superuser role grants access to everything and the role itself does not use document and field level security.
I think this is the key point, thank you for explaining that!
Could you please clarify when a role becomes a superuser role?
POST /_xpack/security/role/root
{
  "cluster": ["all"], // (1)
  "indices": [
    {
      "names": [
        "*" // (2)
      ],
      "privileges": [
        "all" // (3)
      ],
      "query": """
        {
          "template": {
            "inline": "{ \"bool\" : { \"should\": [{ \"terms\": { \"user.roles.keyword\": {{#toJson}}_user.roles{{/toJson}} } }, { \"match\": { \"user.username.keyword\": \"{{_user.username}}\" } }] } }"
          }
        }
      """
    }
  ],
  "run_as": ["*"], // (4)
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
(1) does not make the role a superuser
(3) for a single index (e.g. "names":["test"]) and for all indices (as above) - does not make the role a superuser-role
(4) does not make the role a superuser
Update request:
POST http://localhost:9200/test/t/1009/_update
{"doc":{"random": "111"}}
Response:
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "Can't execute an update request if field or document level security is enabled"
      }
    ],
    "type": "security_exception",
    "reason": "Can't execute an update request if field or document level security is enabled"
  },
  "status": 400
}
Log:
[2017-02-08T08:13:06,883][DEBUG][o.e.x.s.a.l.LdapRealm ] [host] authenticated user [sguy], with roles [[Domain Admins, Denied RODC Password Replication Group, root, Domain Users, Administrators, sales]]
So, how can a role be made a superuser role for a particular index?
Thank you!
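
An added example, not part of the original post and not Elastic's code: a small audit that lists which index-privilege entries in a user's roles carry a `query` (document level security) or `field_security` (field level security) for a given index, the condition named in the error above. The role names `root` and `sales` come from the log line; the role bodies are constructed, and index patterns are assumed to use only simple `*` wildcards.

```python
from fnmatch import fnmatchcase

# Constructed role definitions in the shape of the role API body in the post.
ROLES = {
    "root": {
        "cluster": ["all"],
        "indices": [
            {"names": ["*"], "privileges": ["all"],
             # Any non-empty query turns on document level security (DLS).
             "query": '{"match": {"user.username.keyword": "sguy"}}'},
        ],
    },
    "sales": {
        "indices": [
            # field_security turns on field level security (FLS).
            {"names": ["sales-*"], "privileges": ["read"],
             "field_security": {"grant": ["title", "amount"]}},
            {"names": ["test"], "privileges": ["all"]},
        ],
    },
}

# Subset of the roles from the log line; roles with no definition are skipped.
USER_ROLES = ["Domain Admins", "root", "Domain Users", "sales"]


def restricted_entries(roles, user_roles, index):
    """Return (role, pattern, kinds) for entries that match `index` and enable DLS/FLS."""
    findings = []
    for role_name in sorted(set(user_roles) & set(roles)):
        for entry in roles[role_name].get("indices", []):
            kinds = []
            if entry.get("query"):
                kinds.append("DLS")
            if entry.get("field_security"):
                kinds.append("FLS")
            if not kinds:
                continue  # plain privilege entry, no DLS/FLS
            for pattern in entry.get("names", []):
                if fnmatchcase(index, pattern):
                    findings.append((role_name, pattern, kinds))
    return findings


if __name__ == "__main__":
    for role, pattern, kinds in restricted_entries(ROLES, USER_ROLES, "test"):
        print(f"role={role} pattern={pattern} enables {'+'.join(kinds)}")
```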