5 # '<indexname or alias>':
13 # When a user makes a request to Elasticsearch, the following roles are evaluated to see whether the user has
14 # permissions for the request. A request is always associated with an action and is executed against an index (or alias)
15 # and a type. If a request is executed against all indices (or all types) then the asterisk ('*') is needed.
16 # Every role a user has is examined to see whether it allows the action against an index (or type). At least one role must match
17 # for the request to be successful. If no role matches, the request is denied. Currently a match must happen within
18 # one single role - that means that permissions cannot span multiple roles.
20 # For <permission>, <indexname or alias> and <type>, simple wildcards and regular expressions are possible.
21 # An asterisk (*) will match any character sequence (or an empty sequence)
22 # A question mark (?) will match any single character (but NOT an empty sequence)
23 # Example: '*my*index' will match 'my_first_index' as well as 'myindex' but not 'myindex1'
24 # Example: '?kibana' will match '.kibana' but not 'kibana'
26 # To use a full-blown regex instead of simple wildcards, prepend and append a '/' to the expression
28 # Example: '/\S*/' will match any non whitespace characters
31 # Index, alias or type names cannot contain dots (.) in the <indexname or alias> or <type> expression.
32 # The reason is that we currently parse the config file into an Elasticsearch settings object, which cannot cope with dots in keys.
33 # Workaround: Just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index'. Note that '?' matches any single character, so '?kibana' also matches names such as 'xkibana', not only '.kibana'.
34 # This limitation will likely be removed with Search Guard 6
37 # Allows everything, but no changes to searchguard configuration index
49 # Read all, but no write permissions
53 - CLUSTER_COMPOSITE_OPS_RO
59 # Read all and monitor, but no write permissions
60 sg_readall_and_monitor:
63 - CLUSTER_COMPOSITE_OPS_RO
69 # For users which use kibana, access to indices must be granted separately
74 - CLUSTER_COMPOSITE_OPS
102 - indices:data/read/field_caps*
103 - indices:data/read/xpack/rollup*
104 - indices:admin/mappings/get*
107 # For the kibana server
112 - CLUSTER_COMPOSITE_OPS
113 - cluster:admin/xpack/monitoring*
114 - indices:admin/template*
115 - indices:data/read/scroll*
135 '?management-beats*':
140 - "indices:admin/aliases*"
142 # For logstash and beats
147 - CLUSTER_COMPOSITE_OPS
148 - indices:admin/template/get
149 - indices:admin/template/put
167 # Allows adding and modifying repositories and creating and restoring snapshots
174 - "indices:data/write/index"
175 - "indices:admin/create"
177 # Allows each user to access own named index
180 - CLUSTER_COMPOSITE_OPS
186 ### X-Pack COMPATIBILITY
190 - cluster:monitor/xpack/info
191 - cluster:monitor/main
192 - cluster:admin/xpack/monitoring/bulk
201 - indices:data/read/scroll
202 - cluster:admin/xpack/watcher*
203 - cluster:monitor/xpack/watcher*
208 '?watcher-history-*':
211 '?triggered_watches':
217 - indices:admin/aliases/get
219 sg_xp_machine_learning:
222 - cluster:admin/persistent*
223 - cluster:internal/xpack/ml*
224 - indices:data/read/scroll*
225 - cluster:admin/xpack/ml*
226 - cluster:monitor/xpack/ml*
237 ### LEGACY ROLES, FOR COMPATIBILITY ONLY
238 ### WILL BE REMOVED IN SG7, DO NOT USE ANYMORE
240 sg_readonly_and_monitor:
243 - CLUSTER_COMPOSITE_OPS_RO
249 # Make xpack monitoring work
252 - cluster:admin/xpack/monitoring/*
253 - cluster:admin/ingest/pipeline/put
254 - cluster:admin/ingest/pipeline/get
255 - indices:admin/template/get
256 - indices:admin/template/put
258 - CLUSTER_COMPOSITE_OPS
271 - indices:data/read/field_caps
273 # Make xpack alerting work
276 - indices:data/read/scroll
277 - cluster:admin/xpack/watcher/watch/put
278 - cluster:admin/xpack/watcher*
280 - CLUSTER_COMPOSITE_OPS
288 '?watcher-history-*':
291 '?triggered_watches':