[role="xpack"]
[[securing-aliases]]
=== Granting privileges for data streams and aliases

{es} {security-features} allow you to secure operations executed against
<<data-streams,data streams>> and <<aliases,aliases>>.

[[data-stream-privileges]]
==== Data stream privileges

// tag::data-stream-security[]
Use <<privileges-list-indices,index privileges>> to control access to a data
stream. Granting privileges on a data stream grants the same privileges on its
backing indices.
// end::data-stream-security[]

For example, `my-data-stream` consists of two backing indices:
`.ds-my-data-stream-2099.03.07-000001` and
`.ds-my-data-stream-2099.03.08-000002`.

A user is granted the `read` privilege to `my-data-stream`.

[source,js]
--------------------------------------------------
{
  "names" : [ "my-data-stream" ],
  "privileges" : [ "read" ]
}
--------------------------------------------------
// NOTCONSOLE

Because the user is automatically granted the same privileges to the stream's
backing indices, the user can retrieve a document directly from
`.ds-my-data-stream-2099.03.08-000002`:

////
[source,console]
----
PUT my-index/_doc/2
{
  "my-field": "foo"
}
----
////

[source,console]
----
GET .ds-my-data-stream-2099.03.08-000002/_doc/2
----
// TEST[continued]
// TEST[s/.ds-my-data-stream-2099.03.08-000002/my-index/]

Later `my-data-stream` <<manually-roll-over-a-data-stream,rolls over>>. This
creates a new backing index: `.ds-my-data-stream-2099.03.09-000003`. Because the
user still has the `read` privilege for `my-data-stream`, the user can retrieve
documents directly from `.ds-my-data-stream-2099.03.09-000003`:

[source,console]
----
GET .ds-my-data-stream-2099.03.09-000003/_doc/2
----
// TEST[continued]
// TEST[s/.ds-my-data-stream-2099.03.09-000003/my-index/]

[[index-alias-privileges]]
==== Alias privileges

Use <<privileges-list-indices,index privileges>> to control access to an
<<aliases,alias>>. Privileges on an index or data stream do not grant privileges
on its aliases. For information about managing aliases, see <<aliases>>.

IMPORTANT: Don't use <<filter-alias,filtered aliases>> in place of
<<document-level-security,document level security>>. {es} doesn't always apply
alias filters.

For example, the `current_year` alias points only to the `2015` index. A user is
granted the `read` privilege for the `2015` index.

[source,js]
----
{
  "names" : [ "2015" ],
  "privileges" : [ "read" ]
}
----
// NOTCONSOLE

When the user attempts to retrieve a document from the `current_year` alias,
{es} rejects the request.

[source,console]
----
GET current_year/_doc/1
----
// TEST[s/^/PUT 2015\n{"aliases": {"current_year": {}}}\nPUT 2015\/_doc\/1\n{}\n/]

To retrieve documents from `current_year`, the user must have the `read` index
privilege for the alias.

[source,js]
----
{
  "names" : [ "current_year" ],
  "privileges" : [ "read" ]
}
----
// NOTCONSOLE