Role privileges issue in elasticserach

stack-security

(B S) #1

Hi,
I have assigned the privilege monitor to a role in elasticserach . As provided in the documentation of elasticsearch the monitor privilege - Can access all cluster read-only operations, like cluster health and settings etc.
The _cluster/settings gets the cluster settings. I want to block the user having monitor privilege from accessing the above API. .
Please let me know how i can block the privilege monitor from accessing the details present inside _cluster/settings.

Thanks in Advance.


(Yogesh Gaikwad) #2

Hi @B123,

Cluster settings (persistent and transient) are queried from the cluster state.
So if you want to block user from having a monitor privilege just on _cluster/settings but have access to cluster state would not be possible.
To block user from accessing cluster state (including cluster/settings) you can create a custom role:

POST /_xpack/security/role/custom_role '{ "cluster": [ "cluster:monitor/task", "cluster:monitor/health", "cluster:monitor/nodes/*", "cluster:monitor/tasks/*", "cluster:monitor/main", "cluster:monitor/stats", "cluster:monitor/allocation/*", "cluster:monitor/remote/*" ] }'

Note it does not have privilege: cluster:monitor/state

Or you could use pre-built role monitoring_user

You will need to see what version of ES you are on and then decide on the privileges list.

Hope this is helpful.

Regards,
Yogesh Gaikwad


(system) closed #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.