The document is here.
What does "restricted indices" mean in "allow_restricted_indices" params?
Hi @LoadingZhang,
Restricted indices (currently only .security*) are special internal indices that require setting the allow_restricted_indices flag on every index permission that covers them. If this flag is false (default) the permission will not cover these and actions against them will not be authorized.
The security index is used by the security module to provide security features for ES.
When you define an index privilege you can use the allow_restricted_indices flag to authorize the user's access to restricted indices.
Hope this helps.
Thanks and Regards,
Yogesh Gaikwad
Thanks for the reply.
I hope we can customize restricted indices in the future.
Restricted indices are an internal structure of Elasticsearch and shouldn't affect the way you interact with it. Can you help us understand why you'd want that? How is the current implementation limiting you in any way and what would you like to customize regarding restricted indices?
For example:
I assign privileges of index_* to role A, but I don't want A to access index_special*.
I can set restricted indices params to do it.
"index" : [
  {
    "names": [ "index_*" ],
    "privileges": [ "all" ],
    "restricted_indices": [ "index_special*" ]
  }
]
Hi,
This is not what the parameter allow_restricted_indices is about, and we do not have any plans to change it to fit this use case.
You can, however, fit your use case of "assign privileges of index_* to role A, but I don't want A to access index_special*" with a regular expression and a name pattern of /index_~(special@)/
Hi @LoadingZhang,
What @ikakavas mentioned is true and the pattern can be used for your use case. Elasticsearch uses Lucene automaton and regex to match the index name pattern that you configure in the role. See the documentation for further details, which might help you: https://lucene.apache.org/core/7_0_1/core/org/apache/lucene/util/automaton/RegExp.html
Regards,
Yogesh Gaikwad
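An added example, not from the thread or from Elasticsearch's own code: a small Python model of the two behaviours discussed above, so the coverage of a role's name patterns can be checked against sample index names. The Python regex is a hand translation of the Lucene pattern /index_~(special@)/ (`~` is complement, `@` is any string); the `covers` helper, the role dicts and the index names are constructed for illustration.

```python
import re

# From the thread: restricted indices are currently only .security*
RESTRICTED_PATTERN = ".security*"

# Assumption: hand translation of the thread's Lucene pattern into Python.
# "index_" followed by any string that does not start with "special".
LUCENE_TO_PYTHON = {"/index_~(special@)/": r"index_(?!special).*"}


def name_matches(pattern: str, index: str) -> bool:
    """Match an index name against a wildcard or /regex/ name pattern."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        py_regex = LUCENE_TO_PYTHON[pattern]  # only the thread's pattern is modelled
    else:
        # Simple wildcard: '*' matches any run of characters.
        py_regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(py_regex, index, re.DOTALL) is not None


def covers(permission: dict, index: str) -> bool:
    """True if this index permission covers the given index name."""
    if not any(name_matches(p, index) for p in permission["names"]):
        return False
    if name_matches(RESTRICTED_PATTERN, index):
        # Restricted indices are covered only when the flag is set (default false).
        return permission.get("allow_restricted_indices", False)
    return True


# Constructed role permissions and index names.
wildcard_role = {"names": ["index_*"], "privileges": ["all"]}
regex_role = {"names": ["/index_~(special@)/"], "privileges": ["all"]}
star_role = {"names": ["*"], "privileges": ["all"]}
star_restricted_role = {"names": ["*"], "privileges": ["all"],
                        "allow_restricted_indices": True}

if __name__ == "__main__":
    for idx in ["index_logs", "index_special_2020", "index_spec", ".security-7"]:
        print(idx,
              "wildcard:", covers(wildcard_role, idx),
              "regex:", covers(regex_role, idx),
              "star:", covers(star_role, idx),
              "star+flag:", covers(star_restricted_role, idx))
```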
Thanks @Yogesh_Gaikwad @ikakavas.
I will try the way to exclude indices first (though a little troublesome).