Privileges for built-in roles


(Jagrut Sharma) #1

The reference for privileges is here:
https://www.elastic.co/guide/en/x-pack/5.4/security-privileges.html

Built-in roles have privileges that are not in the reference list. For example, here are two built-in roles. The cluster privileges for 'ingest_admin' role are in the reference list, but the 'cluster:admin/xpack/monitoring/bulk' privilege for 'kibana_system' role is not in the reference. Can somebody please explain why this is the case? Is the reference list of security privileges not comprehensive?

Thanks.

"ingest_admin": {
"cluster": [
"manage_index_templates",
"manage_pipeline"
],
"indices": [],
"metadata": {
"_reserved": true
},
"run_as": [],
"transient_metadata": {
"enabled": true
}
},
"kibana_system": {
"cluster": [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices": [
{
"names": [
".kibana*",
".reporting-*"
],
"privileges": [
"all"
]
}
],
"metadata": {
"_reserved": true
},
"run_as": [],
"transient_metadata": {
"enabled": true
}
}


(Tim Vernum) #2

The bulk monitoring privilege is an action name.
It grants access to a specific internal action. In the original releases of shield this was the only supported way to configure role privileges however it is quite fragile as Elasticsearch changes the internal implementation details for actions within minor releases and this has the potential to break action-based roles without warning.

We no longer document or recommend the use of action names within customer managed roles because we don't want customers to end up with (unexpected) broken roles.


(Jagrut Sharma) #3

Thanks for the clarification, Tim. So then, these internal actions are only on the out-of-the-box roles. User-defined roles should have standard privileges from the list provided here (https://www.elastic.co/guide/en/x-pack/5.4/security-privileges.html).


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.