New

The executive guide to generative AI

Read more
About usPartnersSupport|Login
« 创建或更新角色 API 批量删除角色 API »
Elastic 文档 Elasticsearch 指南 [8.17] REST API 安全 API

批量创建或更新角色 API

编辑

批量创建或更新角色 API

编辑

在原生领域中批量添加和更新角色。

请求

编辑

POST /_security/role/

先决条件

编辑
  • 要使用此 API,您必须至少拥有 manage_security 集群权限。

描述

编辑

角色管理 API 通常是管理角色的首选方式,而不是使用基于文件的角色管理。批量创建或更新角色 API 不能更新在角色文件中定义的角色。

路径参数

编辑
refresh
写入请求的刷新策略的可选设置。默认为 Immediate。

请求主体

编辑

以下参数可以在 POST 请求的主体中指定,并与添加一组角色相关

roles
(对象)要添加为角色名称到角色映射的角色。
<角色名称>(必需)
(字符串)角色名称。
applications

(列表)应用程序权限条目的列表。

application(必需)
(字符串)此条目适用的应用程序的名称。
privileges
(列表)字符串列表,其中每个元素都是应用程序权限或操作的名称。
resources
(列表)应用权限的资源列表。
cluster
(列表)集群权限列表。这些权限定义了具有此角色的用户能够执行的集群级别操作。
global
(对象)定义全局权限的对象。全局权限是请求感知的集群权限形式。目前,全局权限的支持仅限于应用程序权限的管理。
indices

(列表)索引权限条目的列表。

field_security
(对象)角色所有者具有读取访问权限的文档字段。有关更多信息,请参阅设置字段和文档级别安全性
names(必需)
(列表)此条目中的权限适用的索引(或索引名称模式)列表。
privileges(必需)
(列表)角色所有者在指定索引上拥有的索引级别权限。
query
一个搜索查询,定义了角色所有者具有读取访问权限的文档。指定索引中的文档必须与此查询匹配,角色所有者才能访问该文档。
metadata
(对象)可选的元数据。在metadata对象中,以_开头的键保留给系统使用。
run_as
(列表)此角色的所有者可以模拟的用户列表。有关更多信息,请参阅代表其他用户提交请求
remote_indices

(列表)远程索引权限条目的列表。

远程索引对于使用基于 API 密钥的模型配置的远程集群有效。它们对于使用基于证书的模型配置的远程集群无效。

clusters(必需)
(列表)此条目中的权限适用的集群别名列表。
field_security
(对象)角色所有者具有读取访问权限的文档字段。有关更多信息,请参阅设置字段和文档级别安全性
names(必需)
(列表)远程集群(使用 clusters 指定)上此条目中的权限适用的索引(或索引名称模式)列表。
privileges(必需)
(列表)角色所有者在指定索引上拥有的索引级别权限。
query
一个搜索查询,定义了角色所有者具有读取访问权限的文档。指定索引中的文档必须与此查询匹配,角色所有者才能访问该文档。
remote_cluster

(列表)远程集群权限条目的列表。

远程集群权限对于使用基于 API 密钥的模型配置的远程集群有效。它们对于使用基于证书的模型配置的远程集群无效。

clusters(必需)
(列表)此条目中的权限适用的集群别名列表。
privileges(必需)
(列表)角色所有者在指定集群中拥有的集群级别权限。注意 - 对于远程集群,仅支持部分集群权限。可以使用内置权限 API来确定每个版本允许哪些权限。

