批量创建或更新角色 API
编辑批量创建或更新角色 API
编辑在原生领域中批量添加和更新角色。
请求
编辑POST /_security/role/
先决条件
编辑- 要使用此 API,您必须至少拥有
manage_security集群权限。
请求主体
编辑以下参数可以在 POST 请求的主体中指定,并与添加一组角色相关
-
roles - (对象)要添加为角色名称到角色映射的角色。
-
<角色名称>(必需) - (字符串)角色名称。
-
applications -
(列表)应用程序权限条目的列表。
-
application(必需) - (字符串)此条目适用的应用程序的名称。
-
privileges - (列表)字符串列表,其中每个元素都是应用程序权限或操作的名称。
-
resources - (列表)应用权限的资源列表。
-
-
cluster - (列表)集群权限列表。这些权限定义了具有此角色的用户能够执行的集群级别操作。
-
global - (对象)定义全局权限的对象。全局权限是请求感知的集群权限形式。目前,全局权限的支持仅限于应用程序权限的管理。
-
indices -
(列表)索引权限条目的列表。
-
field_security - (对象)角色所有者具有读取访问权限的文档字段。有关更多信息,请参阅设置字段和文档级别安全性。
-
names(必需) - (列表)此条目中的权限适用的索引(或索引名称模式)列表。
-
privileges(必需) - (列表)角色所有者在指定索引上拥有的索引级别权限。
-
query - 一个搜索查询,定义了角色所有者具有读取访问权限的文档。指定索引中的文档必须与此查询匹配,角色所有者才能访问该文档。
-
-
metadata - (对象)可选的元数据。在
metadata对象中,以_开头的键保留给系统使用。 -
run_as - (列表)此角色的所有者可以模拟的用户列表。有关更多信息,请参阅代表其他用户提交请求。
-
remote_indices -
(列表)远程索引权限条目的列表。
远程索引对于使用基于 API 密钥的模型配置的远程集群有效。它们对于使用基于证书的模型配置的远程集群无效。
-
clusters(必需) - (列表)此条目中的权限适用的集群别名列表。
-
field_security - (对象)角色所有者具有读取访问权限的文档字段。有关更多信息,请参阅设置字段和文档级别安全性。
-
names(必需) - (列表)远程集群(使用
clusters指定)上此条目中的权限适用的索引(或索引名称模式)列表。 -
privileges(必需) - (列表)角色所有者在指定索引上拥有的索引级别权限。
-
query - 一个搜索查询,定义了角色所有者具有读取访问权限的文档。指定索引中的文档必须与此查询匹配,角色所有者才能访问该文档。
-
-
remote_cluster -
(列表)远程集群权限条目的列表。
远程集群权限对于使用基于 API 密钥的模型配置的远程集群有效。它们对于使用基于证书的模型配置的远程集群无效。
-
clusters(必需) - (列表)此条目中的权限适用的集群别名列表。
-
privileges(必需) - (列表)角色所有者在指定集群中拥有的集群级别权限。注意 - 对于远程集群,仅支持部分集群权限。可以使用内置权限 API来确定每个版本允许哪些权限。
-
有关更多信息,请参阅定义角色。
示例
编辑以下示例添加了名为 my_admin_role 和 my_user_role 的角色
resp = client.security.bulk_put_role(
roles={
"my_admin_role": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1",
"index2"
],
"privileges": [
"all"
],
"field_security": {
"grant": [
"title",
"body"
]
},
"query": "{\"match\": {\"title\": \"foo\"}}"
}
],
"applications": [
{
"application": "myapp",
"privileges": [
"admin",
"read"
],
"resources": [
"*"
]
}
],
"run_as": [
"other_user"
],
"metadata": {
"version": 1
}
},
"my_user_role": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1"
],
"privileges": [
"read"
],
"field_security": {
"grant": [
"title",
"body"
]
},
"query": "{\"match\": {\"title\": \"foo\"}}"
}
],
"applications": [
{
"application": "myapp",
"privileges": [
"admin",
"read"
],
"resources": [
"*"
]
}
],
"run_as": [
"other_user"
],
"metadata": {
"version": 1
}
}
},
)
print(resp)
const response = await client.security.bulkPutRole({
roles: {
my_admin_role: {
cluster: ["all"],
indices: [
{
names: ["index1", "index2"],
privileges: ["all"],
field_security: {
grant: ["title", "body"],
},
query: '{"match": {"title": "foo"}}',
},
],
applications: [
{
application: "myapp",
privileges: ["admin", "read"],
resources: ["*"],
},
],
run_as: ["other_user"],
metadata: {
version: 1,
},
},
my_user_role: {
cluster: ["all"],
indices: [
{
names: ["index1"],
privileges: ["read"],
field_security: {
grant: ["title", "body"],
},
query: '{"match": {"title": "foo"}}',
},
],
applications: [
{
application: "myapp",
privileges: ["admin", "read"],
resources: ["*"],
},
],
run_as: ["other_user"],
metadata: {
version: 1,
},
},
},
});
console.log(response);
POST /_security/role
{
"roles": {
"my_admin_role": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1",
"index2"
],
"privileges": [
"all"
],
"field_security": {
"grant": [
"title",
"body"
]
},
"query": "{\"match\": {\"title\": \"foo\"}}"
}
],
"applications": [
{
"application": "myapp",
"privileges": [
"admin",
"read"
],
"resources": [
"*"
]
}
],
"run_as": [
"other_user"
],
"metadata": {
"version": 1
}
},
"my_user_role": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1"
],
"privileges": [
"read"
],
"field_security": {
"grant": [
"title",
"body"
]
},
"query": "{\"match\": {\"title\": \"foo\"}}"
}
],
"applications": [
{
"application": "myapp",
"privileges": [
"admin",
"read"
],
"resources": [
"*"
]
}
],
"run_as": [
"other_user"
],
"metadata": {
"version": 1
}
}
}
}
成功的调用将返回一个 JSON 结构,显示角色是否已创建、更新或未进行任何更改。
由于错误是针对每个角色创建或更新单独处理的,因此 API 允许部分成功。
