IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Create or update role API
editCreate or update role API
editCreates a new Kibana role, or updates the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.
The underlying mechanism of enforcing role-based access control is stable, but the APIs for managing the roles are experimental.
Request
editPUT /api/security/role/my_kibana_role
Prerequisite
editTo use the create or update role API, you must have the manage_security
cluster privilege.
Request body
edit-
metadata
-
(Optional, object) In the
metadata
object, keys that begin with_
are reserved for system usage. -
elasticsearch
-
(Optional, object) Elasticsearch cluster and index privileges. Valid keys include
cluster
,indices
, andrun_as
. For more information, see Defining roles. -
kibana
-
(list) Objects that specify the Kibana privileges for the role:
-
base
-
(Optional, list) A base privilege. When specified, the base must be
["all"]
or["read"]
. When thebase
privilege is specified, you are unable to use thefeature
section. "all" grants read/write access to all Kibana features for the specified spaces. "read" grants read-only access to all Kibana features for the specified spaces. -
feature
-
(object) Contains privileges for specific features.
When the
feature
privileges are specified, you are unable to use thebase
section. To retrieve a list of available features, use the features API. -
spaces
-
(list) The spaces to apply the privileges to.
To grant access to all spaces, set to
["*"]
, or omit the value.
-
Response code
edit-
204
- Indicates a successful call.
Examples
editGrant access to various features in all spaces:
PUT /api/security/role/my_kibana_role { "metadata" : { "version" : 1 }, "elasticsearch": { "cluster" : [ ], "indices" : [ ] }, "kibana": [ { "base": [], "feature": { "discover": [ "all" ], "visualize": [ "all" ], "dashboard": [ "all" ], "dev_tools": [ "read" ], "advancedSettings": [ "read" ], "indexPatterns": [ "read" ], "timelion": [ "all" ], "graph": [ "all" ], "apm": [ "read" ], "maps": [ "read" ], "canvas": [ "read" ], "infrastructure": [ "all" ], "logs": [ "all" ], "uptime": [ "all" ] }, "spaces": [ "*" ] } ] }
Grant dashboard-only access to only the Marketing space:
PUT /api/security/role/my_kibana_role { "metadata" : { "version" : 1 }, "elasticsearch": { "cluster" : [ ], "indices" : [ ] }, "kibana": [ { "base": [], "feature": { "dashboard": ["read"] }, "spaces": [ "marketing" ] } ] }
Grant full access to all features in the Default space:
PUT /api/security/role/my_kibana_role { "metadata" : { "version" : 1 }, "elasticsearch": { "cluster" : [ ], "indices" : [ ] }, "kibana": [ { "base": ["all"], "feature": { }, "spaces": [ "default" ] } ] }
Grant different access to different spaces:
PUT /api/security/role/my_kibana_role { "metadata" : { "version" : 1 }, "elasticsearch": { "cluster" : [ ], "indices" : [ ] }, "kibana": [ { "base": [], "feature": { "discover": ["all"], "dashboard": ["all"] }, "spaces": [ "default" ] }, { "base": ["read"], "spaces": [ "marketing", "sales" ] } ] }
Grant access to Kibana and Elasticsearch:
PUT /api/security/role/my_kibana_role { "metadata" : { "version" : 1 }, "elasticsearch": { "cluster" : [ "all" ], "indices" : [ { "names" : [ "index1", "index2" ], "privileges" : [ "all" ], "field_security" : { "grant" : [ "title", "body" ] }, "query" : "{\"match\": {\"title\": \"foo\"}}" } ] }, "kibana": [ { "base": ["all"], "feature": { }, "spaces": [ "default" ] } ] }