有关更多信息,请参阅定义角色

示例

编辑

以下示例添加了名为 my_admin_rolemy_user_role 的角色

resp = client.security.bulk_put_role(
    roles={
        "my_admin_role": {
            "cluster": [
                "all"
            ],
            "indices": [
                {
                    "names": [
                        "index1",
                        "index2"
                    ],
                    "privileges": [
                        "all"
                    ],
                    "field_security": {
                        "grant": [
                            "title",
                            "body"
                        ]
                    },
                    "query": "{\"match\": {\"title\": \"foo\"}}"
                }
            ],
            "applications": [
                {
                    "application": "myapp",
                    "privileges": [
                        "admin",
                        "read"
                    ],
                    "resources": [
                        "*"
                    ]
                }
            ],
            "run_as": [
                "other_user"
            ],
            "metadata": {
                "version": 1
            }
        },
        "my_user_role": {
            "cluster": [
                "all"
            ],
            "indices": [
                {
                    "names": [
                        "index1"
                    ],
                    "privileges": [
                        "read"
                    ],
                    "field_security": {
                        "grant": [
                            "title",
                            "body"
                        ]
                    },
                    "query": "{\"match\": {\"title\": \"foo\"}}"
                }
            ],
            "applications": [
                {
                    "application": "myapp",
                    "privileges": [
                        "admin",
                        "read"
                    ],
                    "resources": [
                        "*"
                    ]
                }
            ],
            "run_as": [
                "other_user"
            ],
            "metadata": {
                "version": 1
            }
        }
    },
)
print(resp)
const response = await client.security.bulkPutRole({
  roles: {
    my_admin_role: {
      cluster: ["all"],
      indices: [
        {
          names: ["index1", "index2"],
          privileges: ["all"],
          field_security: {
            grant: ["title", "body"],
          },
          query: '{"match": {"title": "foo"}}',
        },
      ],
      applications: [
        {
          application: "myapp",
          privileges: ["admin", "read"],
          resources: ["*"],
        },
      ],
      run_as: ["other_user"],
      metadata: {
        version: 1,
      },
    },
    my_user_role: {
      cluster: ["all"],
      indices: [
        {
          names: ["index1"],
          privileges: ["read"],
          field_security: {
            grant: ["title", "body"],
          },
          query: '{"match": {"title": "foo"}}',
        },
      ],
      applications: [
        {
          application: "myapp",
          privileges: ["admin", "read"],
          resources: ["*"],
        },
      ],
      run_as: ["other_user"],
      metadata: {
        version: 1,
      },
    },
  },
});
console.log(response);
POST /_security/role
{
    "roles": {
        "my_admin_role": {
            "cluster": [
                "all"
            ],
            "indices": [
                {
                    "names": [
                        "index1",
                        "index2"
                    ],
                    "privileges": [
                        "all"
                    ],
                    "field_security": {
                        "grant": [
                            "title",
                            "body"
                        ]
                    },
                    "query": "{\"match\": {\"title\": \"foo\"}}"
                }
            ],
            "applications": [
                {
                    "application": "myapp",
                    "privileges": [
                        "admin",
                        "read"
                    ],
                    "resources": [
                        "*"
                    ]
                }
            ],
            "run_as": [
                "other_user"
            ],
            "metadata": {
                "version": 1
            }
        },
        "my_user_role": {
            "cluster": [
                "all"
            ],
            "indices": [
                {
                    "names": [
                        "index1"
                    ],
                    "privileges": [
                        "read"
                    ],
                    "field_security": {
                        "grant": [
                            "title",
                            "body"
                        ]
                    },
                    "query": "{\"match\": {\"title\": \"foo\"}}"
                }
            ],
            "applications": [
                {
                    "application": "myapp",
                    "privileges": [
                        "admin",
                        "read"
                    ],
                    "resources": [
                        "*"
                    ]
                }
            ],
            "run_as": [
                "other_user"
            ],
            "metadata": {
                "version": 1
            }
        }
    }
}
Copy as curlTry in Elastic 

