5 # '<indexname or alias>':
13 # When a user makes a request to Elasticsearch, the following roles are evaluated to see whether the user has
14 # permissions for the request. A request is always associated with an action and is executed against an index (or alias)
15 # and a type. If a request is executed against all indices (or all types), then the asterisk ('*') is needed.
16 # Every role a user has will be examined to see whether it allows the action against an index (or type). At least one role must match
17 # for the request to be successful. If no role matches, the request will be denied. Currently a match must happen within
18 # one single role - that means that permissions cannot span multiple roles.
20 # For <permission>, <indexname or alias> and <type> simple wildcards and regular expressions are possible.
21 # An asterisk (*) will match any character sequence (or an empty sequence)
22 # A question mark (?) will match any single character (but NOT empty character)
23 # Example: '*my*index' will match 'my_first_index' as well as 'myindex' but not 'myindex1'
24 # Example: '?kibana' will match '.kibana' but not 'kibana'
26 # To use a full-blown regex instead of simple wildcards, you have to prepend and append a '/' to the expression
28 # Example: '/\S*/' will match any non-whitespace characters
31 # Index, alias or type names cannot contain dots (.) in the <indexname or alias> or <type> expression.
32 # The reason is that we currently parse the config file into an Elasticsearch settings object, which cannot cope with dots in keys.
33 # Workaround: Just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index'. Because '?' matches any single character, such a pattern also matches names like 'xkibana', so grant permissions on it with that wider match in mind.
34 # This limitation will likely be removed with Search Guard 6
36 # Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free;
37 # see https://github.com/floragunncom/search-guard. The features enabled in this configuration
38 # file include only those that are licensed under Apache-2.0. Please use care and review SearchGuard's
39 # license details before enabling any additional features here.
41 # Allows everything, but no changes to searchguard configuration index
53 # Read all, but no write permissions
57 - CLUSTER_COMPOSITE_OPS_RO
63 # Read all and monitor, but no write permissions
64 sg_readall_and_monitor:
67 - CLUSTER_COMPOSITE_OPS_RO
73 # For users which use kibana, access to indices must be granted separately
78 - CLUSTER_COMPOSITE_OPS
106 - indices:data/read/field_caps*
107 - indices:data/read/xpack/rollup*
108 - indices:admin/mappings/get*
111 # For the kibana server
116 - CLUSTER_COMPOSITE_OPS
117 - cluster:admin/xpack/monitoring*
118 - indices:admin/template*
119 - indices:data/read/scroll*
139 '?management-beats*':
144 - "indices:admin/aliases*"
146 # For logstash and beats
151 - CLUSTER_COMPOSITE_OPS
152 - indices:admin/template/get
153 - indices:admin/template/put
171 # Allows adding and modifying repositories and creating and restoring snapshots
178 - "indices:data/write/index"
179 - "indices:admin/create"
181 # Allows each user to access own named index
184 - CLUSTER_COMPOSITE_OPS
190 ### X-Pack COMPATIBILITY
194 - cluster:monitor/xpack/info
195 - cluster:monitor/main
196 - cluster:admin/xpack/monitoring/bulk
205 - indices:data/read/scroll
206 - cluster:admin/xpack/watcher*
207 - cluster:monitor/xpack/watcher*
212 '?watcher-history-*':
215 '?triggered_watches':
221 - indices:admin/aliases/get
223 sg_xp_machine_learning:
226 - cluster:admin/persistent*
227 - cluster:internal/xpack/ml*
228 - indices:data/read/scroll*
229 - cluster:admin/xpack/ml*
230 - cluster:monitor/xpack/ml*
241 ### LEGACY ROLES, FOR COMPATIBILITY ONLY
242 ### WILL BE REMOVED IN SG7, DO NOT USE ANYMORE
244 sg_readonly_and_monitor:
247 - CLUSTER_COMPOSITE_OPS_RO
253 # Make xpack monitoring work
256 - cluster:admin/xpack/monitoring/*
257 - cluster:admin/ingest/pipeline/put
258 - cluster:admin/ingest/pipeline/get
259 - indices:admin/template/get
260 - indices:admin/template/put
262 - CLUSTER_COMPOSITE_OPS
275 - indices:data/read/field_caps
277 # Make xpack alerting work
280 - indices:data/read/scroll
281 - cluster:admin/xpack/watcher/watch/put
282 - cluster:admin/xpack/watcher*
284 - CLUSTER_COMPOSITE_OPS
292 '?watcher-history-*':
295 '?triggered_watches':