以下查询将为 my_admin_role 抛出错误,因为权限 bad_cluster_privilege 不存在,但对于 my_user_role 将成功。
resp = client.security.bulk_put_role(
roles={
"my_admin_role": {
"cluster": [
"bad_cluster_privilege"
],
"indices": [
{
"names": [
"index1",
"index2"
],
"privileges": [
"all"
],
"field_security": {
"grant": [
"title",
"body"
]
},
"query": "{\"match\": {\"title\": \"foo\"}}"
}
],
"applications": [
{
"application": "myapp",
"privileges": [
"admin",
"read"
],
"resources": [
"*"
]
}
],
"run_as": [
"other_user"
],
"metadata": {
"version": 1
}
},
"my_user_role": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1"
],
"privileges": [
"read"
],
"field_security": {
"grant": [
"title",
"body"
]
},
"query": "{\"match\": {\"title\": \"foo\"}}"
}
],
"applications": [
{
"application": "myapp",
"privileges": [
"admin",
"read"
],
"resources": [
"*"
]
}
],
"run_as": [
"other_user"
],
"metadata": {
"version": 1
}
}
},
)
print(resp)
const response = await client.security.bulkPutRole({
roles: {
my_admin_role: {
cluster: ["bad_cluster_privilege"],
indices: [
{
names: ["index1", "index2"],
privileges: ["all"],
field_security: {
grant: ["title", "body"],
},
query: '{"match": {"title": "foo"}}',
},
],
applications: [
{
application: "myapp",
privileges: ["admin", "read"],
resources: ["*"],
},
],
run_as: ["other_user"],
metadata: {
version: 1,
},
},
my_user_role: {
cluster: ["all"],
indices: [
{
names: ["index1"],
privileges: ["read"],
field_security: {
grant: ["title", "body"],
},
query: '{"match": {"title": "foo"}}',
},
],
applications: [
{
application: "myapp",
privileges: ["admin", "read"],
resources: ["*"],
},
],
run_as: ["other_user"],
metadata: {
version: 1,
},
},
},
});
console.log(response);
POST /_security/role
{
"roles": {
"my_admin_role": {
"cluster": [
"bad_cluster_privilege"
],
"indices": [
{
"names": [
"index1",
"index2"
],
"privileges": ["all"],
"field_security": {
"grant": [
"title",
"body"
]
},
"query": "{\"match\": {\"title\": \"foo\"}}"
}
],
"applications": [
{
"application": "myapp",
"privileges": [
"admin",
"read"
],
"resources": [
"*"
]
}
],
"run_as": [
"other_user"
],
"metadata": {
"version": 1
}
},
"my_user_role": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1"
],
"privileges": [
"read"
],
"field_security": {
"grant": [
"title",
"body"
]
},
"query": "{\"match\": {\"title\": \"foo\"}}"
}
],
"applications": [
{
"application": "myapp",
"privileges": [
"admin",
"read"
],
"resources": [
"*"
]
}
],
"run_as": [
"other_user"
],
"metadata": {
"version": 1
}
}
}
}
结果将把 errors 字段设置为 true,并保存 my_admin_role 更新的错误。
{
"created": [
"my_user_role"
],
"errors": {
"count": 1,
"details": {
"my_admin_role": {
"type": "action_request_validation_exception",
"reason": "Validation Failed: 1: unknown cluster privilege [bad_cluster_privilege]. a privilege must be either one of the predefined cluster privilege names [manage_own_api_key,manage_data_stream_global_retention,monitor_data_stream_global_retention,none,cancel_task,cross_cluster_replication,cross_cluster_search,delegate_pki,grant_api_key,manage_autoscaling,manage_index_templates,manage_logstash_pipelines,manage_oidc,manage_saml,manage_search_application,manage_search_query_rules,manage_search_synonyms,manage_service_account,manage_token,manage_user_profile,monitor_connector,monitor_enrich,monitor_inference,monitor_ml,monitor_rollup,monitor_snapshot,monitor_stats,monitor_text_structure,monitor_watcher,post_behavioral_analytics_event,read_ccr,read_connector_secrets,read_fleet_secrets,read_ilm,read_pipeline,read_security,read_slm,transport_client,write_connector_secrets,write_fleet_secrets,create_snapshot,manage_behavioral_analytics,manage_ccr,manage_connector,manage_enrich,manage_ilm,manage_inference,manage_ml,manage_rollup,manage_slm,manage_watcher,monitor_data_frame_transforms,monitor_transform,manage_api_key,manage_ingest_pipelines,manage_pipeline,manage_data_frame_transforms,manage_transform,manage_security,monitor,manage,all] or a pattern over one of the available cluster actions;"
}
}
}
}