Configuring Role-based Access Control

Shield introduces the concept of action authorization to Elasticsearch. Action authorization restricts the actions a user can execute on the cluster. Shield implements authorization as Role-Based Access Control (RBAC): every action is denied by default, and a user can execute an action only if one of the roles assigned to that user explicitly allows it. Users are associated with roles, and each role defines the set of actions its members are allowed to perform.

Roles, Permissions and Privileges

Privileges are actions or a set of actions that users may execute in Elasticsearch. For example, the ability to run a query is a privilege.

A permission is a set of privileges associated with one or more secured objects. For example, a permission could allow querying or reading all documents of index i1. There are two types of secured object in Elasticsearch: the cluster and indices. Cluster permissions grant access to cluster-wide administrative and monitoring actions. Index permissions grant data access, including administrative and monitoring actions, on specific indices in the cluster.

A role is a named set of permissions. For example, you could define a role for a logging administrator that is allowed to take all actions on any index whose name matches logs-*. Roles only grant rights; a user who holds several roles gets the union of their permissions, and anything no role grants stays denied.

As an administrator, you will need to define the roles that you want to use, then assign users to the roles.
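The following is an added example, not Shield's own code: a small Python evaluator that mirrors the layers described above (privileges, permissions on the cluster or on index name patterns, roles, and user-to-role assignment) so the deny-by-default evaluation can be traced on sample input. The role and user tables are constructed for the example and are laid out like a roles.yml file; that layout, and the concrete action names placed inside each named privilege, are assumptions made for illustration rather than Shield's actual schema or action list.

```python
"""Toy Shield-style RBAC evaluator (added example, not Shield code).

Concepts mirrored from the text:
  privilege  -> a named set of actions ("read", "all", "monitor", ...)
  permission -> privileges attached to a secured object (cluster or an
                index name pattern)
  role       -> a named set of permissions
  user       -> assigned zero or more roles
Everything not granted by some role is denied.
"""
from fnmatch import fnmatchcase

# Constructed role definitions, laid out like a roles.yml (assumed layout):
# role name -> cluster privileges and per-index-pattern privileges.
ROLES = {
    "logging_admin": {"cluster": [],          "indices": {"logs-*": ["all"]}},
    "monitoring":    {"cluster": ["monitor"], "indices": {}},
    "reader":        {"cluster": [],          "indices": {"*": ["read"]}},
}

# Constructed user-to-role mapping (in Shield this comes from the realm).
USERS = {
    "alice":   ["logging_admin"],
    "bob":     ["reader", "monitoring"],
    "mallory": [],                 # authenticated, but holds no role
}

# Illustrative expansion of named privileges into actions (assumed, not
# Shield's real action list). "all" is a superset of the others.
INDEX_PRIVILEGES = {
    "all":   {"read", "write", "delete", "create_index", "manage"},
    "read":  {"read"},
    "write": {"write"},
}
CLUSTER_PRIVILEGES = {
    "all":     {"monitor", "manage", "manage_security"},
    "monitor": {"monitor"},
}


def index_allowed(user, action, index):
    """Deny by default: True only if some role of `user` carries a
    privilege containing `action` on a pattern that matches `index`."""
    for role_name in USERS.get(user, []):
        for pattern, privs in ROLES[role_name]["indices"].items():
            if not fnmatchcase(index, pattern):
                continue
            if any(action in INDEX_PRIVILEGES.get(p, set()) for p in privs):
                return True
    return False


def cluster_allowed(user, action):
    """Same rule for the cluster as a secured object."""
    for role_name in USERS.get(user, []):
        for priv in ROLES[role_name]["cluster"]:
            if action in CLUSTER_PRIVILEGES.get(priv, set()):
                return True
    return False


def effective_index_actions(user, index):
    """Union of the actions every role of `user` grants on `index`.
    Roles only add rights; there is nothing here that subtracts them."""
    actions = set()
    for role_name in USERS.get(user, []):
        for pattern, privs in ROLES[role_name]["indices"].items():
            if fnmatchcase(index, pattern):
                for p in privs:
                    actions |= INDEX_PRIVILEGES.get(p, set())
    return actions


if __name__ == "__main__":
    for user in USERS:
        print(user, "on logs-2015.10.01:",
              sorted(effective_index_actions(user, "logs-2015.10.01")),
              "| cluster monitor:", cluster_allowed(user, "monitor"))
```

The check to take away is the last branch of `index_allowed`: an unknown user, a user with no roles, or an index that matches none of a role's patterns all fall through to the same `False`, which is what "restricted by default" means in practice. Note also that `bob` keeps only `read` on `logs-*` even though `alice` has `all` there; roles combine by union within one user, never across users.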