What does "restricted indices" mean in the Security: Has privileges API?

The document is here.
What does "restricted indices" mean in the "allow_restricted_indices" param?

Hi @LoadingZhang,

Restricted indices (currently only .security*) are special internal indices that require setting the allow_restricted_indices flag on every index permission that covers them. If this flag is false (default) the permission will not cover these and actions against them will not be authorized.

The security index is used by the security module to provide security features for ES.
When you define an index privilege, you can use the allow_restricted_indices flag to authorize the user to access restricted indices.
Hope this helps.

Thanks and Regards,
Yogesh Gaikwad

Thanks for the reply.
I hope we can customize restricted indices in the future.

Restricted indices are an internal structure of Elasticsearch and shouldn't affect the way you interact with it. Can you help us understand why you'd want that? How is the current implementation limiting you in any way and what would you like to customize regarding restricted indices?

For example:
I assign privileges of index_* to role A, but I don't want A to access index_special*.
I can set restricted indices params to do it.

"index" : [
    {
      "names": [ "index_*"],
      "privileges": [ "all" ],
      "restricted_indices": ["index_special*"]
    }
  ]

Hi,

This is not what the parameter allow_restricted_indices is about, and we do not have any plans to change it to fit this use case.

You can, however, fit your use case of

assign privileges of index_* to role A, but I don't want A to access index_special*

with a regular expression and a name pattern of /index_~(special@)/

Hi @LoadingZhang,

What @ikakavas mentioned is true, and that is the pattern to use for your use case. Elasticsearch uses Lucene automaton and regex to match the index name pattern that you configure in the role. See the documentation for further details, which might help you: https://lucene.apache.org/core/7_0_1/core/org/apache/lucene/util/automaton/RegExp.html

Regards,
Yogesh Gaikwad
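
The role definition suggested in the replies above, written out as an added example that is not part of the original thread or of Elastic's documentation. The role name `role_a`, the sample index names, and the 7.x-style `_security` endpoint path are assumptions.

```console
# Role A: a name wrapped in /.../ is treated as a Lucene regular expression.
# "~(special@)" is the complement of "special" followed by any string, so the
# pattern covers index_* but not index_special*.
# allow_restricted_indices stays at its default (false): it only concerns the
# internal .security* indices and plays no part in this exclusion.
PUT /_security/role/role_a
{
  "indices": [
    {
      "names": [ "/index_~(special@)/" ],
      "privileges": [ "all" ],
      "allow_restricted_indices": false
    }
  ]
}

# Check the result with the Has privileges API while authenticated as a user
# that holds only role_a. Both index names are constructed samples.
GET /_security/user/_has_privileges
{
  "index": [
    {
      "names": [ "index_logs", "index_special_1" ],
      "privileges": [ "read" ]
    }
  ]
}
```

If the pattern behaves as described in the reply, the response should report `read` as granted on `index_logs` and not granted on `index_special_1`.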

Thanks @Yogesh_Gaikwad @ikakavas.
I will try the way to exclude indices first (though a little troublesome).
