From version 5.0 onward, Shield is part of X-Pack. For more information, see Securing the Elastic Stack.
« Reference Shield Settings »
Elastic Docs Shield Reference [2.2] Reference

Privileges

edit

Privileges

edit

This section lists the privileges that you can assign to a role.

Cluster Privileges

edit

all

All cluster administration operations, like snapshotting, node shutdown/restart, settings update or rerouting

monitor

All cluster read-ony operations, like cluster health & state, hot threads, node info, node & cluster stats, snapshot/restore status, pending cluster tasks

manage_shield

All Shield related operations (currently only exposing an API for clearing the realm caches)

Indices Privileges

edit

all

Any action on an index

manage

All monitor privileges plus index administration (aliases, analyze, cache clear, close, delete, exists, flush, mapping, open, optimize, refresh, settings, search shards, templates, validate, warmers)

monitor

All actions, that are required for monitoring and read-only (recovery, segments info, index stats & status)

data_access

A shortcut of all of the below privileges

crud

A shortcut of read and write privileges

read

Read only access to actions (count, explain, get, exists, mget, get indexed scripts, more like this, multi percolate/search/termvector), percolate, scroll, clear_scroll, search, suggest, tv)

search

All of suggest and executing an arbitrary search request (including multi-search API)

get

Allow to execute a GET request for a single document or multiple documents via the multi-get API

suggest

Allow to execute the _suggest API

index

Privilege to index and update documents

create_index

Privilege to create an index. A create index request may contain aliases to be added to the index once created. In that case the request requires manage_aliases privilege as well, on both the index and the aliases names.

manage_aliases

Privilege to add and remove aliases, as well as retrieve aliases information. Note that in order to add an alias to an existing index, the manage_aliases privilege is required on the existing index as well as on the alias name

delete

Privilege to delete documents (includes delete by query)

write

Privilege to index, update, delete, delete by query and bulk operations on documents, in addition to delete and put indexed scripts

Run As Privilege

edit

The run_as permission enables an authenticated user to submit requests on behalf of another user. The value can be a user name or a comma-separated list of user names. (You can also specify users as an array of strings or a YAML sequence.) For more information, see Submitting Requests on Behalf of Other Users.

Action Level Privileges

edit

Although rarely needed, you can also assign privileges for specific Elasticsearch actions. This only applies to publicly available indices and cluster actions.

Cluster actions privileges
edit
  • cluster:admin/render/template/search
  • cluster:admin/repository/delete
  • cluster:admin/repository/get
  • cluster:admin/repository/put
  • cluster:admin/repository/verify
  • cluster:admin/reroute
  • cluster:admin/settings/update
  • cluster:admin/snapshot/create
  • cluster:admin/snapshot/delete
  • cluster:admin/snapshot/get
  • cluster:admin/snapshot/restore
  • cluster:admin/snapshot/status
  • cluster:admin/plugin/license/get
  • cluster:admin/plugin/license/delete
  • cluster:admin/plugin/license/put
  • cluster:admin/shield/realm/cache/clear
  • cluster:monitor/health
  • cluster:monitor/nodes/hot_threads
  • cluster:monitor/nodes/info
  • cluster:monitor/nodes/stats
  • cluster:monitor/state
  • cluster:monitor/stats
  • cluster:monitor/task
  • indices:admin/template/delete
  • indices:admin/template/get
  • indices:admin/template/put

While indices template actions typically relate to indices, they are categorized under cluster actions to avoid potential security leaks. For example, having one user define a template that matches another user’s index.

Indices Actions Privileges
edit
  • indices:admin/aliases
  • indices:admin/aliases/exists
  • indices:admin/aliases/get
  • indices:admin/analyze
  • indices:admin/cache/clear
  • indices:admin/close
  • indices:admin/create
  • indices:admin/delete
  • indices:admin/get
  • indices:admin/exists
  • indices:admin/flush
  • indices:admin/mapping/put
  • indices:admin/mappings/fields/get
  • indices:admin/mappings/get
  • indices:admin/open
  • indices:admin/optimize
  • indices:admin/refresh
  • indices:admin/settings/update
  • indices:admin/shards/search_shards
  • indices:admin/template/delete
  • indices:admin/template/get
  • indices:admin/template/put
  • indices:admin/types/exists
  • indices:admin/upgrade
  • indices:admin/validate/query
  • indices:admin/warmers/delete
  • indices:admin/warmers/get
  • indices:admin/warmers/put
  • indices:monitor/recovery
  • indices:monitor/segments
  • indices:monitor/settings/get
  • indices:monitor/shard_stores
  • indices:monitor/stats
  • indices:monitor/upgrade
  • indices:data/read/count
  • indices:data/read/exists
  • indices:data/read/explain
  • indices:data/read/field_stats
  • indices:data/read/get
  • indices:data/read/mget
  • indices:data/read/mpercolate
  • indices:data/read/msearch
  • indices:data/read/mtv
  • indices:data/read/percolate
  • indices:data/read/script/get
  • indices:data/read/scroll
  • indices:data/read/scroll/clear
  • indices:data/read/search
  • indices:data/read/suggest
  • indices:data/read/tv
  • indices:data/write/bulk
  • indices:data/write/delete
  • indices:data/write/index
  • indices:data/write/script/delete
  • indices:data/write/script/put
  • indices:data/write/update
« Reference Shield Settings »