Document level security
Document level security restricts the documents that users have read access to. In particular, it restricts which documents can be accessed from document-based read APIs.
To enable document level security, specify a query that matches all the documents each role can access. The document query is associated with a particular data stream, index, or wildcard (*) pattern and operates in conjunction with the privileges specified for the data streams and indices.
The specified document query
- expects the same format as if it were defined in the search request
- supports templated role queries, which can access details about the currently authenticated user
- accepts queries written as string values or as nested JSON
- supports most of the Elasticsearch query Domain Specific Language (DSL), with a few limitations for field- and document-level security
Omitting the query parameter entirely disables document level security for the respective indices permission entry.
The following role definition grants read access only to documents that belong to the click category within all the events-* data streams and indices:
Python:

    resp = client.security.put_role(
        name="click_role",
        indices=[
            {
                "names": ["events-*"],
                "privileges": ["read"],
                "query": "{\"match\": {\"category\": \"click\"}}",
            }
        ],
    )
    print(resp)

JavaScript:

    const response = await client.security.putRole({
      name: "click_role",
      indices: [
        {
          names: ["events-*"],
          privileges: ["read"],
          query: '{"match": {"category": "click"}}',
        },
      ],
    });
    console.log(response);

Console:

    POST /_security/role/click_role
    {
      "indices": [
        {
          "names": [ "events-*" ],
          "privileges": [ "read" ],
          "query": "{\"match\": {\"category\": \"click\"}}"
        }
      ]
    }
The same query can also be written using the nested JSON syntax:
Python:

    resp = client.security.put_role(
        name="click_role",
        indices=[
            {
                "names": ["events-*"],
                "privileges": ["read"],
                "query": {"match": {"category": "click"}},
            }
        ],
    )
    print(resp)

JavaScript:

    const response = await client.security.putRole({
      name: "click_role",
      indices: [
        {
          names: ["events-*"],
          privileges: ["read"],
          query: {
            match: {
              category: "click",
            },
          },
        },
      ],
    });
    console.log(response);

Console:

    POST _security/role/click_role
    {
      "indices": [
        {
          "names": [ "events-*" ],
          "privileges": [ "read" ],
          "query": {
            "match": { "category": "click" }
          }
        }
      ]
    }
The following role grants read access only to documents whose department_id equals 12:
Python:

    resp = client.security.put_role(
        name="dept_role",
        indices=[
            {
                "names": ["*"],
                "privileges": ["read"],
                "query": {"term": {"department_id": 12}},
            }
        ],
    )
    print(resp)

JavaScript:

    const response = await client.security.putRole({
      name: "dept_role",
      indices: [
        {
          names: ["*"],
          privileges: ["read"],
          query: {
            term: {
              department_id: 12,
            },
          },
        },
      ],
    });
    console.log(response);

Console:

    POST /_security/role/dept_role
    {
      "indices" : [
        {
          "names" : [ "*" ],
          "privileges" : [ "read" ],
          "query" : {
            "term" : { "department_id" : 12 }
          }
        }
      ]
    }
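A local dry-run of the role definitions above, added here as an example; it is not part of the original page or of the Elasticsearch project's own code. It builds the indices entries from the page (the click_role query as a string, the dept_role query as nested JSON, and a third entry with the query omitted) and evaluates them over a few constructed documents to show which documents each privilege entry would expose through a read API. The term/match evaluator, the fnmatch handling of the names patterns and the sample documents are simplifying assumptions, not Elasticsearch's real query analysis, so the script is only a sanity check of a query's intent before the role is stored with the real put_role call.

```python
import fnmatch
import json
from typing import Any, Dict, Iterable, List, Optional, Union

# A DLS query may be given as a JSON string or as nested JSON (a dict).
Query = Union[str, Dict[str, Any]]


def build_indices_entry(names: Iterable[str], privileges: Iterable[str],
                        query: Optional[Query] = None) -> Dict[str, Any]:
    """Build one element of a role's "indices" array, as sent to the role API.

    The string form of the query is parsed here so that a malformed query string
    is rejected locally instead of being stored in a role (it must be a single
    query clause object such as {"term": {...}}). Omitting `query` leaves the
    entry without document level security.
    """
    entry: Dict[str, Any] = {"names": list(names), "privileges": list(privileges)}
    if query is not None:
        parsed = json.loads(query) if isinstance(query, str) else query
        if not isinstance(parsed, dict) or len(parsed) != 1:
            raise ValueError("DLS query must be a single query clause object")
        entry["query"] = query  # keep the chosen form; the API accepts both
    return entry


def query_matches(query: Query, doc: Dict[str, Any]) -> bool:
    """Evaluate a DLS query clause against one document, locally.

    Simplification (an assumption, not Elasticsearch's analyzer): only the two
    clause types used on the page are handled. "term" is an exact comparison;
    "match" compares whitespace-split, lower-cased tokens.
    """
    clause = json.loads(query) if isinstance(query, str) else query
    if len(clause) != 1:
        raise ValueError("expected a single query clause")
    (kind, body), = clause.items()
    (field, wanted), = body.items()
    if field not in doc:
        return False
    if kind == "term":
        return doc[field] == wanted
    if kind == "match":
        doc_tokens = set(str(doc[field]).lower().split())
        return any(tok in doc_tokens for tok in str(wanted).lower().split())
    raise ValueError(f"clause type {kind!r} not supported by this local evaluator")


def readable_docs(entry: Dict[str, Any], docs: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Simulate what a document-based read API would return under this entry.

    A document is readable only if its index matches one of the entry's name
    patterns AND, when a query is present, the DLS query matches the document.
    """
    names = entry["names"]
    query = entry.get("query")
    out: List[Dict[str, Any]] = []
    for doc in docs:
        if not any(fnmatch.fnmatchcase(doc["_index"], pat) for pat in names):
            continue
        if query is not None and not query_matches(query, doc):
            continue
        out.append(doc)
    return out


# Constructed sample documents (not from the original page).
SAMPLE_DOCS = [
    {"_index": "events-2024.05", "category": "click", "department_id": 12, "user": "ann"},
    {"_index": "events-2024.05", "category": "view", "department_id": 12, "user": "bob"},
    {"_index": "events-2024.06", "category": "click", "department_id": 7, "user": "cid"},
    {"_index": "orders-2024.06", "category": "click", "department_id": 12, "user": "dee"},
]

# The two roles from the page: click_role with a string query, dept_role with nested JSON.
CLICK_ROLE_ENTRY = build_indices_entry(["events-*"], ["read"], '{"match": {"category": "click"}}')
DEPT_ROLE_ENTRY = build_indices_entry(["*"], ["read"], {"term": {"department_id": 12}})
# The same indices privilege with the query omitted: no document level security.
UNRESTRICTED_ENTRY = build_indices_entry(["events-*"], ["read"])


def visible_users(entry: Dict[str, Any]) -> List[str]:
    """The "user" field of each sample document readable under `entry`."""
    return [d["user"] for d in readable_docs(entry, SAMPLE_DOCS)]


if __name__ == "__main__":
    for label, entry in [("click_role", CLICK_ROLE_ENTRY),
                         ("dept_role", DEPT_ROLE_ENTRY),
                         ("no query", UNRESTRICTED_ENTRY)]:
        print(f"{label:10s} -> {visible_users(entry)}")
```

Running the script shows click_role exposing only the click documents inside events-* (the orders-* click document stays hidden because the names pattern, not the query, excludes it), dept_role exposing every department 12 document across all indices, and the entry without a query exposing everything in events-*. Parsing the string form up front also catches a typo in the escaped JSON before it is stored in a role.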