Defining Roles


Roles are defined in the role definition file roles.yml located in CONFIG_DIR/shield. This is a YAML file where each entry defines the unique role name and the cluster and indices permissions associated with it.

The roles.yml file is managed locally by the node and is not managed globally by the cluster. This means that with a typical multi-node cluster, the exact same changes need to be applied on each and every node in the cluster.

A safer approach would be to apply the change on one of the nodes and have the roles.yml distributed/copied to all other nodes in the cluster (either manually or using a configuration management system such as Puppet or Chef).

The following snippet shows an example configuration:

# All cluster rights
# All operations on all indices
admin:
  cluster: all
  indices:
    '*':
      privileges: all

# Monitoring cluster privileges
# All operations on all indices
power_user:
  cluster: monitor
  indices:
    '*':
      privileges: all

# Only read operations on indices
user:
  indices:
    '*':
      privileges: read

# Only read operations on indices named events_*
events_user:
  indices:
    'events_*':
      privileges: read

A valid role name must be at least 1 character and no longer than 30 characters. It must begin with a letter (a-z) or an underscore (_). Subsequent characters can be letters, underscores (_), digits (0-9), or any of the following symbols: @, -, . or $.

The above example defines these roles:

admin

Has full access (all privileges) on the cluster and full access on all indices in the cluster.

power_user

Has monitoring-only access on the cluster, enabling the user to request cluster metrics, information, and settings, without the ability to update settings. This user also has full access on all indices in the cluster.

user

Cannot update or monitor the cluster. Has read-only access to all indices in the cluster.

events_user

Has read-only access to all indices with the events_ prefix.
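As an added example (not Shield's own code and not part of the original page), the following Python script parses the nested key/value subset of YAML that roles.yml uses, checks each role name against the rule stated above, and flags the broadest grants (cluster: all, or all privileges on every index) so that copies of the file on each node can be reviewed before they are distributed. The parser and the audit logic are assumptions of this example; the sample file is constructed from the roles defined above.

```python
import re

# Role-name rule as the page states it: 1-30 chars, first a letter (a-z) or '_',
# then letters, '_', digits, '@', '-', '.' or '$'.
ROLE_NAME_RE = re.compile(r"^[a-z_][a-z0-9_@\-.$]{0,29}$")

def valid_role_name(name):
    return bool(ROLE_NAME_RE.match(name))

def parse_roles_yml(text):
    # Indentation-driven parser for the nested key/value subset roles.yml uses
    # (nested mappings and scalar values only; '#' comments are stripped).
    root = {}
    stack = [(-1, root)]                          # (indent, mapping) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip().strip("'\""), value.strip()
        while stack[-1][0] >= indent:             # climb back to the right parent
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit_roles(roles):
    # (role, finding) pairs: names breaking the rule and the broadest grants present.
    out = []
    for name, spec in roles.items():
        if not valid_role_name(name):
            out.append((name, "invalid role name"))
        if spec.get("cluster") == "all":
            out.append((name, "cluster: all"))
        if spec.get("indices", {}).get("*", {}).get("privileges") == "all":
            out.append((name, "all privileges on every index"))
    return out

# Constructed sample: two of the roles defined on this page.
SAMPLE_ROLES_YML = """\
admin:            # all cluster rights, all operations on all indices
  cluster: all
  indices:
    '*':
      privileges: all
events_user:
  indices:
    'events_*':
      privileges: read
"""
```

Running `audit_roles(parse_roles_yml(SAMPLE_ROLES_YML))` reports only the admin role, while `valid_role_name("1st_line")` is False because the name starts with a digit.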

See the complete list of available cluster and indices privileges.