Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 747fa59a2c
Branches Tags
elasticsearch
/
docs
/
reference
/
security
/
authorization
/
document-level-security.asciidoc

document-level-security.asciidoc 2.1 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 
  1. [role="xpack"]
    2. 

  2. [[document-level-security]]
    3. 

  3. === Document level security
    4. 

  4. 

  5. Document level security restricts the documents that users have read access to.
    6. 

  6. In particular, it restricts which documents can be accessed from document-based
    7. 

  7. read APIs.
    8. 

  8. 

  9. To enable document level security, you use a query to specify the documents that
    10. 

  10. each role can access. The document `query` is associated with a particular data
    11. 

  11. stream, index, or wildcard (`*`) pattern and operates in conjunction with the
    12. 

  12. privileges specified for the data streams and indices.
    13. 

  13. 

  14. The specified document `query`:
    15. 

  15. 

  16. * Expects the same format as if it was defined in the search request
    17. 

  17. * Supports <<templating-role-query,templating a role query>> that can access
    18. 

  18. the details of the currently authenticated user
    19. 

  19. * Accepts queries written as either string values or nested JSON
    20. 

  20. * Supports the majority of the {es}
    21. 

  21. <<query-dsl,Query Domain Specific Language (DSL)>>, with <<field-document-limitations,some limitations>> for field and document level security
    22. 

  22. 

  23. IMPORTANT: Omitting the `query` parameter entirely disables document level
    24. 

  24. security for the respective indices permission entry.
    25. 

  25. 

  26. The following role definition grants read access only to documents that
    27. 

  27. belong to the `click` category within all the `events-*` data streams and indices:
    28. 

  28. 

  29. [source,console]
    30. 

  30. ----
    31. 

  31. POST /_security/role/click_role
    32. 

  32. {
    33. 

  33.   "indices": [
    34. 

  34.     {
    35. 

  35.       "names": [ "events-*" ],
    36. 

  36.       "privileges": [ "read" ],
    37. 

  37.       "query": "{\"match\": {\"category\": \"click\"}}"
    38. 

  38.     }
    39. 

  39.   ]
    40. 

  40. }
    41. 

  41. ----
    42. 

  42. 

  43. You can write this same query using nested JSON syntax:
    44. 

  44. 

  45. [source,console]
    46. 

  46. ----
    47. 

  47. POST _security/role/click_role
    48. 

  48. {
    49. 

  49.   "indices": [
    50. 

  50.     {
    51. 

  51.       "names": [ "events-*" ],
    52. 

  52.       "privileges": [ "read" ],
    53. 

  53.       "query": {
    54. 

  54.         "match": {
    55. 

  55.           "category": "click"
    56. 

  56.         }
    57. 

  57.       }
    58. 

  58.     }
    59. 

  59.   ]
    60. 

  60. }
    61. 

  61. ----
    62. 

  62. 

  63. The following role grants read access only to the documents whose
    64. 

  64. `department_id` equals `12`:
    65. 

  65. 

  66. [source,console]
    67. 

  67. ----
    68. 

  68. POST /_security/role/dept_role
    69. 

  69. {
    70. 

  70.   "indices" : [
    71. 

  71.     {
    72. 

  72.       "names" : [ "*" ],
    73. 

  73.       "privileges" : [ "read" ],
    74. 

  74.       "query" : {
    75. 

  75.         "term" : { "department_id" : 12 }
    76. 

  76.       }
    77. 

  77.     }
    78. 

  78.   ]
    79. 

  79. }
    80. 

  80. ----
    81.