Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 0c500e5264
Branches Tags
elasticsearch
/
docs
/
reference
/
rest-api
/
security
/
create-roles.asciidoc

create-roles.asciidoc 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181 
  1. [role="xpack"]
    2. 

  2. [[security-api-put-role]]
    3. 

  3. === Create or update roles API
    4. 

  4. ++++
    5. 

  5. <titleabbrev>Create or update roles</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. Adds and updates roles in the native realm.
    9. 

  9. 

  10. [[security-api-put-role-request]]
    11. 

  11. ==== {api-request-title}
    12. 

  12. 

  13. `POST /_security/role/<name>` +
    14. 

  14. 

  15. `PUT /_security/role/<name>`
    16. 

  16. 

  17. 

  18. [[security-api-put-role-prereqs]]
    19. 

  19. ==== {api-prereq-title}
    20. 

  20. 

  21. * To use this API, you must have at least the `manage_security` cluster
    22. 

  22. privilege.
    23. 

  23. 

  24. [[security-api-put-role-desc]]
    25. 

  25. ==== {api-description-title}
    26. 

  26. 

  27. The role management APIs are generally the preferred way to manage roles, rather than using
    28. 

  28. <<roles-management-file,file-based role management>>. The create
    29. 

  29. or update roles API cannot update roles that are defined in roles files.
    30. 

  30. 

  31. [[security-api-put-role-path-params]]
    32. 

  32. ==== {api-path-parms-title}
    33. 

  33. 

  34. `name`::
    35. 

  35.   (string) The name of the role.
    36. 

  36. 

  37. 

  38. [[security-api-put-role-request-body]]
    39. 

  39. ==== {api-request-body-title}
    40. 

  40. 

  41. The following parameters can be specified in the body of a PUT or POST request
    42. 

  42. and pertain to adding a role:
    43. 

  43. 

  44. `applications`:: (list) A list of application privilege entries.
    45. 

  45. `application` (required)::: (string) The name of the application to which this entry applies
    46. 

  46. `privileges`::: (list) A list of strings, where each element is the name of an application
    47. 

  47. privilege or action.
    48. 

  48. `resources`::: (list) A list resources to which the privileges are applied.
    49. 

  49. 

  50. `cluster`:: (list) A list of cluster privileges. These privileges define the
    51. 

  51. cluster level actions that users with this role are able to execute.
    52. 

  52. 

  53. `global`:: (object) An object defining global privileges. A global privilege is
    54. 

  54. a form of cluster privilege that is request-aware. Support for global privileges
    55. 

  55. is currently limited to the management of application privileges.
    56. 

  56. This field is optional.
    57. 

  57. 

  58. `indices`:: (list) A list of indices permissions entries.
    59. 

  59. `field_security`::: (object) The document fields that the owners of the role have
    60. 

  60. read access to. For more information, see
    61. 

  61. <<field-and-document-access-control>>.
    62. 

  62. `names` (required)::: (list) A list of indices (or index name patterns) to which the
    63. 

  63. permissions in this entry apply.
    64. 

  64. `privileges`(required)::: (list) The index level privileges that the owners of the role
    65. 

  65. have on the specified indices.
    66. 

  66. `query`::: A search query that defines the documents the owners of the role have
    67. 

  67. read access to. A document within the specified indices must match this query in
    68. 

  68. order for it to be accessible by the owners of the role.
    69. 

  69. 

  70. `metadata`:: (object) Optional meta-data. Within the `metadata` object, keys
    71. 

  71. that begin with `_` are reserved for system usage.
    72. 

  72. 

  73. `run_as`:: (list) A list of users that the owners of this role can impersonate.
    74. 

  74. For more information, see
    75. 

  75. <<run-as-privilege>>.
    76. 

  76. 

  77. `remote_indices`:: (list) A list of remote indices permissions entries.
    78. 

  78. +
    79. 

  79. --
    80. 

  80. NOTE: Remote indices are effective for <<remote-clusters-api-key,remote clusters configured with the API key based model>>.
    81. 

  81. They have no effect for remote clusters configured with the <<remote-clusters-cert,certificate based model>>.
    82. 

  82. --
    83. 

  83. `clusters` (required)::: (list) A list of cluster aliases to which the permissions
    84. 

  84. in this entry apply.
    85. 

  85. `field_security`::: (object) The document fields that the owners of the role have
    86. 

  86. read access to. For more information, see
    87. 

