elasticsearch/docs/reference/security/authorization/document-level-security.asciidoc
James Rodewig 255c9a7f95
[DOCS] Move x-pack docs to docs/reference dir (#99209)
**Problem:**
For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`. 

**Solution:**
- Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory
- Update doc snippet tests to use security

Rel: https://github.com/elastic/platform-docs-team/issues/208
2023-09-12 14:53:41 -04:00

[role="xpack"]
[[document-level-security]]
=== Document level security
Document level security restricts the documents that users have read access to.
In particular, it restricts which documents can be accessed from document-based
read APIs.

To enable document level security, you use a query to specify the documents that
each role can access. The document `query` is associated with a particular data
stream, index, or wildcard (`*`) pattern and operates in conjunction with the
privileges specified for the data streams and indices.

The specified document `query`:

* Expects the same format as if it was defined in the search request
* Supports <<templating-role-query,templating a role query>> that can access
the details of the currently authenticated user
* Accepts queries written as either string values or nested JSON
* Supports the majority of the {es}
<<query-dsl,Query Domain Specific Language (DSL)>>, with <<field-document-limitations,some limitations>> for field and document level security

IMPORTANT: Omitting the `query` parameter entirely disables document level
security for the respective indices permission entry.

The following role definition grants read access only to documents that
belong to the `click` category within all the `events-*` data streams and indices:

[source,console]
----
POST /_security/role/click_role
{
  "indices": [
    {
      "names": [ "events-*" ],
      "privileges": [ "read" ],
      "query": "{\"match\": {\"category\": \"click\"}}"
    }
  ]
}
----

You can write this same query using nested JSON syntax:

[source,console]
----
POST _security/role/click_role
{
  "indices": [
    {
      "names": [ "events-*" ],
      "privileges": [ "read" ],
      "query": {
        "match": {
          "category": "click"
        }
      }
    }
  ]
}
----

The following role grants read access only to the documents whose
`department_id` equals `12`:

[source,console]
----
POST /_security/role/dept_role
{
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "read" ],
      "query" : {
        "term" : { "department_id" : 12 }
      }
    }
  ]
}
----
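
The following Python is an added example, not part of the Elasticsearch documentation or code base. It works offline on role bodies shaped like the ones above: it normalises the `query` field from either accepted form (JSON string or nested JSON) so the two spellings of `click_role` compare equal, flags any indices entry that omits `query` (the case the IMPORTANT note warns about, where document level security is switched off for that entry), and resolves which queries apply to a concrete index name through the entry's wildcard patterns. The `mixed_role` body is a constructed sample, and the combination rule used by `applicable_queries` (an entry with no query makes access to the matching index unrestricted, otherwise the list of applicable queries is returned) is an assumption made for the example rather than something this page states.

```python
"""Offline audit of Elasticsearch role bodies for document level security.

Added example, not Elasticsearch code. Pattern matching uses fnmatch, which
covers the `*` wildcard the documentation mentions.
"""
import fnmatch
import json

# Constructed sample input. click_role and dept_role mirror the documented
# bodies; mixed_role is an assumed role whose second entry forgot its query.
SAMPLE_ROLES = {
    "click_role": {"indices": [
        {"names": ["events-*"], "privileges": ["read"],
         "query": "{\"match\": {\"category\": \"click\"}}"},
    ]},
    "dept_role": {"indices": [
        {"names": ["*"], "privileges": ["read"],
         "query": {"term": {"department_id": 12}}},
    ]},
    "mixed_role": {"indices": [  # assumed, not from the documentation
        {"names": ["events-*"], "privileges": ["read"],
         "query": {"term": {"category": "click"}}},
        {"names": ["events-archive"], "privileges": ["read"]},  # no query: DLS off
    ]},
}


def normalize_query(query):
    """Return the role query as a dict whichever accepted form was used.

    A JSON string is parsed; nested JSON is returned as is; None means the
    entry carries no query at all (document level security disabled).
    """
    if query is None:
        return None
    if isinstance(query, str):
        parsed = json.loads(query)
        if not isinstance(parsed, dict):
            raise ValueError("role query string must encode a JSON object")
        return parsed
    if isinstance(query, dict):
        return query
    raise TypeError(f"unsupported query type: {type(query).__name__}")


def audit_role(role):
    """One record per indices entry: (names, privileges, normalised query)."""
    return [
        (tuple(entry.get("names", [])),
         tuple(entry.get("privileges", [])),
         normalize_query(entry.get("query")))
        for entry in role.get("indices", [])
    ]


def unprotected_patterns(role):
    """Name patterns whose indices entry omits `query`, so DLS is not applied."""
    return [name
            for names, _privs, query in audit_role(role)
            if query is None
            for name in names]


def applicable_queries(role, index_name):
    """Queries from every entry whose name patterns cover index_name.

    Assumed combination rule for this example: if any covering entry has no
    query, return None (unrestricted); otherwise the list of covering queries.
    An empty list means no entry in the role covers the index at all.
    """
    queries = []
    for names, _privs, query in audit_role(role):
        if any(fnmatch.fnmatchcase(index_name, pattern) for pattern in names):
            if query is None:
                return None
            queries.append(query)
    return queries


if __name__ == "__main__":
    for name, role in SAMPLE_ROLES.items():
        print(f"{name}: unprotected patterns = {unprotected_patterns(role)}")
    print("mixed_role on events-2024:", applicable_queries(SAMPLE_ROLES["mixed_role"], "events-2024"))
    print("mixed_role on events-archive:", applicable_queries(SAMPLE_ROLES["mixed_role"], "events-archive"))
```

Run it against role bodies pulled from `GET /_security/role` before deployment; any name returned by `unprotected_patterns` is a pattern on which the role reads every document, and `applicable_queries` returning `None` for an index you expected to be filtered is the same problem seen from the index side.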