Loading deploy/config/sg_roles.yml 0 → 100644 +304 −0 Original line number Diff line number Diff line #<sg_role_name>: # cluster: # - '<permission>' # indices: # '<indexname or alias>': # '<type>': # - '<permission>' # _dls_: '<dls query>' # _fls_: # - '<field>' # - '<field>' # When a user make a request to Elasticsearch then the following roles will be evaluated to see if the user has # permissions for the request. A request is always associated with an action and is executed against and index (or alias) # and a type. If a request is executed against all indices (or all types) then the asterix ('*') is needed. # Every role a user has will be examined if it allows the action against an index (or type). At least one role must match # for the request to be successful. If no role match then the request will be denied. Currently a match must happen within # one single role - that means that permissions can not span multiple roles. # For <permission>, <indexname or alias> and <type> simple wildcards and regular expressions are possible. # A asterix (*) will match any character sequence (or an empty sequence) # A question mark (?) will match any single character (but NOT empty character) # Example: '*my*index' will match 'my_first_index' as well as 'myindex' but not 'myindex1' # Example: '?kibana' will match '.kibana' but not 'kibana' # To use a full blown regex you have to pre- and apend a '/' to use regex instead of simple wildcards # '/<java regex>/' # Example: '/\S*/' will match any non whitespace characters # Important: # Index, alias or type names can not contain dots (.) in the <indexname or alias> or <type> expression. # Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys. 
# Workaround: Just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index' # This limitation will likely removed with Search Guard 6 # DLS (Document level security) - NOT FREE FOR COMMERCIAL # http://docs.search-guard.com/v6/document-level-security # FLS (Field level security) - NOT FREE FOR COMMERCIAL # http://docs.search-guard.com/v6/field-level-security # Kibana multitenancy - NOT FREE FOR COMMERCIAL # http://docs.search-guard.com/v6/kibana-multi-tenancy sg_anonymous_role: cluster: - CLUSTER_COMPOSITE_OPS_RO indices: 'public-*': '*': - READ # Allows everything, but no changes to searchguard configuration index sg_all_access: readonly: true cluster: - UNLIMITED indices: '*': '*': - UNLIMITED tenants: admin_tenant: RW # Read all, but no write permissions sg_readall: readonly: true cluster: - CLUSTER_COMPOSITE_OPS_RO indices: '*': '*': - READ # Read all and monitor, but no write permissions sg_readall_and_monitor: cluster: - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS_RO indices: '*': '*': - READ # For users which use kibana, access to indices must be granted separately sg_kibana_user: readonly: true cluster: - INDICES_MONITOR - CLUSTER_COMPOSITE_OPS indices: '?kibana': '*': - MANAGE - INDEX - READ - DELETE '?kibana-6': '*': - MANAGE - INDEX - READ - DELETE '?kibana_*': '*': - MANAGE - INDEX - READ - DELETE '?tasks': '*': - INDICES_ALL '?management-beats': '*': - INDICES_ALL '*': '*': - indices:data/read/field_caps* - indices:data/read/xpack/rollup* - indices:admin/mappings/get* - indices:admin/get # For the kibana server sg_kibana_server: readonly: true cluster: - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS - cluster:admin/xpack/monitoring* - indices:admin/template* - indices:data/read/scroll* indices: '?kibana': '*': - INDICES_ALL '?kibana-6': '*': - INDICES_ALL '?kibana_*': '*': - INDICES_ALL '?reporting*': '*': - INDICES_ALL '?monitoring*': '*': - INDICES_ALL '?tasks': '*': - INDICES_ALL '?management-beats*': '*': - INDICES_ALL '*': 
'*': - "indices:admin/aliases*" # For logstash and beats sg_logstash: cluster: - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS - indices:admin/template/get - indices:admin/template/put indices: 'logstash-*': '*': - CRUD - CREATE_INDEX '*beat*': '*': - CRUD - CREATE_INDEX # Allows adding and modifying repositories and creating and restoring snapshots sg_manage_snapshots: cluster: - MANAGE_SNAPSHOTS indices: '*': '*': - "indices:data/write/index" - "indices:admin/create" # Allows each user to access own named index sg_own_index: cluster: - CLUSTER_COMPOSITE_OPS indices: '${user_name}': '*': - INDICES_ALL ### X-Pack COMPATIBILITY sg_xp_monitoring: readonly: true cluster: - cluster:monitor/xpack/info - cluster:monitor/main - cluster:admin/xpack/monitoring/bulk indices: '?monitor*': '*': - INDICES_ALL sg_xp_alerting: readonly: true cluster: - indices:data/read/scroll - cluster:admin/xpack/watcher* - cluster:monitor/xpack/watcher* indices: '?watches*': '*': - INDICES_ALL '?watcher-history-*': '*': - INDICES_ALL '?triggered_watches': '*': - INDICES_ALL '*': '*': - READ - indices:admin/aliases/get sg_xp_machine_learning: readonly: true cluster: - cluster:admin/persistent* - cluster:internal/xpack/ml* - indices:data/read/scroll* - cluster:admin/xpack/ml* - cluster:monitor/xpack/ml* indices: '*': '*': - READ - indices:admin/get* '?ml-*': '*': - "*" ### LEGACY ROLES, FOR COMPATIBILITY ONLY ### WILL BE REMOVED IN SG7, DO NOT USE ANYMORE sg_readonly_and_monitor: cluster: - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS_RO indices: '*': '*': - READ # Make xpack monitoring work sg_monitor: cluster: - cluster:admin/xpack/monitoring/* - cluster:admin/ingest/pipeline/put - cluster:admin/ingest/pipeline/get - indices:admin/template/get - indices:admin/template/put - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS indices: '?monitor*': '*': - INDICES_ALL '?marvel*': '*': - INDICES_ALL '?kibana*': '*': - READ '*': '*': - indices:data/read/field_caps # Make xpack alerting work sg_alerting: cluster: - 
indices:data/read/scroll - cluster:admin/xpack/watcher/watch/put - cluster:admin/xpack/watcher* - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS indices: '?kibana*': '*': - READ '?watches*': '*': - INDICES_ALL '?watcher-history-*': '*': - INDICES_ALL '?triggered_watches': '*': - INDICES_ALL '*': '*': - READ deploy/config/sg_roles_mapping.yml +5 −1 Original line number Diff line number Diff line Loading @@ -33,3 +33,7 @@ sg_manage_snapshots: sg_own_index: users: - '*' sg_anonymous_role: backendroles: - sg_anonymous_backendrole deploy/docker-compose.es6-1.tmpl.yml +9 −0 Original line number Diff line number Diff line Loading @@ -84,6 +84,11 @@ services: mode: 0600 uid: '1000' gid: '1000' - source: sg-roles target: /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles.yml mode: 0600 uid: '1000' gid: '1000' - source: sg-roles-mapping target: /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml mode: 0600 Loading Loading @@ -155,6 +160,10 @@ configs: name: ${SG_CONFIG_NAME:-sg-config} file: ./config/sg_config.yml sg-roles: name: ${SG_ROLES_NAME:-sg-roles} file: ./config/sg_roles.yml sg-roles-mapping: name: ${SG_ROLES_MAPPING_NAME:-sg-roles-mapping} file: ./config/sg_roles_mapping.yml Loading
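Review bot: `sg_anonymous_role` makes every index matching `'public-*'` (all types) readable without authentication, and `CLUSTER_COMPOSITE_OPS_RO` lets those reads be issued through multi-index read operations as well, so the index naming convention is the only boundary between public and private data; the file says nothing about who may create `public-*` indices or what belongs in them. A comment above the role such as `# Unauthenticated access: anything in an index named 'public-*' is world-readable; create such indices only for data meant to be public` would make that contract visible to whoever adds indices later. The rest of the new file is the Search Guard role template, including the block marked `### LEGACY ROLES, FOR COMPATIBILITY ONLY` / `DO NOT USE ANYMORE` (`sg_readonly_and_monitor`, `sg_monitor`, `sg_alerting`); for a deployment config, dropping roles the file itself tells operators not to use, or noting why they are kept, would shrink the permission surface. The same applies to the repeated rendering of this file section further down the page.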
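Review bot: Mapping `sg_anonymous_backendrole` to `sg_anonymous_role` only takes effect when anonymous authentication is enabled in `sg_config.yml`, and that file is not part of this change, so the diff alone does not show whether this commit actually opens unauthenticated read access to `public-*` indices or merely adds a dormant mapping; the one removed line of this hunk is also not visible in the rendering. A comment on the mapping, `# Only active when anonymous auth is enabled in sg_config.yml; gives unauthenticated requests sg_anonymous_role (read on public-*)`, would tie the two halves together for the reader. The same applies to the repeated copy of this section further down the page.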
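Review bot: The new `sg-roles` and `sg-roles-mapping` configs are mounted into the plugin's `sgconfig` directory, but nothing in the commit shows the step that applies them — Search Guard serves its effective configuration from its own index, which is normally populated from these files by an explicit upload step, so confirm how and when this stack loads them (an edited file that is never uploaded silently changes nothing). As Swarm configs they are also immutable under a given name, which is presumably why the `${SG_ROLES_NAME:-sg-roles}` and `${SG_ROLES_MAPPING_NAME:-sg-roles-mapping}` overrides exist; a comment next to them, `# configs cannot be updated in place: set a new SG_ROLES_NAME / SG_ROLES_MAPPING_NAME after editing the files`, would save the next operator a confusing no-op redeploy. `mode: 0600` with `uid`/`gid` `'1000'` matches the existing `sg-config` entry, which is appropriate for files that define access control. The `services:` hunk's enclosing block starts outside the shown lines, and the same notes apply to the repeated rendering of this section further down the page.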
deploy/config/sg_roles.yml 0 → 100644 +304 −0 Original line number Diff line number Diff line #<sg_role_name>: # cluster: # - '<permission>' # indices: # '<indexname or alias>': # '<type>': # - '<permission>' # _dls_: '<dls query>' # _fls_: # - '<field>' # - '<field>' # When a user make a request to Elasticsearch then the following roles will be evaluated to see if the user has # permissions for the request. A request is always associated with an action and is executed against and index (or alias) # and a type. If a request is executed against all indices (or all types) then the asterix ('*') is needed. # Every role a user has will be examined if it allows the action against an index (or type). At least one role must match # for the request to be successful. If no role match then the request will be denied. Currently a match must happen within # one single role - that means that permissions can not span multiple roles. # For <permission>, <indexname or alias> and <type> simple wildcards and regular expressions are possible. # A asterix (*) will match any character sequence (or an empty sequence) # A question mark (?) will match any single character (but NOT empty character) # Example: '*my*index' will match 'my_first_index' as well as 'myindex' but not 'myindex1' # Example: '?kibana' will match '.kibana' but not 'kibana' # To use a full blown regex you have to pre- and apend a '/' to use regex instead of simple wildcards # '/<java regex>/' # Example: '/\S*/' will match any non whitespace characters # Important: # Index, alias or type names can not contain dots (.) in the <indexname or alias> or <type> expression. # Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys. 
# Workaround: Just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index' # This limitation will likely removed with Search Guard 6 # DLS (Document level security) - NOT FREE FOR COMMERCIAL # http://docs.search-guard.com/v6/document-level-security # FLS (Field level security) - NOT FREE FOR COMMERCIAL # http://docs.search-guard.com/v6/field-level-security # Kibana multitenancy - NOT FREE FOR COMMERCIAL # http://docs.search-guard.com/v6/kibana-multi-tenancy sg_anonymous_role: cluster: - CLUSTER_COMPOSITE_OPS_RO indices: 'public-*': '*': - READ # Allows everything, but no changes to searchguard configuration index sg_all_access: readonly: true cluster: - UNLIMITED indices: '*': '*': - UNLIMITED tenants: admin_tenant: RW # Read all, but no write permissions sg_readall: readonly: true cluster: - CLUSTER_COMPOSITE_OPS_RO indices: '*': '*': - READ # Read all and monitor, but no write permissions sg_readall_and_monitor: cluster: - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS_RO indices: '*': '*': - READ # For users which use kibana, access to indices must be granted separately sg_kibana_user: readonly: true cluster: - INDICES_MONITOR - CLUSTER_COMPOSITE_OPS indices: '?kibana': '*': - MANAGE - INDEX - READ - DELETE '?kibana-6': '*': - MANAGE - INDEX - READ - DELETE '?kibana_*': '*': - MANAGE - INDEX - READ - DELETE '?tasks': '*': - INDICES_ALL '?management-beats': '*': - INDICES_ALL '*': '*': - indices:data/read/field_caps* - indices:data/read/xpack/rollup* - indices:admin/mappings/get* - indices:admin/get # For the kibana server sg_kibana_server: readonly: true cluster: - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS - cluster:admin/xpack/monitoring* - indices:admin/template* - indices:data/read/scroll* indices: '?kibana': '*': - INDICES_ALL '?kibana-6': '*': - INDICES_ALL '?kibana_*': '*': - INDICES_ALL '?reporting*': '*': - INDICES_ALL '?monitoring*': '*': - INDICES_ALL '?tasks': '*': - INDICES_ALL '?management-beats*': '*': - INDICES_ALL '*': 
'*': - "indices:admin/aliases*" # For logstash and beats sg_logstash: cluster: - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS - indices:admin/template/get - indices:admin/template/put indices: 'logstash-*': '*': - CRUD - CREATE_INDEX '*beat*': '*': - CRUD - CREATE_INDEX # Allows adding and modifying repositories and creating and restoring snapshots sg_manage_snapshots: cluster: - MANAGE_SNAPSHOTS indices: '*': '*': - "indices:data/write/index" - "indices:admin/create" # Allows each user to access own named index sg_own_index: cluster: - CLUSTER_COMPOSITE_OPS indices: '${user_name}': '*': - INDICES_ALL ### X-Pack COMPATIBILITY sg_xp_monitoring: readonly: true cluster: - cluster:monitor/xpack/info - cluster:monitor/main - cluster:admin/xpack/monitoring/bulk indices: '?monitor*': '*': - INDICES_ALL sg_xp_alerting: readonly: true cluster: - indices:data/read/scroll - cluster:admin/xpack/watcher* - cluster:monitor/xpack/watcher* indices: '?watches*': '*': - INDICES_ALL '?watcher-history-*': '*': - INDICES_ALL '?triggered_watches': '*': - INDICES_ALL '*': '*': - READ - indices:admin/aliases/get sg_xp_machine_learning: readonly: true cluster: - cluster:admin/persistent* - cluster:internal/xpack/ml* - indices:data/read/scroll* - cluster:admin/xpack/ml* - cluster:monitor/xpack/ml* indices: '*': '*': - READ - indices:admin/get* '?ml-*': '*': - "*" ### LEGACY ROLES, FOR COMPATIBILITY ONLY ### WILL BE REMOVED IN SG7, DO NOT USE ANYMORE sg_readonly_and_monitor: cluster: - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS_RO indices: '*': '*': - READ # Make xpack monitoring work sg_monitor: cluster: - cluster:admin/xpack/monitoring/* - cluster:admin/ingest/pipeline/put - cluster:admin/ingest/pipeline/get - indices:admin/template/get - indices:admin/template/put - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS indices: '?monitor*': '*': - INDICES_ALL '?marvel*': '*': - INDICES_ALL '?kibana*': '*': - READ '*': '*': - indices:data/read/field_caps # Make xpack alerting work sg_alerting: cluster: - 
indices:data/read/scroll - cluster:admin/xpack/watcher/watch/put - cluster:admin/xpack/watcher* - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS indices: '?kibana*': '*': - READ '?watches*': '*': - INDICES_ALL '?watcher-history-*': '*': - INDICES_ALL '?triggered_watches': '*': - INDICES_ALL '*': '*': - READ
deploy/config/sg_roles_mapping.yml +5 −1 Original line number Diff line number Diff line Loading @@ -33,3 +33,7 @@ sg_manage_snapshots: sg_own_index: users: - '*' sg_anonymous_role: backendroles: - sg_anonymous_backendrole
deploy/docker-compose.es6-1.tmpl.yml +9 −0 Original line number Diff line number Diff line Loading @@ -84,6 +84,11 @@ services: mode: 0600 uid: '1000' gid: '1000' - source: sg-roles target: /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles.yml mode: 0600 uid: '1000' gid: '1000' - source: sg-roles-mapping target: /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml mode: 0600 Loading Loading @@ -155,6 +160,10 @@ configs: name: ${SG_CONFIG_NAME:-sg-config} file: ./config/sg_config.yml sg-roles: name: ${SG_ROLES_NAME:-sg-roles} file: ./config/sg_roles.yml sg-roles-mapping: name: ${SG_ROLES_MAPPING_NAME:-sg-roles-mapping} file: ./config/sg_roles_mapping.yml