mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-04-25 07:37:19 -04:00
255c9a7f95
**Problem:** For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`. **Solution:** - Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory - Update doc snippet tests to use security Rel: https://github.com/elastic/platform-docs-team/issues/208
107 lines
2.8 KiB
Text
107 lines
2.8 KiB
Text
[role="xpack"]
|
|
[[securing-aliases]]
|
|
=== Granting privileges for data streams and aliases
|
|
|
|
{es} {security-features} allow you to secure operations executed against
|
|
<<data-streams,data streams>> and <<aliases,aliases>>.
|
|
|
|
[[data-stream-privileges]]
|
|
==== Data stream privileges
|
|
|
|
// tag::data-stream-security[]
|
|
Use <<privileges-list-indices,index privileges>> to control access to a data
|
|
stream. Granting privileges on a data stream grants the same privileges on its
|
|
backing indices.
|
|
// end::data-stream-security[]
|
|
|
|
For example, `my-data-stream` consists of two backing indices:
|
|
`.ds-my-data-stream-2099.03.07-000001` and
|
|
`.ds-my-data-stream-2099.03.08-000002`.
|
|
|
|
A user is granted the `read` privilege to `my-data-stream`.
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
{
|
|
"names" : [ "my-data-stream" ],
|
|
"privileges" : [ "read" ]
|
|
}
|
|
--------------------------------------------------
|
|
// NOTCONSOLE
|
|
|
|
Because the user is automatically granted the same privileges to the stream's
|
|
backing indices, the user can retrieve a document directly from
|
|
`.ds-my-data-stream-2099.03.08-000002`:
|
|
|
|
////
|
|
[source,console]
|
|
----
|
|
PUT my-index/_doc/2
|
|
{
|
|
"my-field": "foo"
|
|
}
|
|
----
|
|
////
|
|
|
|
[source,console]
|
|
----
|
|
GET .ds-my-data-stream-2099.03.08-000002/_doc/2
|
|
----
|
|
// TEST[continued]
|
|
// TEST[s/.ds-my-data-stream-2099.03.08-000002/my-index/]
|
|
|
|
Later `my-data-stream` <<manually-roll-over-a-data-stream,rolls over>>. This
|
|
creates a new backing index: `.ds-my-data-stream-2099.03.09-000003`. Because the
|
|
user still has the `read` privilege for `my-data-stream`, the user can retrieve
|
|
documents directly from `.ds-my-data-stream-2099.03.09-000003`:
|
|
|
|
[source,console]
|
|
----
|
|
GET .ds-my-data-stream-2099.03.09-000003/_doc/2
|
|
----
|
|
// TEST[continued]
|
|
// TEST[s/.ds-my-data-stream-2099.03.09-000003/my-index/]
|
|
|
|
[[index-alias-privileges]]
|
|
==== Alias privileges
|
|
|
|
Use <<privileges-list-indices,index privileges>> to control access to an
|
|
<<aliases,alias>>. Privileges on an index or data stream do not grant privileges
|
|
on its aliases. For information about managing aliases, see <<aliases>>.
|
|
|
|
IMPORTANT: Don't use <<filter-alias,filtered aliases>> in place of
|
|
<<document-level-security,document level security>>. {es} doesn't always apply
|
|
alias filters.
|
|
|
|
For example, the `current_year` alias points only to the `2015` index. A user is
|
|
granted the `read` privilege for the `2015` index.
|
|
|
|
[source,js]
|
|
----
|
|
{
|
|
"names" : [ "2015" ],
|
|
"privileges" : [ "read" ]
|
|
}
|
|
----
|
|
// NOTCONSOLE
|
|
|
|
When the user attempts to retrieve a document from the `current_year` alias,
|
|
{es} rejects the request.
|
|
|
|
[source,console]
|
|
----
|
|
GET current_year/_doc/1
|
|
----
|
|
// TEST[s/^/PUT 2015\n{"aliases": {"current_year": {}}}\nPUT 2015\/_doc\/1\n{}\n/]
|
|
|
|
To retrieve documents from `current_year`, the user must have the `read` index
|
|
privilege for the alias.
|
|
|
|
[source,js]
|
|
----
|
|
{
|
|
"names" : [ "current_year" ],
|
|
"privileges" : [ "read" ]
|
|
}
|
|
----
|
|
// NOTCONSOLE
|