EraSearch has role-based access control (RBAC) to let you manage users, roles, and permissions. This page gives a high-level overview of EraSearch's RBAC approach.
The content below is intended for self-hosted EraSearch users looking for conceptual information about EraSearch RBAC. If you're ready to set up and start working with RBAC, visit Setting up RBAC.
RBAC overview
In EraSearch's RBAC approach:
- Actors are assigned to roles
- Roles have one or more permissions
- Actors gain permissions by being part of roles
The diagram below shows an example of how EraSearch RBAC works in practice.
In this example, there are two actors: a user and an API key. The user has two roles: Admin user and Limited writer. Through those roles, the user has the permissions to manage security across the database and write data to specific indexes.
The API key has one role – Limited writer – which lets the tool or agent using the API key write to specific indexes.
RBAC terms
Now that you have a high-level view, here are some more formal definitions of EraSearch's RBAC terms.
actor
There are two kinds of actors in EraSearch: users and API keys. An RBAC user is someone whose identity has been authenticated by a third party. In EraSearch, users can have zero or more roles.
Tools and agents that cannot prove their identity (for example, Telegraf and Logstash) use API keys to work with EraSearch. API keys can have zero or one role.
permission
A permission is something you can do in EraSearch, and it's defined by its resource, action, and scope.
EraSearch uses this syntax to express permissions: resource:action:scope.
Resource is the level at which a permission acts. EraSearch has two resources: index and database. Actors with index resource permissions can do things in one or more specific indexes. Actors with database resource permissions can do things impacting the entire database.
Actions map to specific endpoints in the EraSearch API.
For the index resource, the available actions are read, write, and delete.
For the database resource, the available actions are manage security and monitor.
Scopes are for index resource permissions only, and they limit where actors can do things. For example:
- This permission lets actors write to all indexes:
index:write:*
- This permission lets actors write to indexes starting with finance-:
index:write:finance-*
role
A role has one permission or a set of permissions, and roles are assigned to actors.
Users with manage security permissions can create custom roles with one or more permissions.
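As an added example (not EraSearch's own code), here is a small Python evaluator for the actor, role and permission model described in the permission and role sections above. It assumes that database permissions are written without a scope segment (for example database:monitor) and that index scopes are glob patterns in which * matches any run of characters; the role and actor names are constructed from the diagram example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional
INDEX_ACTIONS = {"read", "write", "delete"}
DATABASE_ACTIONS = {"manage security", "monitor"}


@dataclass(frozen=True)
class Permission:
    resource: str
    action: str
    scope: Optional[str] = None  # only index permissions carry a scope


def parse_permission(text: str) -> Permission:
    """Parse 'index:write:finance-*' or (assumed form) 'database:monitor'."""
    parts = text.split(":")
    if parts[0] == "index" and len(parts) == 3 and parts[1] in INDEX_ACTIONS:
        return Permission("index", parts[1], parts[2])
    if parts[0] == "database" and len(parts) == 2 and parts[1] in DATABASE_ACTIONS:
        return Permission("database", parts[1])
    raise ValueError(f"malformed permission: {text!r}")


@dataclass
class Actor:
    kind: str         # "user" or "api_key"
    roles: List[str]

    def __post_init__(self):
        # Users hold zero or more roles; an API key holds zero or one.
        if self.kind == "api_key" and len(self.roles) > 1:
            raise ValueError("an API key may hold at most one role")


def is_allowed(actor, roles, resource, action, index=None):
    """True if any permission in any of the actor's roles grants the request."""
    if resource == "index" and index is None:
        raise ValueError("index permissions are checked against a named index")
    for role in actor.roles:
        for perm in map(parse_permission, roles[role]):
            if perm.resource != resource or perm.action != action:
                continue
            # Database permissions are unscoped; index scopes are glob patterns.
            if resource == "database" or fnmatchcase(index, perm.scope):
                return True
    return False


# Constructed roles and actors mirroring the page's diagram example.
ROLES = {"Admin user": ["database:manage security"],
         "Limited writer": ["index:write:finance-*"]}
USER = Actor("user", ["Admin user", "Limited writer"])
API_KEY = Actor("api_key", ["Limited writer"])
```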
How permissions map to endpoints
The table below lists permissions and how they map to EraSearch's API endpoints:
| Resource | Action | API endpoint |
|---|---|---|
| Index | Read | GET /_alias |
| | | GET /_alias/{:aliases} |
| | | GET /_all/_alias |
| | | GET /_all/_aliases |
| | | GET /_cat/indices/{:index} |
| | | GET /_msearch |
| | | GET /_search/scroll |
| | | GET /{:index}/_alias |
| | | GET /{:index}/_aliases |
| | | GET /{:index}/_count |
| | | GET /{:index}/_flush |
| | | GET /{:index}/_mapping |
| | | GET /{:index}/_msearch |
| | | GET /{:index}/_search |
| | | GET /{:index}/_search/scroll |
| | | GET /{:index}/_settings |
| | | GET /{:index}/_stats |
| | | GET /{:index}/_stats/{:stats} |
| | | GET /{:index}/{:type}/_count |
| | | GET /{:index}/{:type}/_search |
| | | HEAD /_alias/{:aliases} |
| | | HEAD /_template/{:index} |
| | | HEAD /{:index} |
| | | POST /_msearch |
| | | POST /_search/scroll |
| | | POST /{:index}/_count |
| | | POST /{:index}/_msearch |
| | | POST /{:index}/_search |
| | | POST /{:index}/_search/scroll |
| | | POST /{:index}/{:type}/_count |
| | | POST /{:index}/{:type}/_search |
| | Write | POST /_aliases |
| | | POST /_bulk |
| | | POST /{:index}/_bulk |
| | | POST /{:index}/_flush |
| | | PUT /_template/{:index} |
| | | PUT /{:index} |
| | | PUT /{:index}/_mapping |
| | Delete | DELETE /{:index} |
| Database | Manage security | GET /api_keys |
| | | POST /api_keys |
| | | DELETE /api_keys/{id} |
| | | GET /role_mappings |
| | | POST /role_mappings |
| | | PUT /role_mappings |
| | | GET /roles |
| | | POST /roles |
| | | DELETE /roles/{roleId} |
| | | GET /roles/{roleId} |
| | | PUT /roles/{roleId} |
| | Monitor | GET /_cat/indices |
| | | GET /_cat/nodes |
| | | GET /_cluster/health/* |
| | | GET /_cluster/settings |
| | | GET /_cluster/state/metadata/* |
| | | GET /_xpack |
Next
To get started with EraSearch RBAC, visit Setting up RBAC, Using RBAC with Grafana and Azure AD, and Giving RBAC write permissions to tools. For more background information on EraSearch's RBAC approach, visit these articles: