#: # cluster: # - '' # indices: # '': # '': # - '' # _dls_: '' # _fls_: # - '' # - '' # ---------------------- ARTEGIC ------------------------- # Allows everything # but not changes to searchguard config/index sg_abteilung_aspit: cluster: - UNLIMITED indices: '*': '*': - UNLIMITED tenants: aspit_tenant: RW test_tenant_ro: RW # Read all, but no write permissions sg_abteilung_main: cluster: - CLUSTER_COMPOSITE_OPS_RO indices: '*': '*': - READ _dls_: '{"term" : {"_type" : "secure"}}' _fls_: - 'message' - '_type' tenants: main_tenant: RW support_tenant: RO # Read all, but no write permissions sg_abteilung_support: cluster: - CLUSTER_COMPOSITE_OPS_RO indices: '*': '*': - READ tenants: support_tenant: RW main_tenant: RO # ---------------------- ARTEGIC ------------------------- # When a user make a request to elasticsearch then the following roles will be evaluated to see if the user has # permissions for the request. A request is always associated with an action and is executed against and index (or alias) # and a type. If a request is executed against all indices (or all types) then the asterix ('*') is needed. # Every role a user has will be examined if it allows the action against an index (or type). At least one role must match # for the request to be successful. If no role match then the request will be denied. Currently a match must happen within # one single role - that means that permissions can not span multiple roles. # For , and simple wildcards are possible. # A asterix (*) will match any character sequence (or an empty sequence) # A question mark (?) will match any single character (but NOT empty character) # Example: '*my*index' will match 'my_first_index' as well as 'myindex' but not 'myindex1' # Example: '?kibana' will match '.kibana' but not 'kibana' # Note: You cannot have a dot (.) in the , or name/wildcard # For , and are also regular expressions possible. # You have to pre- and apend a '/' to use regex instead of simple wildcards # '//' # Example: '/\S*/' will match any non whitespace characters # Note: You cannot have a dot (.) in the , or regex # Use \S instead # See https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html # DLS (Document level security) - NOT FREE FOR COMMERCIAL # Install https://github.com/floragunncom/search-guard-module-dlsfls # Per Index you can define a DLS query # If more than one DLS query match they will be OR'ed # FLS (Field level security) - NOT FREE FOR COMMERCIAL # Per Index you can define a FLS fields # If more than one FLS config match the field will be appended # Install https://github.com/floragunncom/search-guard-module-dlsfls # Kibana multitenancy - NOT FREE FOR COMMERCIAL # Per role you can define on ore more tenants # https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md # Default role for all users (including anonymous) sg_public: cluster: - cluster:monitor/main - CLUSTER_COMPOSITE_OPS_RO # Allows everything # but not changes to searchguard config/index sg_all_access: cluster: - UNLIMITED indices: '*': '*': - UNLIMITED tenants: adm_tenant: RW test_tenant_ro: RW # Read all and monitor, but no write permissions sg_readonly_and_monitor: cluster: - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS_RO indices: '*': '*': - INDICES_ALL # Read all, but no write permissions sg_readall: cluster: - CLUSTER_COMPOSITE_OPS_RO indices: '*': '*': - READ # For users which use kibana sg_kibana: cluster: - CLUSTER_COMPOSITE_OPS_RO indices: '*': '*': - READ '?kibana': '*': - INDICES_ALL # For the kibana server sg_kibana_server: cluster: - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS indices: '?kibana': '*': - INDICES_ALL # For logstash and beats sg_logstash: cluster: - indices:admin/template/get - indices:admin/template/put - CLUSTER_MONITOR - CLUSTER_COMPOSITE_OPS indices: '*': '*': - CRUD - CREATE_INDEX # Allows each user to access own named index sg_own_index: cluster: - CLUSTER_COMPOSITE_OPS indices: '${user_name}': '*': - INDICES_ALL sg_readonly_dlsfls: cluster: - CLUSTER_COMPOSITE_OPS_RO indices: '/\S*/': '*': - READ _dls_: '{"term" : {"_type" : "legends"}}' _fls_: - 'aaa' - 'bbb' sg_kibana_testindex: cluster: - CLUSTER_COMPOSITE_OPS_RO indices: 'test*': '*': - READ - indices:admin/mappings/fields/get* '?kibana': '*': - INDICES_ALL tenants: test_tenant_rw: RW test_tenant_ro: RO # Examples #sg_role_starfleet: # cluster: # - CLUSTER_COMPOSITE_OPS # indices: # sf: # ships: # - READ # public: # - INDICES_ALL # students: # - READ # alumni: # - READ # 'pub*': # '*': # - READ # tenants: # enterprise_tenant: RW # test_tenant_ro: RW #sg_role_starfleet_captains: # indices: # sf: # '*': # - CRUD # pub*: # '*': # - CRUD # cluster: # - 'cluster:monitor*' # - CLUSTER_COMPOSITE_OPS # tenants: # command_tenant: RW