forked from dotSlashLu/search-guard
-
Notifications
You must be signed in to change notification settings - Fork 0
/
searchguard_config_example_1.yml
83 lines (71 loc) · 3.35 KB
/
searchguard_config_example_1.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
### Example 1
# No SSL/TLS at all
# No XFF
# SettingsBasedAuthenticationBackend with caching enabled
# SettingsBasedAuthorizator with caching enabled
# HTTPBasicAuthenticator with sessions turned off
# three sample users: spock, admin, michaeljackson with simple plaintext passwords and some roles
# one simple readonly actionrequestfilter
#####################################################
# Settings based authentication (define users and password directly here in the settings. Note: this is per node)
searchguard.authentication.settingsdb.user.spock: vulcan
searchguard.authentication.settingsdb.user.admin: secret
searchguard.authentication.settingsdb.user.michaeljackson: neverland
#####################################################
#####################################################
# Settings based authorization (define users and their roles directly here in the settings. Note: this is per node)
searchguard.authentication.authorization.settingsdb.roles.spock: ["kolinahr","starfleet","command"]
searchguard.authentication.authorization.settingsdb.roles.admin: ["root"]
searchguard.authentication.authorization.settingsdb.roles.michaeljackson: ["kingofpop","superstar"]
#####################################################
#############################################################################################
#Below here you configure what authenticated and authorized users are allowed to do (or not)#
#This maps to the acl defined in the searchguard configuration index #
#############################################################################################
# Configure the actionrequestfilter to allow or forbid action
searchguard.actionrequestfilter.names: ["readonly"]
searchguard.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "*monitor*"]
searchguard.actionrequestfilter.readonly.forbidden_actions: ["cluster:*", "indices:admin*"]
curl -XPUT 'http://localhost:9200/searchguard/ac/ac?pretty' -d '
{"acl": [
{
"__Comment__": "Default is to execute all filters",
"filters_bypass": [],
"filters_execute": ["*"]
},
{
"__Comment__": "Any authenticated user do anything on the 'public' index - no filter will be executed",
"indices": ["public"],
"filters_bypass": ["*"],
"filters_execute": []
},
{
"__Comment__": "This means any user with the role starfleet or command can do anything with the starfleetinfos index",
"roles" : ["starfleet", "command"],
"indices": ["starfleetinfos"],
"filters_bypass": ["*"],
"filters_execute": []
},
{
"__Comment__": "This means that every requestor (regardless of the requestors hostname and username) which has the root role can do anything",
"roles": [
"root"
],
"filters_bypass": ["*"],
"filters_execute": []
},
{
"__Comment__": "This means that the user michaeljackson can do anything on index popstuff.",
"users": ["michaeljackson"],
"indices": ["popstuff"],
"filters_bypass": ["*"],
"filters_execute": []
},
{
"__Comment__": "This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other",
"users": ["spock"],
"indices": ["popstuff"],
"filters_bypass": [],
"filters_execute": ["actionrequestfilter.readonly"]
}
]}'