5 # '<indexname or alias>':
13 # When a user makes a request to Elasticsearch, the following roles will be evaluated to see if the user has
14 # permissions for the request. A request is always associated with an action and is executed against an index (or alias)
15 # and a type. If a request is executed against all indices (or all types) then the asterisk ('*') is needed.
16 # Every role a user has will be examined to see if it allows the action against an index (or type). At least one role must match
17 # for the request to be successful. If no role matches then the request will be denied. Currently a match must happen within
18 # one single role - that means that permissions cannot span multiple roles.
20 # For <permission>, <indexname or alias> and <type>, simple wildcards and regular expressions are possible.
21 # An asterisk (*) will match any character sequence (or an empty sequence)
22 # A question mark (?) will match any single character (but NOT an empty character)
23 # Example: '*my*index' will match 'my_first_index' as well as 'myindex' but not 'myindex1'
24 # Example: '?kibana' will match '.kibana' but not 'kibana'
26 # To use a full-blown regex, prepend and append a '/' to use regex instead of simple wildcards
28 # Example: '/\S*/' will match any sequence of non-whitespace characters (i.e. effectively any index or type name, so use such broad patterns deliberately)
31 # Index, alias or type names cannot contain dots (.) in the <indexname or alias> or <type> expression.
32 # The reason is that we currently parse the config file into an Elasticsearch settings object which cannot cope with dots in keys.
33 # Workaround: just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index'.
33 # Note that '?' matches any single character, so '?kibana' also matches names such as 'xkibana', not only '.kibana'.
34 # This limitation will likely be removed with Search Guard 6
36 # DLS (Document level security) - NOT FREE FOR COMMERCIAL
37 # http://docs.search-guard.com/v6/document-level-security
39 # FLS (Field level security) - NOT FREE FOR COMMERCIAL
40 # http://docs.search-guard.com/v6/field-level-security
42 # Kibana multitenancy - NOT FREE FOR COMMERCIAL
43 # http://docs.search-guard.com/v6/kibana-multi-tenancy
45 # Allows everything, but no changes to the searchguard configuration index
57 # Read all, but no write permissions
61 - CLUSTER_COMPOSITE_OPS_RO
67 # Read all and monitor, but no write permissions
68 sg_readall_and_monitor:
71 - CLUSTER_COMPOSITE_OPS_RO
77 # For users who use kibana, access to indices must be granted separately
82 - CLUSTER_COMPOSITE_OPS
110 - indices:data/read/field_caps*
111 - indices:data/read/xpack/rollup*
112 - indices:admin/mappings/get*
115 # For the kibana server
120 - CLUSTER_COMPOSITE_OPS
121 - cluster:admin/xpack/monitoring*
122 - indices:admin/template*
123 - indices:data/read/scroll*
143 '?management-beats*':
148 - "indices:admin/aliases*"
150 # For logstash and beats
155 - CLUSTER_COMPOSITE_OPS
156 - indices:admin/template/get
157 - indices:admin/template/put
175 # Allows adding and modifying repositories and creating and restoring snapshots
182 - "indices:data/write/index"
183 - "indices:admin/create"
185 # Allows each user to access their own named index
188 - CLUSTER_COMPOSITE_OPS
194 ### X-Pack COMPATIBILITY
198 - cluster:monitor/xpack/info
199 - cluster:monitor/main
200 - cluster:admin/xpack/monitoring/bulk
209 - indices:data/read/scroll
210 - cluster:admin/xpack/watcher*
211 - cluster:monitor/xpack/watcher*
216 '?watcher-history-*':
219 '?triggered_watches':
225 - indices:admin/aliases/get
227 sg_xp_machine_learning:
230 - cluster:admin/persistent*
231 - cluster:internal/xpack/ml*
232 - indices:data/read/scroll*
233 - cluster:admin/xpack/ml*
234 - cluster:monitor/xpack/ml*
245 ### LEGACY ROLES, FOR COMPATIBILITY ONLY
246 ### WILL BE REMOVED IN SG7, DO NOT USE ANYMORE
248 sg_readonly_and_monitor:
251 - CLUSTER_COMPOSITE_OPS_RO
257 # Make xpack monitoring work
260 - cluster:admin/xpack/monitoring/*
261 - cluster:admin/ingest/pipeline/put
262 - cluster:admin/ingest/pipeline/get
263 - indices:admin/template/get
264 - indices:admin/template/put
266 - CLUSTER_COMPOSITE_OPS
279 - indices:data/read/field_caps
281 # Make xpack alerting work
284 - indices:data/read/scroll
285 - cluster:admin/xpack/watcher/watch/put
286 - cluster:admin/xpack/watcher*
288 - CLUSTER_COMPOSITE_OPS
296 '?watcher-history-*':
299 '?triggered_watches':