RBAC & User Management
Context
Elasticsearch is an indexing database. To follow the best security practices, ESaaS comes with builtin roles to limit by default the privileges.
Use Case
- Query data using the API
- Query data using Kibana
- Index data using the API
- Create or Update Dashboards
- Provide read only access to dashboards
What to do ?
Nothing, the feature is enabled by default.
To update you right:
If you are owner of the service, with AAD groups.
- go on azure portal
- Search for "Azure Active Directory", and select it
- Search for esaas-
<instance_name>-<group type>in "Groups" section - Then add your users
If you don't have AAD groups:
- Open a request in postit, asking for tdp-esaas escalation, and providing the list of the users and their rights.
Description
built-in roles
The following table describes the built-in roles and their permissions :
| Role | Cluster permissions | Index permissions | Tenant/Kibana permissions |
|---|---|---|---|
<instance_name>-reader-role | cluster_composite_ops_ro | get, read and search on <instance_name>* index pattern | kibana_all_read |
<instance_name>-writer_role | cluster_composite_ops | indices_all on <instance_name>* index pattern | kibana_all_write ` |
Cluster-level permission
| Name | Description |
|---|---|
| cluster_all | Grants all cluster permissions. Equates to cluster:*. |
| cluster_monitor | Grants all cluster monitoring permissions. Equates to cluster:monitor/*. |
| cluster_composite_ops_ro | Grants read-only permissions to execute requests like mget, msearch, or mtv, plus permissions to query for aliases. |
| cluster_composite_ops | Same as CLUSTER_COMPOSITE_OPS_RO, but also grants bulk permissions and all aliases permissions. |
| manage_snapshots | Grants permissions to manage snapshots and repositories. |
Index-level permission
| Name | Description |
|---|---|
| indices_all | Grants all permissions on the index. Equates to indices:*. |
| get | Grants permissions to use get and mget actions only. |
| read | Grants read permissions such as search, get field mappings, get, and mget. |
| write | Grants permissions to create and update documents within existing indices. To create new indices, see CREATE_INDEX. |
| delete | Grants permissions to delete documents. |
| crud | Combines the READ, WRITE and DELETE action groups. |
| search | Grants permissions to search documents. Includes SUGGEST. |
| suggest | Grants permissions to use the suggest API. Included in the READ action group. |
| create_index | Grants permissions to create indices and mappings. |
| indices_monitor | Grants permissions to execute all index monitoring actions (e.g. recovery, segments info, index stats, and status). |
| manage_aliases | Grants permissions to manage aliases. |
| manage | Grants all monitoring and administration permissions for indices. |
HOWTO
Manage users by your own
The creation, edition and modification of the roles are managed by ESaas team. The assignment of a user to an existing role is managed by the owner of the service on your side, if the AAD group feature have been asked.
To enable the User management feature:
- please list tenant is relevant. Feel free to consult the multi-tenancy doc
- then, raise a Postit ticket, asking for a tdp-esaas escalation, and precising you want to manage users with AAD groups.
Have full admin access on your cluster
This feature is not supported yet.
Next steps
- Discover the multi tenancy feature here