What does "restricted indices" means in Security:Has privileges API?

LoadingZhang · June 11, 2019, 11:46am

The document is here.
What does "restricted indices" meas in "allow_restricted_indices" params?

Yogesh_Gaikwad · June 11, 2019, 11:50pm

Restricted indices (currently only .security* ) are special internal indices that require setting the allow_restricted_indices flag on every index permission that covers them. If this flag is false (default) the permission will not cover these and actions against them will not be authorized.

The security index is used by the security module to provide security features for ES.
When you define index privilege you can use allow_restricted_indices flag to authorize the user access to restricted indices.
Hope this helps.

Thanks and Regards,
Yogesh Gaikwad

LoadingZhang · June 12, 2019, 3:27am

Thanks for reply.
I hope we can customize restricted indices in the future.

ikakavas · June 12, 2019, 6:07am

Restricted indices are an internal structure of Elasticsearch and shouldn't affect the way you interact with it. Can you help us understand why you'd want that? How is the current implementation limiting you in any way and what would you like to customize regarding restricted indices?

LoadingZhang · June 13, 2019, 9:07am

For example:
I assign privileges of index_* to role A, but I don't want A to access index_special*.
I can set restricted indices params to do it.

"index" : [
    {
      "names": [ "index_*"],
      "privileges": [ "all" ],
      "restricted_indices": ["index_special*"]
    }
  ]

ikakavas · June 14, 2019, 2:55pm

Hi,

This is not what the parameter allow_restricted_indices is about, and we do not have any plans to change it to fit this use case.

You can , however, fit your use case of

assign privileges of index_* to role A , but I don't want A to access index_special*

with a regular expression and a name pattern of /index_~(special@)/

Yogesh_Gaikwad · June 17, 2019, 3:51am

Hi @LoadingZhang,

What @ikakavas mentioned is true and the pattern used for your use case, Elasticsearch uses Lucene automaton and regex to match the index name pattern that you configure in the role. See documentation for further details: https://lucene.apache.org/core/7_0_1/core/org/apache/lucene/util/automaton/RegExp.html that might help you.

Regards,
Yogesh Gaikwad

LoadingZhang · June 20, 2019, 3:03am

Thanks @Yogesh_Gaikwad @ikakavas.
I will try the way to exclude indices first(though a little troublesome).

system · July 18, 2019, 3:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.