mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-04-25 23:57:20 -04:00
3b827f6a8c
* Create manage_seaech_connector privilege
* `manage_search_connector` -> `manage_connector` and exclude connector secrets patterns from this privilege
* Add `monitor_connector` privilege
* Update Kibana system privilege to monitor_connector for telemetry
* Rename privilege to 'manage_connector_state'
Since privilege names are often namespaced and used with globs, we want to ensure that if there's a future privilege like `manage_connector_secrets`, that it is not implicitly included in this new privileg's <name>*. By extending the privilege name to include "_state", we better namespace this distinct from any "_secrets" namespace.
* Revert "Rename privilege to 'manage_connector_state'"
This reverts commit 70b89eee76.
After further discussion with the security team, this name change is not needed after all
since the secret management privileges aren't currently prefixed with "manage_"
---------
Co-authored-by: Sean Story <sean.j.story@gmail.com>
158 lines
4 KiB
Text
158 lines
4 KiB
Text
|
|
[role="xpack"]
|
|
[[security-api-get-builtin-privileges]]
|
|
=== Get builtin privileges API
|
|
++++
|
|
<titleabbrev>Get builtin privileges</titleabbrev>
|
|
++++
|
|
|
|
Retrieves the list of <<privileges-list-cluster,cluster privileges>> and
|
|
<<privileges-list-indices,index privileges>> that are
|
|
available in this version of {es}.
|
|
|
|
[[security-api-get-builtin-privileges-request]]
|
|
==== {api-request-title}
|
|
|
|
`GET /_security/privilege/_builtin`
|
|
|
|
|
|
[[security-api-get-builtin-privileges-prereqs]]
|
|
==== {api-prereq-title}
|
|
|
|
* To use this API, you must have the `read_security` cluster privilege
|
|
(or a greater privilege such as `manage_security` or `all`).
|
|
|
|
[[security-api-get-builtin-privileges-desc]]
|
|
==== {api-description-title}
|
|
|
|
This API retrieves the set of cluster and index privilege names that are
|
|
available in the version of {es} that is being queried.
|
|
|
|
To check whether a user has particular privileges, use the
|
|
<<security-api-has-privileges,has privileges API>>.
|
|
|
|
|
|
[[security-api-get-builtin-privileges-response-body]]
|
|
==== {api-response-body-title}
|
|
|
|
The response is an object with two fields:
|
|
|
|
`cluster`:: (array of string) The list of
|
|
<<privileges-list-cluster,cluster privileges>> that are understood by this
|
|
version of {es}.
|
|
|
|
`index`:: (array of string) The list of
|
|
<<privileges-list-indices,index privileges>> that are understood by this version
|
|
of {es}.
|
|
|
|
`remote_cluster`:: (array of string) The list of
|
|
<<roles-remote-cluster-priv, remote_cluster>> privileges that are understood by this version
|
|
of {es}.
|
|
|
|
[[security-api-get-builtin-privileges-example]]
|
|
==== {api-examples-title}
|
|
|
|
The following example retrieves the names of all builtin privileges:
|
|
|
|
[source,console]
|
|
--------------------------------------------------
|
|
GET /_security/privilege/_builtin
|
|
--------------------------------------------------
|
|
|
|
A successful call returns an object with "cluster", "index", and "remote_cluster" fields.
|
|
|
|
[source,console-result]
|
|
--------------------------------------------------
|
|
{
|
|
"cluster" : [
|
|
"all",
|
|
"cancel_task",
|
|
"create_snapshot",
|
|
"cross_cluster_replication",
|
|
"cross_cluster_search",
|
|
"delegate_pki",
|
|
"grant_api_key",
|
|
"manage",
|
|
"manage_api_key",
|
|
"manage_autoscaling",
|
|
"manage_behavioral_analytics",
|
|
"manage_ccr",
|
|
"manage_connector",
|
|
"manage_data_frame_transforms",
|
|
"manage_data_stream_global_retention",
|
|
"manage_enrich",
|
|
"manage_ilm",
|
|
"manage_index_templates",
|
|
"manage_inference",
|
|
"manage_ingest_pipelines",
|
|
"manage_logstash_pipelines",
|
|
"manage_ml",
|
|
"manage_oidc",
|
|
"manage_own_api_key",
|
|
"manage_pipeline",
|
|
"manage_rollup",
|
|
"manage_saml",
|
|
"manage_search_application",
|
|
"manage_search_query_rules",
|
|
"manage_search_synonyms",
|
|
"manage_security",
|
|
"manage_service_account",
|
|
"manage_slm",
|
|
"manage_token",
|
|
"manage_transform",
|
|
"manage_user_profile",
|
|
"manage_watcher",
|
|
"monitor",
|
|
"monitor_connector",
|
|
"monitor_data_frame_transforms",
|
|
"monitor_data_stream_global_retention",
|
|
"monitor_enrich",
|
|
"monitor_inference",
|
|
"monitor_ml",
|
|
"monitor_rollup",
|
|
"monitor_snapshot",
|
|
"monitor_text_structure",
|
|
"monitor_transform",
|
|
"monitor_watcher",
|
|
"none",
|
|
"post_behavioral_analytics_event",
|
|
"read_ccr",
|
|
"read_connector_secrets",
|
|
"read_fleet_secrets",
|
|
"read_ilm",
|
|
"read_pipeline",
|
|
"read_security",
|
|
"read_slm",
|
|
"transport_client",
|
|
"write_connector_secrets",
|
|
"write_fleet_secrets"
|
|
],
|
|
"index" : [
|
|
"all",
|
|
"auto_configure",
|
|
"create",
|
|
"create_doc",
|
|
"create_index",
|
|
"cross_cluster_replication",
|
|
"cross_cluster_replication_internal",
|
|
"delete",
|
|
"delete_index",
|
|
"index",
|
|
"maintenance",
|
|
"manage",
|
|
"manage_data_stream_lifecycle",
|
|
"manage_follow_index",
|
|
"manage_ilm",
|
|
"manage_leader_index",
|
|
"monitor",
|
|
"none",
|
|
"read",
|
|
"read_cross_cluster",
|
|
"view_index_metadata",
|
|
"write"
|
|
],
|
|
"remote_cluster" : [
|
|
"monitor_enrich"
|
|
]
|
|
}
|
|
--------------------------------------------------
|