How to create custom privileges for Elasticsearch x-pack?

Hello everyone,

I'm using ELK stack 6.8, but I want to replace Kibana with my own simple UI, which will fit my case better.

My app should contain user management and restrictions for operations (e.g. some users will be able only to read data from one index, some from all indexes, some to read and write into indexes), so I want to keep X-Pack for Elasticsearch.

I've checked the X-Pack API for Elasticsearch (X-Pack APIs | Elasticsearch Guide [6.8] | Elastic)
and I found that every user role should have a reference to an existing privilege from the privilege API.
While the API is quite clear, the body structure sometimes is not, so I have a question in this regard:

What are all the possible actions values for Elasticsearch? From the doc I can see:

actions
(array-of-string) A list of action names that are granted by this privilege. This field must exist and cannot be an empty array.

I've tried to create my own privilege without any permissions

        "no-priv": {
            "application": "kibana-.kibana",
            "name": "no-priv",
            "actions": [
                "some_dummy_action/"
            ],
            "metadata": {}
        },

and then I tried to make a simple search directly against the Elasticsearch endpoint
http://localhost:9200/my_index/_search

with this role assigned to a new user, but I got the error
action [indices:data/read/search] is unauthorized for user [test_user_no_priv]

So, it is obvious that I have to write "indices:data/read/search" in actions for my custom privilege "no-priv", but where can I find the full list of all possible actions?
In Kibana's default privileges I can see a different list of actions, and probably all of them are managed by X-Pack on Kibana's side, not on Elasticsearch.

In a Role, the Global and Application Privilege parts are for external applications to define, configure and interpret.

For example, a bespoke GUI similar to Kibana may have features like Dashboards. An admin may give access to that Dashboard for some users, but not all. When rendering a GUI page, the GUI application can make Has Privilege API calls to see what parts to render, based on the Application Privileges written into Elasticsearch. Defining, configuring, and interpreting those Application Privileges is external to Elasticsearch.

If you multiplex Application privileges (external GUI) with Index privileges (Elasticsearch) into a single Role, your Application privileges are defined by you, and the Elasticsearch privileges are documented on each Elasticsearch APIs page. I don't think there is a central place to find a mapping of all Elasticsearch privileges to APIs.

To understand the Application Privileges API, you may get more context starting here.

Note, I don't think 6.x is supported. Only 8.x and 7.x are supported. If you create a bespoke GUI, you may want to consider migrating to the latest version of Elasticsearch 8.x first. It is possible the latest Kibana has some features you are looking for, or you can submit enhancement requests.

@Justin_Cranford ok, thanks
I had doubts, but it is more clear now. Also, I found this long read topic related to my question. I guess it can be useful if anyone searches for a similar answer

Btw, my error happened not because of application permissions, but because my test role didn't have the native "read" permission for the index. Those native permissions are described here

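The split described in this thread, as an added example that is not part of the original posts and is not Elasticsearch code: a simplified Python model of how a role's `indices` section decides REST calls such as `_search`, while its `applications` section only matters to the external UI that queries it. The application name `my-ui`, the `dashboards` privilege and its actions are hypothetical, and the index privilege table is a reduced subset.

```python
from fnmatch import fnmatchcase

# Simplified subset of Elasticsearch's built-in index privileges (assumption:
# only the action patterns needed here; the real sets are larger).
INDEX_PRIVILEGES = {
    "read": ["indices:data/read/*"],
    "write": ["indices:data/write/*"],
    "all": ["indices:*"],
}

# Application privileges as stored through the privilege API. Constructed
# sample: "my-ui" and "dashboards" are hypothetical names.
APP_PRIVILEGES = {
    ("my-ui", "no-priv"): ["some_dummy_action/"],
    ("my-ui", "dashboards"): ["dashboard:view", "dashboard:edit"],
}

def index_action_allowed(role, index, action):
    """Model of the check behind a REST call: only 'indices' is consulted."""
    for grant in role.get("indices", []):
        if not any(fnmatchcase(index, name) for name in grant["names"]):
            continue
        for priv in grant["privileges"]:
            if any(fnmatchcase(action, p) for p in INDEX_PRIVILEGES.get(priv, [])):
                return True
    return False

def app_action_allowed(role, application, resource, action):
    """Model of what the UI asks via Has Privilege: only 'applications'."""
    for grant in role.get("applications", []):
        if grant["application"] != application or not any(
                fnmatchcase(resource, r) for r in grant["resources"]):
            continue
        for priv in grant["privileges"]:
            actions = APP_PRIVILEGES.get((application, priv), [])
            if any(fnmatchcase(action, a) for a in actions):
                return True
    return False

# Role as in the question: an application privilege only, no index privileges.
ROLE_NO_PRIV = {"indices": [], "applications": [
    {"application": "my-ui", "privileges": ["no-priv"], "resources": ["*"]}]}

# Corrected role: native "read" on the index, plus a UI-level privilege.
ROLE_READER = {
    "indices": [{"names": ["my_index"], "privileges": ["read"]}],
    "applications": [
        {"application": "my-ui", "privileges": ["dashboards"], "resources": ["*"]}],
}
```

In this model `ROLE_NO_PRIV` is refused `indices:data/read/search` on `my_index` no matter which actions the application privilege lists, which matches the error in the question; `ROLE_READER` passes that check and still cannot write.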