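---
# Search Guard configuration bundle for Elasticsearch, shipped as a ConfigMap.
# Each data key is one of the sgconfig files (action groups, authc/authz config,
# internal users, role mappings, roles) and is consumed verbatim by Search Guard.
apiVersion: v1
kind: ConfigMap
metadata:
  name: es-searchguard-config
data:
  # Named permission bundles referenced from sg_roles.yml.
  sg_action_groups.yml: |-
    ---
    UNLIMITED:
      readonly: true
      permissions:
        - "*"

    ###### INDEX LEVEL ######

    INDICES_ALL:
      readonly: true
      permissions:
        - "indices:*"

    # for backward compatibility
    ALL:
      readonly: true
      permissions:
        - INDICES_ALL

    MANAGE:
      readonly: true
      permissions:
        - "indices:monitor/*"
        - "indices:admin/*"

    CREATE_INDEX:
      readonly: true
      permissions:
        - "indices:admin/create"
        - "indices:admin/mapping/put"

    MANAGE_ALIASES:
      readonly: true
      permissions:
        - "indices:admin/aliases*"

    # for backward compatibility
    MONITOR:
      readonly: true
      permissions:
        - INDICES_MONITOR

    INDICES_MONITOR:
      readonly: true
      permissions:
        - "indices:monitor/*"

    DATA_ACCESS:
      readonly: true
      permissions:
        - "indices:data/*"
        - CRUD

    WRITE:
      readonly: true
      permissions:
        - "indices:data/write*"
        - "indices:admin/mapping/put"

    READ:
      readonly: true
      permissions:
        - "indices:data/read*"
        - "indices:admin/mappings/fields/get*"

    DELETE:
      readonly: true
      permissions:
        - "indices:data/write/delete*"

    CRUD:
      readonly: true
      permissions:
        - READ
        - WRITE

    SEARCH:
      readonly: true
      permissions:
        - "indices:data/read/search*"
        - "indices:data/read/msearch*"
        - SUGGEST

    SUGGEST:
      readonly: true
      permissions:
        - "indices:data/read/suggest*"

    INDEX:
      readonly: true
      permissions:
        - "indices:data/write/index*"
        - "indices:data/write/update*"
        - "indices:admin/mapping/put"
        - "indices:data/write/bulk*"

    GET:
      readonly: true
      permissions:
        - "indices:data/read/get*"
        - "indices:data/read/mget*"

    ###### CLUSTER LEVEL ######

    CLUSTER_ALL:
      readonly: true
      permissions:
        - "cluster:*"

    CLUSTER_MONITOR:
      readonly: true
      permissions:
        - "cluster:monitor/*"

    CLUSTER_COMPOSITE_OPS_RO:
      readonly: true
      permissions:
        - "indices:data/read/mget"
        - "indices:data/read/msearch"
        - "indices:data/read/mtv"
        - "indices:data/read/coordinate-msearch*"
        - "indices:admin/aliases/exists*"
        - "indices:admin/aliases/get*"
        - "indices:data/read/scroll"

    CLUSTER_COMPOSITE_OPS:
      readonly: true
      permissions:
        - "indices:data/write/bulk"
        - "indices:admin/aliases*"
        - "indices:data/write/reindex"
        - CLUSTER_COMPOSITE_OPS_RO

    MANAGE_SNAPSHOTS:
      readonly: true
      permissions:
        - "cluster:admin/snapshot/*"
        - "cluster:admin/repository/*"

  # Authentication domains and global Search Guard switches.
  sg_config.yml: |-
    ---
    searchguard:
      dynamic:
        # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
        # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
        # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
        #filtered_alias_mode: warn
        kibana:
          server_username: kibanaserver
          #index: '.kibana'
          multitenancy_enabled: true
          do_not_fail_on_forbidden: true
        http:
          # NOTE(review): anonymous requests are accepted; together with the
          # wildcard `users: - '*'` mapping of sg_own_index in sg_roles_mapping.yml
          # this presumably grants unauthenticated callers that role as well —
          # confirm this is intended before exposing the cluster.
          anonymous_auth_enabled: true
          xff:
            enabled: false
        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          clientcert_auth_domain:
            http_enabled: false
            transport_enabled: false
            order: 2
            http_authenticator:
              type: clientcert
              config:
                username_attribute: cn  #optional, if omitted DN becomes username
              challenge: false
            authentication_backend:
              type: noop

  # Internal user database (bcrypt hashes).
  # NOTE(review): the "#password is:" hints below disclose every credential to
  # anyone with read access to this ConfigMap; consider moving this file into a
  # Secret and dropping the plaintext hints.
  sg_internal_users.yml: |-
    ---
    # This is the internal user database
    # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

    #password is: admin
    # NOTE(review): the backend role here is `sg_all_access`, but
    # sg_roles_mapping.yml maps sg_all_access from backend role `admin`;
    # whether this user actually receives sg_all_access depends on the
    # roles_mapping_resolution setting — verify.
    riadmin:
      readonly: true
      hash: $2y$12$6.xlY/vhvMogkz7fygLn7ezA4yPwPvLMHQVz.JZY8a03vyr8KwjC2
      roles:
        - sg_all_access

    #password is: logstash
    rilogstash:
      readonly: true
      hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2
      roles:
        - logstash

    #password is: kibanaserver
    kibanaserver:
      readonly: true
      hash: $2y$12$jA6kNn/qxHhUBMtqCTGMj.GiHGHZLlMitrsbGgqw2MCMO27LUlukS

    #password is: readall
    readall:
      hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2
      roles:
        - readall

  # Maps users / backend roles to Search Guard roles defined in sg_roles.yml.
  sg_roles_mapping.yml: |-
    ---
    # In this file users, backendroles and hosts can be mapped to Search Guard roles.
    # Permissions for Search Guard roles are configured in sg_roles.yml

    sg_all_access:
      readonly: true
      backendroles:
        - admin

    sg_logstash:
      backendroles:
        - logstash

    sg_kibana_server:
      readonly: true
      users:
        - kibanaserver

    sg_kibana_user:
      backendroles:
        - kibanauser

    sg_readall:
      readonly: true
      backendroles:
        - readall

    sg_manage_snapshots:
      readonly: true
      backendroles:
        - snapshotrestore

    # Every user name matches this pattern, so every authenticated (and, with
    # anonymous_auth_enabled, presumably anonymous) caller receives sg_own_index.
    sg_own_index:
      users:
        - '*'

  # Role definitions. Permission strings are quoted consistently so none of
  # them is ever re-interpreted by the YAML parser.
  sg_roles.yml: |-
    ---
    sg_all_access:
      readonly: true
      cluster:
        - UNLIMITED
      indices:
        '*':
          '*':
            - UNLIMITED
      tenants:
        admin_tenant: RW

    # Read all, but no write permissions
    sg_readall:
      readonly: true
      cluster:
        - CLUSTER_COMPOSITE_OPS_RO
      indices:
        '*':
          '*':
            - READ

    # NOTE(review): ri_client is not referenced in sg_roles_mapping.yml, so it
    # is only reachable if backend roles resolve to Search Guard roles directly.
    ri_client:
      cluster:
        - CLUSTER_COMPOSITE_OPS_RO
      indices:
        '*':
          '*':
            - "indices:data/read/field_caps*"

    # Read all and monitor, but no write permissions
    sg_readall_and_monitor:
      cluster:
        - CLUSTER_MONITOR
        - CLUSTER_COMPOSITE_OPS_RO
      indices:
        '*':
          '*':
            - READ

    # For users which use kibana, access to indices must be granted separately
    sg_kibana_user:
      readonly: true
      cluster:
        - INDICES_MONITOR
        - CLUSTER_COMPOSITE_OPS
      indices:
        '?kibana':
          '*':
            - MANAGE
            - INDEX
            - READ
            - DELETE
        '?kibana-6':
          '*':
            - MANAGE
            - INDEX
            - READ
            - DELETE
        '*':
          '*':
            - "indices:data/read/field_caps*"

    # For the kibana server
    sg_kibana_server:
      readonly: true
      cluster:
        - CLUSTER_MONITOR
        - CLUSTER_COMPOSITE_OPS
        - "cluster:admin/xpack/monitoring*"
        - "indices:admin/template*"
      indices:
        '?kibana':
          '*':
            - INDICES_ALL
        '?kibana-6':
          '*':
            - INDICES_ALL
        '?reporting*':
          '*':
            - INDICES_ALL
        '?monitoring*':
          '*':
            - INDICES_ALL

    # For logstash and beats
    sg_logstash:
      cluster:
        - CLUSTER_MONITOR
        - CLUSTER_COMPOSITE_OPS
        - "indices:admin/template/get"
        - "indices:admin/template/put"
      indices:
        'logstash-*':
          '*':
            - CRUD
            - CREATE_INDEX
        '*beat*':
          '*':
            - CRUD
            - CREATE_INDEX

    # Allows adding and modifying repositories and creating and restoring snapshots
    sg_manage_snapshots:
      cluster:
        - MANAGE_SNAPSHOTS
      indices:
        '*':
          '*':
            - "indices:data/write/index"
            - "indices:admin/create"

    # Allows each user to access own named index
    sg_own_index:
      cluster:
        - CLUSTER_COMPOSITE_OPS
      indices:
        '${user_name}':
          '*':
            - INDICES_ALL

    ### X-Pack COMPATIBILITY
    sg_xp_monitoring:
      readonly: true
      indices:
        '?monitor*':
          '*':
            - INDICES_ALL

    sg_xp_alerting:
      readonly: true
      cluster:
        - "indices:data/read/scroll"
        - "cluster:admin/xpack/watcher*"
        - "cluster:monitor/xpack/watcher*"
      indices:
        '?watches*':
          '*':
            - INDICES_ALL
        '?watcher-history-*':
          '*':
            - INDICES_ALL
        '?triggered_watches':
          '*':
            - INDICES_ALL
        '*':
          '*':
            - READ
            - "indices:admin/aliases/get"

    sg_xp_machine_learning:
      readonly: true
      cluster:
        - "cluster:admin/persistent*"
        - "cluster:internal/xpack/ml*"
        - "indices:data/read/scroll*"
        - "cluster:admin/xpack/ml*"
        - "cluster:monitor/xpack/ml*"
      indices:
        '*':
          '*':
            - READ
            - "indices:admin/get*"
        '?ml-*':
          '*':
            - "*"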