How are "applications" supposed to be used in context of the create/update application privileges api?

I'm new to Elasticsearch. We have the need for multiple applications to share the same cluster and restrict indices privileges to those owned by that team.

I see the application api to create/update application privileges in the reference doc. The application name, privilege name, action name appear to be any value we want as long as conforming to naming rules, but there is no context offered as to the use case for creating application privileges.

I'm looking for plain language background on the concept of applications and when they should be used. It might not be applicable to my need but still would like to understand how application definitions should be used. I can find no explanation in the doc or with google. Thanks for your help.

Welcome to our community! :smiley:

Can you clarify what you mean by the applications API? A link would be good, so we are on the same page.

Hi Mark thanks for your reply. I tried posting a link initially but the forum page said pastes are not allowed which is frustrating for long hyperlinks.
Here is the api I'm referring to (typing it all in):

Again looking for background context in how this api should be used. Thanks much. -

Thanks for that, to be honest I have never seen it, so let me see if I can find someone that can help :slight_smile:

You don't want application privileges.

For the use case you have, you almost certainly want to have a "user" per application (or perhaps several users) and grant each user a role that restricts them to the relevant indices, through the "indices" section of the role.

As far as application privileges are concerned, from Security privileges | Elasticsearch Guide [7.12] | Elastic

Application privileges are managed within Elasticsearch and can be retrieved with the has privileges API and the get application privileges API. They do not, however, grant access to any actions or resources within Elasticsearch. Their purpose is to enable applications to represent and store their own privilege models within Elasticsearch roles.

Application privileges are a way for applications that are built on top of Elasticsearch to use Elasticsearch's security model to implement access control for resources that exist within that application. You only want to do that if you are building something that is very tightly integrated with Elasticsearch (e.g. Kibana).

1 Like