  87. <<field-and-document-access-control>>.
    88. 

  88. `names` (required)::: (list) A list of indices (or index name patterns) on the remote clusters
    89. 

  89. (specified with `clusters`) to which the permissions in this entry apply.
    90. 

  90. `privileges`(required)::: (list) The index level privileges that the owners of the role
    91. 

  91. have on the specified indices.
    92. 

  92. `query`::: A search query that defines the documents the owners of the role have
    93. 

  93. read access to. A document within the specified indices must match this query in
    94. 

  94. order for it to be accessible by the owners of the role.
    95. 

  95. 

  96. For more information, see <<defining-roles>>.
    97. 

  97. 

  98. [[security-api-put-role-example]]
    99. 

  99. ==== {api-examples-title}
    100. 

  100. 

  101. The following example adds a role called `my_admin_role`:
    102. 

  102. 

  103. [source,console]
    104. 

  104. --------------------------------------------------
    105. 

  105. POST /_security/role/my_admin_role
    106. 

  106. {
    107. 

  107.   "cluster": ["all"],
    108. 

  108.   "indices": [
    109. 

  109.     {
    110. 

  110.       "names": [ "index1", "index2" ],
    111. 

  111.       "privileges": ["all"],
    112. 

  112.       "field_security" : { // optional
    113. 

  113.         "grant" : [ "title", "body" ]
    114. 

  114.       },
    115. 

  115.       "query": "{\"match\": {\"title\": \"foo\"}}" // optional
    116. 

  116.     }
    117. 

  117.   ],
    118. 

  118.   "applications": [
    119. 

  119.     {
    120. 

  120.       "application": "myapp",
    121. 

  121.       "privileges": [ "admin", "read" ],
    122. 

  122.       "resources": [ "*" ]
    123. 

  123.     }
    124. 

  124.   ],
    125. 

  125.   "run_as": [ "other_user" ], // optional
    126. 

  126.   "metadata" : { // optional
    127. 

  127.     "version" : 1
    128. 

  128.   }
    129. 

  129. }
    130. 

  130. --------------------------------------------------
    131. 

  131. 

  132. A successful call returns a JSON structure that shows whether the role has been
    133. 

  133. created or updated.
    134. 

  134. 

  135. [source,console-result]
    136. 

  136. --------------------------------------------------
    137. 

  137. {
    138. 

  138.   "role": {
    139. 

  139.     "created": true <1>
    140. 

  140.   }
    141. 

  141. }
    142. 

  142. --------------------------------------------------
    143. 

  143. 

  144. <1> When an existing role is updated, `created` is set to false.
    145. 

  145. 

  146. The following example configures a role that can run SQL in JDBC:
    147. 

  147. 

  148. // tag::sql-queries-permission[]
    149. 

  149. [source,console]
    150. 

  150. --------------------------------------------------
    151. 

  151. POST /_security/role/cli_or_drivers_minimal
    152. 

  152. {
    153. 

  153.   "cluster": ["cluster:monitor/main"],
    154. 

  154.   "indices": [
    155. 

  155.     {
    156. 

  156.       "names": ["test"],
    157. 

  157.       "privileges": ["read", "indices:admin/get"]
    158. 

  158.     }
    159. 

  159.   ]
    160. 

  160. }
    161. 

  161. --------------------------------------------------
    162. 

  162. // end::sql-queries-permission[]
    163. 

  163. 

  164. The following example configures a role with remote indices privileges on a remote cluster:
    165. 

  165. [source,console]
    166. 

  166. --------------------------------------------------
    167. 

  167. POST /_security/role/role_with_remote_indices
    168. 

  168. {
    169. 

  169.   "remote_indices": [
    170. 

  170.     {
    171. 

  171.       "clusters": [ "my_remote" ], <1>
    172. 

  172.       "names": ["logs*"], <2>
    173. 

  173.       "privileges": ["read", "read_cross_cluster", "view_index_metadata"] <3>
    174. 

  174.     }
    175. 

  175.   ]
    176. 

  176. }
    177. 

  177. --------------------------------------------------
    178. 

  178. 

  179. <1> The remote indices privileges apply to remote cluster with the alias `my_remote`.
    180. 

  180. <2> Privileges are granted for indices matching pattern `logs*` on the remote cluster ( `my_remote`).
    181. 

  181. <3> The actual <<privileges-list-indices,index privileges>> granted for `logs*` on `my_remote`.
    182.