Inicio Explorar Ayuda
Iniciar sesión
lqb
/
elasticsearch
espejo de https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Archivos Incidencias 0 Wiki
Árbol: 39a0314d30
Ramas Etiquetas
elasticsearch
/
x-pack
/
docs
/
en
/
security
/
authorization
/
alias-privileges.asciidoc

alias-privileges.asciidoc 4.9 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163 
  1. [role="xpack"]
    2. 

  2. [[securing-aliases]]
    3. 

  3. === Granting privileges for data streams and index aliases
    4. 

  4. 

  5. {es} {security-features} allow you to secure operations executed against
    6. 

  6. <<data-streams,data streams>> and <<alias,aliases>>.
    7. 

  7. 

  8. [[data-stream-privileges]]
    9. 

  9. ==== Data stream privileges
    10. 

  10. 

  11. // tag::data-stream-security[]
    12. 

  12. 

  13. Use <<privileges-list-indices,indices privileges>> to control access to
    14. 

  14. a data stream. Any role or user granted privileges to a data
    15. 

  15. stream are automatically granted the same privileges to its backing indices.
    16. 

  16. // end::data-stream-security[]
    17. 

  17. 

  18. For example, `my-data-stream` consists of two backing indices:
    19. 

  19. `.ds-my-data-stream-2099.03.07-000001` and
    20. 

  20. `.ds-my-data-stream-2099.03.08-000002`.
    21. 

  21. 

  22. A user is granted the `read` privilege to `my-data-stream`.
    23. 

  23. 

  24. [source,js]
    25. 

  25. --------------------------------------------------
    26. 

  26. {
    27. 

  27.   "names" : [ "my-data-stream" ],
    28. 

  28.   "privileges" : [ "read" ]
    29. 

  29. }
    30. 

  30. --------------------------------------------------
    31. 

  31. // NOTCONSOLE
    32. 

  32. 

  33. Because the user is automatically granted the same privileges to the stream's
    34. 

  34. backing indices, the user can retrieve a document directly from
    35. 

  35. `.ds-my-data-stream-2099.03.08-000002`:
    36. 

  36. 

  37. ////
    38. 

  38. [source,console]
    39. 

  39. ----
    40. 

  40. PUT my-index/_doc/2
    41. 

  41. {
    42. 

  42.   "my-field": "foo"
    43. 

  43. }
    44. 

  44. ----
    45. 

  45. ////
    46. 

  46. 

  47. [source,console]
    48. 

  48. ----
    49. 

  49. GET .ds-my-data-stream-2099.03.08-000002/_doc/2
    50. 

  50. ----
    51. 

  51. // TEST[continued]
    52. 

  52. // TEST[s/.ds-my-data-stream-2099.03.08-000002/my-index/]
    53. 

  53. 

  54. Later `my-data-stream` <<manually-roll-over-a-data-stream,rolls over>>. This
    55. 

  55. creates a new backing index: `.ds-my-data-stream-2099.03.09-000003`. Because the
    56. 

  56. user still has the `read` privilege for `my-data-stream`, the user can retrieve
    57. 

  57. documents directly from `.ds-my-data-stream-2099.03.09-000003`:
    58. 

  58. 

  59. [source,console]
    60. 

  60. ----
    61. 

  61. GET .ds-my-data-stream-2099.03.09-000003/_doc/2
    62. 

  62. ----
    63. 

  63. // TEST[continued]
    64. 

  64. // TEST[s/.ds-my-data-stream-2099.03.09-000003/my-index/]
    65. 

  65. 

  66. [[index-alias-privileges]]
    67. 

  67. ==== Index alias privileges
    68. 

  68. 

  69. An index alias points to one or more indices,
    70. 

  70. holds metadata and potentially a filter. The {es} {security-features} treat
    71. 

  71. aliases and indices
    72. 

  72. the same. Privileges for indices actions are granted on specific indices or
    73. 

  73. aliases. In order for an indices action to be authorized, the user that executes
    74. 

