---
title: Security privileges
tags: Kibana
---

# Security privileges (Kibana)

In Kibana, you can configure these privileges for your role.
[Official documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html)

## cluster privileges

|Parameter|Description|
|--|--|
|`all` | All cluster administration operations, like snapshotting, node shutdown/restart, settings update, rerouting, or managing users and roles. |
|---|---|
|`create_snapshot`|1. create snapshots for existing repositories<br>2. read details on existing repositories and snapshots |
|`monitor_snapshot`| <font color="gray">read details on existing repositories and snapshots</font> |
|---|---|
|`monitor` | All cluster read-only operations:<br>1. cluster health<br>2. node/cluster info/stats<br><font color="pink">3. hot threads</font><br><font color="pink">4. pending cluster tasks.</font>|
|`monitor_transform` |All read-only operations related to <font color="pink">transforms</font> |
|<font color=lightgray>`monitor_ml`</font> |<font color=lightgray>All read-only machine learning operations</font> |
|`monitor_rollup` | All read-only rollup operations:<br>1. viewing the list of historical and currently running rollup jobs and their capabilities.|
|`monitor_watcher` | All read-only watcher operations:<br>1. getting a watch<br>2. watcher stats|
|---|---|
|`manage`|Builds on `monitor` and adds some cluster operations:<br>1. snapshotting<br>2. updating settings<br>3. rerouting<br><font color="red">This setting does not include security management</font> |
|`manage_api_key` |All security-related operations on Elasticsearch API keys:<br>1. creating new API keys<br>2. retrieving information about API keys<br>3. invalidating API keys |
|`manage_ccr` |All **cross-cluster replication** operations related to managing follower indices and auto-follow patterns. This privilege is necessary only on clusters that contain follower indices. |
|`manage_transform` | All operations related to managing transforms.|
|`manage_ilm` | All index lifecycle management operations |
|`manage_index_templates` |All operations on index templates. |
|<font color=lightgray>`manage_ingest_pipelines`</font> |<font color=lightgray>All operations on ingest node pipelines. </font>|
|<font color=lightgray>`manage_ml`</font> |<font color=lightgray>All machine learning operations</font> |
|`manage_own_api_key` |All security-related operations on Elasticsearch API keys that are owned by the current authenticated user |
|<font color=lightgray>`manage_pipeline` </font>|<font color=lightgray>All operations on ingest pipelines. </font>|
|`manage_rollup` |All rollup operations |
|<font color=lightgray>`manage_saml`</font>|<font color=lightgray>Enables the use of internal Elasticsearch APIs to initiate and manage SAML authentication on behalf of other users.</font> |
|`manage_security` |All security-related operations such as CRUD operations on users and roles and cache clearing. |
|`manage_token` |All security-related operations on tokens that are generated by the Elasticsearch Token Service. |
|`manage_watcher` |All watcher operations, such as putting watches, executing, activating or acknowledging.|
|---|---|
|`read_ccr` |All read-only cross-cluster replication operations |
|`read_ilm` |All read-only index lifecycle management operations |
|`transport_client` |All privileges necessary for a transport client to connect. |

## indices privileges

|Parameter|Description|
|--|--|
|`all` | All actions on an index. |
|---|---|
|`create`|- Privilege to index documents.<br>- Grants access to the update mapping action.<br>This privilege does not restrict the index operation to the creation of documents but instead **restricts API use to the index API**. The index API **allows** a user to overwrite a previously indexed document. See the `create_doc` privilege for an alternative.|
|`create_doc` |- Privilege to index documents.<br>- Grants access to the update mapping action.<br>- However, it does not enable a user to update existing documents.|
|`create_index` |- Privilege to create an index.<br>- The request requires the **manage privilege as well**, on both the index and the aliases names.|
|`delete` | Privilege to delete documents. |
|`delete_index` |Privilege to delete an index. |
|`index` |Privilege to index and update documents. Also grants access to the update mapping action. |
|--|--|
|`manage` |All monitor privileges plus index administration |
|`manage_follow_index` |All actions that are required to manage the lifecycle of a follower index, |
|`manage_ilm` |All index lifecycle management operations relating to managing the execution of policies of an index |
|`manage_leader_index` |- All actions that are required to manage the lifecycle of a leader index, which includes forgetting a follower.<br>- This privilege is necessary only on clusters that contain leader indices.|
|`monitor` |All actions that are required for monitoring |
|--|--|
|`read` |Read-only access to actions|
|`read_cross_cluster` |Read-only access to the search action from a remote cluster.|
|`view_index_metadata` |Read-only access to index metadata |
|`write` |Privilege to perform all write operations to documents|
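
The tables above matter most when reviewing a role for least privilege, for example checking that a log-shipping role is append-only (`create_doc`) rather than able to overwrite documents (`create`, `index`, `write`). The following is an added example, not part of the original page or of Elastic's code: a small auditor over role bodies shaped like the Elasticsearch role API (`cluster`, `indices[].names`, `indices[].privileges`). The role names, index pattern and the grouping into risk sets are assumptions made for illustration.

```python
# Added example: audit role bodies against the privilege tables on this page.
# Role names and index patterns below are constructed sample data.

# Cluster privileges the table describes as covering security-related operations.
SECURITY_ADMIN = {"all", "manage_security", "manage_api_key", "manage_token"}
# Index privileges that can change or remove documents that already exist.
CAN_MODIFY_DOCS = {"all", "write", "index", "create", "delete"}
# Index privileges that administer or remove the index itself.
CAN_ADMIN_INDEX = {"all", "manage", "delete_index"}


def audit_role(name, role):
    """Return sorted (role, scope, privilege, reason) findings for one role body."""
    findings = []
    for priv in role.get("cluster", []):
        if priv in SECURITY_ADMIN:
            findings.append((name, "cluster", priv, "security administration"))
    for entry in role.get("indices", []):
        for pattern in entry.get("names", []):
            for priv in entry.get("privileges", []):
                if priv in CAN_MODIFY_DOCS:
                    findings.append((name, pattern, priv,
                                     "can change or remove existing documents"))
                if priv in CAN_ADMIN_INDEX:
                    findings.append((name, pattern, priv, "index administration"))
    return sorted(findings)


# Constructed roles: the same log shipper, once over-privileged, once tightened.
ROLES = {
    "log_shipper_broad": {
        "cluster": ["monitor", "manage_security"],
        "indices": [{"names": ["logs-*"], "privileges": ["create", "create_index"]}],
    },
    "log_shipper_tight": {
        "cluster": ["monitor"],
        "indices": [{"names": ["logs-*"], "privileges": ["create_doc", "create_index"]}],
    },
}


def audit_all(roles):
    """Audit every role and return one flat list of findings."""
    return [f for name in sorted(roles) for f in audit_role(name, roles[name])]


if __name__ == "__main__":
    for finding in audit_all(ROLES):
        print(finding)
```

The cluster-level `manage` privilege is deliberately not in `SECURITY_ADMIN`, matching the table's note that it does not include security management.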