\"match\": {\"category\": \"click\"}}"
    }
  ]
}
Note

This API can also be used for updating role definitions.

List Role

To retrieve all roles, submit a GET request to the /_xpack/security/role endpoint:

GET /_xpack/security/role

To retrieve particular roles, specify the roles as a comma-separated list:

GET /_xpack/security/role/clicks_admin

Response:

{
  "clicks_admin": {
    "run_as": [ "clicks_watcher_1" ],
    "cluster": [ "monitor" ],
    "indices": [
      {
        "names": [ "events-*" ],
        "privileges": [ "read" ],
        "field_security" : {
          "grant" : [ "category", "@timestamp", "message" ]
        },
        "query": "{\"match\": {\"category\": \"click\"}}"
      }
    ],
    "metadata": { },
    "transient_metadata": {
      "enabled": true
    }
  }
}
Note

If single role is requested, that role is returned as the response. When requesting multiple roles, an object is returned holding the found roles, each keyed by the relevant role name.

Deleting a Role

To delete a role, submit a DELETE request to the /_xpack/security/role/<name> endpoint:

DELETE /_xpack/security/role/clicks_admin

File-based Role Management

Apart from the Role Management APIs roles can also be defined in local roles.yml file located in CONFIG_DIR/x-pack. This is a YAML file where each role definition is keyed by its name.

Important

If the same role name is used in the roles.yml file and through the Role Management APIs, the role found in the file will be used.

While the Role Management APIs is the preferred mechanism to define roles, using the roles.yml file becomes useful if you want to define fixed roles that no one (beside an administrator having physical access to the Elasticsearch nodes) would be able to change.

Important

The roles.yml file is managed locally by the node and is not globally by the cluster. This means that with a typical multi-node cluster, the exact same changes need to be applied on each and every node in the cluster.

A safer approach would be to apply the change on one of the nodes and have the roles.yml distributed/copied to all other nodes in the cluster (either manually or using a configuration management system such as Puppet or Chef).

The following snippet shows an example of the roles.yml file configuration:

click_admins:
  run_as: [ 'clicks_watcher_1' ]
  cluster: [ 'monitor' ]
  indices:
    - names: [ 'events-*' ]
      privileges: [ 'read' ]
      field_security:
        grant: ['category', '@timestamp', 'message' ]
      query: '{"match": {"category": "click"}}'

X-Pack security continuously monitors the roles.yml file and automatically picks up and apples any changes to it.