  74. it needs to have permissions for that action on all the specific indices or
    75. 

  75. aliases that the request relates to.
    76. 

  76. 

  77. Let's look at an example. Assuming we have an index called `2015`, an alias that
    78. 

  78. points to it called `current_year`, and a user with the following role:
    79. 

  79. 

  80. [source,js]
    81. 

  81. --------------------------------------------------
    82. 

  82. {
    83. 

  83.   "names" : [ "2015" ],
    84. 

  84.   "privileges" : [ "read" ]
    85. 

  85. }
    86. 

  86. --------------------------------------------------
    87. 

  87. // NOTCONSOLE
    88. 

  88. 

  89. The user attempts to retrieve a document from `current_year`:
    90. 

  90. 

  91. [source,console]
    92. 

  92. -------------------------------------------------------------------------------
    93. 

  93. GET /current_year/_doc/1
    94. 

  94. -------------------------------------------------------------------------------
    95. 

  95. // TEST[s/^/PUT 2015\n{"aliases": {"current_year": {}}}\nPUT 2015\/_doc\/1\n{}\n/]
    96. 

  96. 

  97. The above request gets rejected, although the user has `read` privilege on the
    98. 

  98. concrete index that the `current_year` alias points to. The correct permission
    99. 

  99. would be as follows:
    100. 

  100. 

  101. [source,js]
    102. 

  102. --------------------------------------------------
    103. 

  103. {
    104. 

  104.   "names" : [ "current_year" ],
    105. 

  105.   "privileges" : [ "read" ]
    106. 

  106. }
    107. 

  107. --------------------------------------------------
    108. 

  108. // NOTCONSOLE
    109. 

  109. 

  110. [discrete]
    111. 

  111. ==== Managing aliases
    112. 

  112. 

  113. Unlike creating indices, which requires the `create_index` privilege, adding,
    114. 

  114. removing and retrieving aliases requires the `manage` permission. Aliases can be
    115. 

  115. added to an index directly as part of the index creation:
    116. 

  116. 

  117. [source,console]
    118. 

  118. -------------------------------------------------------------------------------
    119. 

  119. PUT /2015
    120. 

  120. {
    121. 

  121.   "aliases": {
    122. 

  122.     "current_year": {}
    123. 

  123.   }
    124. 

  124. }
    125. 

  125. -------------------------------------------------------------------------------
    126. 

  126. 

  127. or via the dedicated aliases api if the index already exists:
    128. 

  128. 

  129. [source,console]
    130. 

  130. -------------------------------------------------------------------------------
    131. 

  131. POST /_aliases
    132. 

  132. {
    133. 

  133.   "actions" : [
    134. 

  134.     { "add" : { "index" : "2015", "alias" : "current_year" } }
    135. 

  135.   ]
    136. 

  136. }
    137. 

  137. -------------------------------------------------------------------------------
    138. 

  138. // TEST[s/^/PUT 2015\n/]
    139. 

  139. 

  140. The above requests both require the `manage` privilege on the alias name as well
    141. 

  141. as the targeted index, as follows:
    142. 

  142. 

  143. [source,js]
    144. 

  144. --------------------------------------------------
    145. 

  145. {
    146. 

  146.   "names" : [ "20*", "current_year" ],
    147. 

  147.   "privileges" : [ "manage" ]
    148. 

  148. }
    149. 

  149. --------------------------------------------------
    150. 

  150. // NOTCONSOLE
    151. 

  151. 

  152. The index aliases api also allows also to delete aliases from existing indices.
    153. 

  153. The privileges required for such a request are the same as above. Both index and
    154. 

  154. alias need the `manage` permission.
    155. 

  155. 

  156. 

  157. [discrete]
    158. 

  158. ==== Filtered aliases
    159. 

  159. 

  160. Aliases can hold a filter, which allows to select a subset of documents that can
    161. 

  161. be accessed out of all the documents that the physical index contains. These
    162. 

  162. filters are not always applied and should not be used in place of
    163. 

  163. <<document-level-security,document level security>>.
    164.