Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: ff92296217
Branches Tags
elasticsearch
/
docs
/
reference
/
security
/
authorization
/
field-and-document-access-control.asciidoc

field-and-document-access-control.asciidoc 4.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485 
  1. [role="xpack"]
    2. 

  2. [[field-and-document-access-control]]
    3. 

  3. === Setting up field and document level security
    4. 

  4. 

  5. You can control access to data within a data stream or index by adding field and document level
    6. 

  6. security permissions to a role.
    7. 

  7. <<field-level-security,Field level security permissions>> restrict access to
    8. 

  8. particular fields within a document.
    9. 

  9. <<document-level-security,Document level security permissions>> restrict access
    10. 

  10. to particular documents.
    11. 

  11. 

  12. NOTE: Document and field level security is currently meant to operate with
    13. 

  13. read-only privileged accounts. Users with document and field level
    14. 

  14. security enabled for a data stream or index should not perform write operations.
    15. 

  15. 

  16. A role can define both field and document level permissions on a per-index basis.
    17. 

  17. A role that doesn’t specify field level permissions grants access to ALL fields.
    18. 

  18. Similarly, a role that doesn't specify document level permissions grants access
    19. 

  19. to ALL documents in the index.
    20. 

  20. 

  21. [IMPORTANT]
    22. 

  22. =====================================================================
    23. 

  23. When assigning users multiple roles, be careful that you don't inadvertently
    24. 

  24. grant wider access than intended. Each user has a single set of field level and
    25. 

  25. document level permissions per data stream or index. See <<multiple-roles-dls-fls>>.
    26. 

  26. =====================================================================
    27. 

  27. 

  28. [[multiple-roles-dls-fls]]
    29. 

  29. ==== Multiple roles with document and field level security
    30. 

  30. 

  31. A user can have many roles and each role can define different permissions on the
    32. 

  32. same data stream or index. It is important to understand the behavior of document and field
    33. 

  33. level security in this scenario.
    34. 

  34. 

  35. Document level security takes into account each role held by the user and
    36. 

  36. combines each document level security query for a given data stream or index with an "OR". This
    37. 

  37. means that only one of the role queries must match for a document to be returned.
    38. 

  38. For example, if a role grants access to an index without document level security
    39. 

  39. and another grants access with document level security, document level security
    40. 

  40. is not applied; the user with both roles has access to all of the documents in
    41. 

  41. the index.
    42. 

  42. 

  43. Field level security takes into account each role the user has and combines
    44. 

  44. all of the fields listed into a single set for each data stream or index. For example, if a
    45. 

  45. role grants access to an index without field level security and another grants
    46. 

  46. access with field level security, field level security is not be applied for
    47. 

  47. that index; the user with both roles has access to all of the fields in the
    48. 

  48. index.
    49. 

  49. 

  50. For example, let's say `role_a` grants access to only the `address` field of the
    51. 

  51. documents in `index1`; it doesn't specify any document restrictions. Conversely,
    52. 

  52. `role_b` limits access to a subset of the documents in `index1`; it doesn't
    53. 

  53. specify any field restrictions. If you assign a user both roles, `role_a` gives
    54. 

  54. the user access to all documents and `role_b` gives the user access to all
    55. 

  55. fields.
    56. 

  56. 

  57. If you need to restrict access to both documents and fields, consider splitting
    58. 

  58. documents by index instead.
    59. 

  59. 

  60. include::role-templates.asciidoc[]
    61. 

  61. include::set-security-user.asciidoc[]
    62. 

  62. 

  63. 

  64. [[ccx-apikeys-dls-fls]]
    65. 

  65. ==== Field and document level security with Cross-cluster API keys
    66. 

  66. 

  67. <<security-api-create-cross-cluster-api-key, Cross-Cluster API keys>> can be used to authenticate
    68. 

  68. requests to a remote cluster. The `search` parameter defines permissions for cross-cluster search.
    69. 

  69. The `replication` parameter defines permissions for cross-cluster replication.
    70. 

  70. 

  71. `replication` does not support any field or document level security. `search` supports field and document level security.
    72. 

  72. 

  73. For reasons similar to those described in <<multiple-roles-dls-fls,Multiple roles with document and field level security>>,
    74. 

  74. you can't create a single cross-cluster API key with both the `search` and `replication` parameters if the
    75. 

  75. `search` parameter has document or field level security defined.
    76. 

  76. 

  77. If you need to use both of these parameters, and you need to define document or field level security for the `search` parameter,
    78. 

  78. create two separate cross-cluster API keys, one using the `search` parameter,
    79. 

  79. and one using the `replication` parameter. You will also need to set up two different
    80. 

  80. remote connections to the same cluster, with each named connection using the appropriate cross-cluster API key.
    81. 

  81. 

  82. 

  83. 

  84. 

  85.