Limit a role and API key privledges

alongaks · June 13, 2023, 2:38pm

Hello,

I have a use case for creating a 'stack maintenance' user that will be called up with Ansible to perform the cluster.routing.allocation.enable action to limit shard allocation before Elasticsearch is stopped and other maintenance tasks completed/run:

curl -k -X PUT https://hostname:9200/_cluster/settings -H 'Content-Type: application/json' -H 'Authorization: ApiKey [encoded]' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'

This works as expected from the standard command line above. I will work on testing it with Ansible.

Question is, can the role assigned/user API key configured Cluster privileges 'cluster:admin/settings/update' be further limited to only allow the assigned role on the user/user's API key the privs to touch only cluster.routing.allocation.enable setting?

Having the privs for cluster:admin/settings/update is still powerful for what will be used as a 'maintenance' account.

Yang_Wang · June 14, 2023, 12:26am

No, currently this is not possible.

alongaks · June 14, 2023, 12:29pm

Ok, thanks for confirming!

system · July 12, 2023, 12:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
401 after updating API Key role descriptors Elasticsearch elastic-stack-security , language-clients	9	854	April 13, 2023
Limit privileges for ElasticSearch Service API Key Elasticsearch elastic-stack-security	1	286	March 8, 2022
[7.15.1] Allow GET _security/user avoiding permission bloat Elasticsearch elastic-stack-security	3	462	January 4, 2022
Manage_security Cluster privilege without role settings Elasticsearch elastic-stack-security	3	1142	October 23, 2019
Use roles instead of ApiKey for Search Applications Elastic Search elastic-app-search	13	68	November 20, 2024

Limit a role and API key privledges

Related topics