首页 发现 帮助
注册 登录
lqb
/
elasticsearch
镜像自地址 https://gitee.com/mirrors/elasticsearch.git
1
0
派生 0
文件 工单管理 0 Wiki
目录树: 77ce60530c
分支列表 标签列表
elasticsearch
/
docs
/
reference
/
rest-api
/
security
/
create-roles.asciidoc

create-roles.asciidoc 6.2 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185 
  1. [role="xpack"]
    2. 

  2. [[security-api-put-role]]
    3. 

  3. === Create or update roles API
    4. 

  4. ++++
    5. 

  5. <titleabbrev>Create or update roles</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. Adds and updates roles in the native realm.
    9. 

  9. 

  10. [[security-api-put-role-request]]
    11. 

  11. ==== {api-request-title}
    12. 

  12. 

  13. `POST /_security/role/<name>` +
    14. 

  14. 

  15. `PUT /_security/role/<name>`
    16. 

  16. 

  17. 

  18. [[security-api-put-role-prereqs]]
    19. 

  19. ==== {api-prereq-title}
    20. 

  20. 

  21. * To use this API, you must have at least the `manage_security` cluster
    22. 

  22. privilege.
    23. 

  23. 

  24. [[security-api-put-role-desc]]
    25. 

  25. ==== {api-description-title}
    26. 

  26. 

  27. The role management APIs are generally the preferred way to manage roles, rather than using
    28. 

  28. <<roles-management-file,file-based role management>>. The create
    29. 

  29. or update roles API cannot update roles that are defined in roles files.
    30. 

  30. 

  31. [[security-api-put-role-path-params]]
    32. 

  32. ==== {api-path-parms-title}
    33. 

  33. 

  34. `name`::
    35. 

  35.   (string) The name of the role.
    36. 

  36. 

  37. 

  38. [[security-api-put-role-request-body]]
    39. 

  39. ==== {api-request-body-title}
    40. 

  40. 

  41. The following parameters can be specified in the body of a PUT or POST request
    42. 

  42. and pertain to adding a role:
    43. 

  43. 

  44. `applications`:: (list) A list of application privilege entries.
    45. 

  45. `application` (required)::: (string) The name of the application to which this entry applies
    46. 

  46. `privileges`::: (list) A list of strings, where each element is the name of an application
    47. 

  47. privilege or action.
    48. 

  48. `resources`::: (list) A list resources to which the privileges are applied.
    49. 

  49. 

  50. `cluster`:: (list) A list of cluster privileges. These privileges define the
    51. 

  51. cluster level actions that users with this role are able to execute.
    52. 

  52. 

  53. `description`:: (string) A description of the role.
    54. 

  54. The maximum length is `1000` chars.
    55. 

  55. 

  56. `global`:: (object) An object defining global privileges. A global privilege is
    57. 

  57. a form of cluster privilege that is request-aware. Support for global privileges
    58. 

  58. is currently limited to the management of application privileges.
    59. 

  59. This field is optional.
    60. 

  60. 

  61. `indices`:: (list) A list of indices permissions entries.
    62. 

  62. `field_security`::: (object) The document fields that the owners of the role have
    63. 

  63. read access to. For more information, see
    64. 

  64. <<field-and-document-access-control>>.
    65. 

  65. `names` (required)::: (list) A list of indices (or index name patterns) to which the
    66. 

  66. permissions in this entry apply.
    67. 

  67. `privileges`(required)::: (list) The index level privileges that the owners of the role
    68. 

  68. have on the specified indices.
    69. 

  69. `query`::: A search query that defines the documents the owners of the role have
    70. 

  70. read access to. A document within the specified indices must match this query in
    71. 

  71. order for it to be accessible by the owners of the role.
    72. 

  72. 

  73. `metadata`:: (object) Optional meta-data. Within the `metadata` object, keys
    74. 

  74. that begin with `_` are reserved for system usage.
    75. 

  75. 

  76. `run_as`:: (list) A list of users that the owners of this role can impersonate.
    77. 

  77. For more information, see
    78. 

  78. <<run-as-privilege>>.
    79. 

  79. 

  80. `remote_indices`:: (list) A list of remote indices permissions entries.
    81. 

  81. +
    82. 

  82. --
    83. 

  83. NOTE: Remote indices are effective for <<remote-clusters-api-key,remote clusters configured with the API key based model>>.
    84. 

  84. They have no effect for remote clusters configured with the <<remote-clusters-cert,certificate based model>>.
    85. 

  85. --
    86. 

  86. `clusters` (required)::: (list) A list of cluster aliases to which the permissions
    87. 

  87. in this entry apply.
    88. 

  88. `field_security`::: (object) The document fields that the owners of the role have
    89. 

  89. read access to. For more information, see
    90. 

  90. <<field-and-document-access-control>>.
    91. 

  91. `names` (required)::: (list) A list of indices (or index name patterns) on the remote clusters
    92. 

  92. (specified with `clusters`) to which the permissions in this entry apply.
    93. 

  93. `privileges`(required)::: (list) The index level privileges that the owners of the role
    94. 

  94. have on the specified indices.
    95. 

  95. `query`::: A search query that defines the documents the owners of the role have
    96. 

  96. read access to. A document within the specified indices must match this query in
    97. 

  97. order for it to be accessible by the owners of the role.
    98. 

  98. 

  99. For more information, see <<defining-roles>>.
    100. 

  100. 

  101. [[security-api-put-role-example]]
    102. 

  102. ==== {api-examples-title}
    103. 

  103. 

  104. The following example adds a role called `my_admin_role`:
    105. 

  105. 

  106. [source,console]
    107. 

  107. --------------------------------------------------
    108. 

  108. POST /_security/role/my_admin_role
    109. 

  109. {
    110. 

  110.   "description": "Grants full access to all management features within the cluster.",
    111. 

  111.   "cluster": ["all"],
    112. 

  112.   "indices": [
    113. 

  113.     {
    114. 

  114.       "names": [ "index1", "index2" ],
    115. 

  115.       "privileges": ["all"],
    116. 

  116.       "field_security" : { // optional
    117. 

  117.         "grant" : [ "title", "body" ]
    118. 

  118.       },
    119. 

  119.       "query": "{\"match\": {\"title\": \"foo\"}}" // optional
    120. 

  120.     }
    121. 

  121.   ],
    122. 

  122.   "applications": [
    123. 

  123.     {
    124. 

  124.       "application": "myapp",
    125. 

  125.       "privileges": [ "admin", "read" ],
    126. 

  126.       "resources": [ "*" ]
    127. 

  127.     }
    128. 

  128.   ],
    129. 

  129.   "run_as": [ "other_user" ], // optional
    130. 

  130.   "metadata" : { // optional
    131. 

  131.     "version" : 1
    132. 

  132.   }
    133. 

  133. }
    134. 

  134. --------------------------------------------------
    135. 

  135. 

  136. A successful call returns a JSON structure that shows whether the role has been
    137. 

  137. created or updated.
    138. 

  138. 

  139. [source,console-result]
    140. 

  140. --------------------------------------------------
    141. 

  141. {
    142. 

  142.   "role": {
    143. 

  143.     "created": true <1>
    144. 

  144.   }
    145. 

  145. }
    146. 

  146. --------------------------------------------------
    147. 

  147. 

  148. <1> When an existing role is updated, `created` is set to false.
    149. 

  149. 

  150. The following example configures a role that can run SQL in JDBC:
    151. 

  151. 

  152. // tag::sql-queries-permission[]
    153. 

  153. [source,console]
    154. 

  154. --------------------------------------------------
    155. 

  155. POST /_security/role/cli_or_drivers_minimal
    156. 

  156. {
    157. 

  157.   "cluster": ["cluster:monitor/main"],
    158. 

  158.   "indices": [
    159. 

  159.     {
    160. 

  160.       "names": ["test"],
    161. 

  161.       "privileges": ["read", "indices:admin/get"]
    162. 

  162.     }
    163. 

  163.   ]
    164. 

  164. }
    165. 

  165. --------------------------------------------------
    166. 

  166. // end::sql-queries-permission[]
    167. 

  167. 

  168. The following example configures a role with remote indices privileges on a remote cluster:
    169. 

  169. [source,console]
    170. 

  170. --------------------------------------------------
    171. 

  171. POST /_security/role/role_with_remote_indices
    172. 

  172. {
    173. 

  173.   "remote_indices": [
    174. 

  174.     {
    175. 

  175.       "clusters": [ "my_remote" ], <1>
    176. 

  176.       "names": ["logs*"], <2>
    177. 

  177.       "privileges": ["read", "read_cross_cluster", "view_index_metadata"] <3>
    178. 

  178.     }
    179. 

  179.   ]
    180. 

  180. }
    181. 

  181. --------------------------------------------------
    182. 

  182. 

  183. <1> The remote indices privileges apply to remote cluster with the alias `my_remote`.
    184. 

  184. <2> Privileges are granted for indices matching pattern `logs*` on the remote cluster ( `my_remote`).
    185. 

  185. <3> The actual <<privileges-list-indices,index privileges>> granted for `logs*` on `my_remote`.
    186.