成功的调用将返回一个 JSON 结构,显示角色是否已创建、更新或未进行任何更改。

{
    "created": [ 
        "my_admin_role", 
        "my_user_role"
    ]
}

结果类型,可以是 createdupdatednooperrors 之一。

已创建的角色列表。

由于错误是针对每个角色创建或更新单独处理的,因此 API 允许部分成功。

以下查询将为 my_admin_role 抛出错误,因为权限 bad_cluster_privilege 不存在,但对于 my_user_role 将成功。

resp = client.security.bulk_put_role(
    roles={
        "my_admin_role": {
            "cluster": [
                "bad_cluster_privilege"
            ],
            "indices": [
                {
                    "names": [
                        "index1",
                        "index2"
                    ],
                    "privileges": [
                        "all"
                    ],
                    "field_security": {
                        "grant": [
                            "title",
                            "body"
                        ]
                    },
                    "query": "{\"match\": {\"title\": \"foo\"}}"
                }
            ],
            "applications": [
                {
                    "application": "myapp",
                    "privileges": [
                        "admin",
                        "read"
                    ],
                    "resources": [
                        "*"
                    ]
                }
            ],
            "run_as": [
                "other_user"
            ],
            "metadata": {
                "version": 1
            }
        },
        "my_user_role": {
            "cluster": [
                "all"
            ],
            "indices": [
                {
                    "names": [
                        "index1"
                    ],
                    "privileges": [
                        "read"
                    ],
                    "field_security": {
                        "grant": [
                            "title",
                            "body"
                        ]
                    },
                    "query": "{\"match\": {\"title\": \"foo\"}}"
                }
            ],
            "applications": [
                {
                    "application": "myapp",
                    "privileges": [
                        "admin",
                        "read"
                    ],
                    "resources": [
                        "*"
                    ]
                }
            ],
            "run_as": [
                "other_user"
            ],
            "metadata": {
                "version": 1
            }
        }
    },
)
print(resp)
const response = await client.security.bulkPutRole({
  roles: {
    my_admin_role: {
      cluster: ["bad_cluster_privilege"],
      indices: [
        {
          names: ["index1", "index2"],
          privileges: ["all"],
          field_security: {
            grant: ["title", "body"],
          },
          query: '{"match": {"title": "foo"}}',
        },
      ],
      applications: [
        {
          application: "myapp",
          privileges: ["admin", "read"],
          resources: ["*"],
        },
      ],
      run_as: ["other_user"],
      metadata: {
        version: 1,
      },
    },
    my_user_role: {
      cluster: ["all"],
      indices: [
        {
          names: ["index1"],
          privileges: ["read"],
          field_security: {
            grant: ["title", "body"],
          },
          query: '{"match": {"title": "foo"}}',
        },
      ],
      applications: [
        {
          application: "myapp",
          privileges: ["admin", "read"],
          resources: ["*"],
        },
      ],
      run_as: ["other_user"],
      metadata: {
        version: 1,
      },
    },
  },
});
console.log(response);
POST /_security/role
{
    "roles": {
        "my_admin_role": {
            "cluster": [
                "bad_cluster_privilege"
            ],
            "indices": [
                {
                    "names": [
                        "index1",
                        "index2"
                    ],
                    "privileges": ["all"],
                    "field_security": {
                        "grant": [
                            "title",
                            "body"
                        ]
                    },
                    "query": "{\"match\": {\"title\": \"foo\"}}"
                }
            ],
            "applications": [
                {
                    "application": "myapp",
                    "privileges": [
                        "admin",
                        "read"
                    ],
                    "resources": [
                        "*"
                    ]
                }
            ],
            "run_as": [
                "other_user"
            ],
            "metadata": {
                "version": 1
            }
        },
        "my_user_role": {
            "cluster": [
                "all"
            ],
            "indices": [
                {
                    "names": [
                        "index1"
                    ],
                    "privileges": [
                        "read"
                    ],
                    "field_security": {
                        "grant": [
                            "title",
                            "body"
                        ]
                    },
                    "query": "{\"match\": {\"title\": \"foo\"}}"
                }
            ],
            "applications": [
                {
                    "application": "myapp",
                    "privileges": [
                        "admin",
                        "read"
                    ],
                    "resources": [
                        "*"
                    ]
                }
            ],
            "run_as": [
                "other_user"
            ],
            "metadata": {
                "version": 1
            }
        }
    }
}
Copy as curlTry in Elastic 

结果将把 errors 字段设置为 true,并保存 my_admin_role 更新的错误。

{
    "created": [
        "my_user_role" 
    ],
    "errors": { 
        "count": 1, 
        "details": {
            "my_admin_role": { 
                "type": "action_request_validation_exception",
                "reason": "Validation Failed: 1: unknown cluster privilege [bad_cluster_privilege]. a privilege must be either one of the predefined cluster privilege names [manage_own_api_key,manage_data_stream_global_retention,monitor_data_stream_global_retention,none,cancel_task,cross_cluster_replication,cross_cluster_search,delegate_pki,grant_api_key,manage_autoscaling,manage_index_templates,manage_logstash_pipelines,manage_oidc,manage_saml,manage_search_application,manage_search_query_rules,manage_search_synonyms,manage_service_account,manage_token,manage_user_profile,monitor_connector,monitor_enrich,monitor_inference,monitor_ml,monitor_rollup,monitor_snapshot,monitor_stats,monitor_text_structure,monitor_watcher,post_behavioral_analytics_event,read_ccr,read_connector_secrets,read_fleet_secrets,read_ilm,read_pipeline,read_security,read_slm,transport_client,write_connector_secrets,write_fleet_secrets,create_snapshot,manage_behavioral_analytics,manage_ccr,manage_connector,manage_enrich,manage_ilm,manage_inference,manage_ml,manage_rollup,manage_slm,manage_watcher,monitor_data_frame_transforms,monitor_transform,manage_api_key,manage_ingest_pipelines,manage_pipeline,manage_data_frame_transforms,manage_transform,manage_security,monitor,manage,all] or a pattern over one of the available cluster actions;"
            }
        }
    }
}

成功创建的角色。

遇到的错误。

导致错误的 put role 请求的数量。

按角色名称键控的错误。
« 创建或更新角色 API 批量删除角色 API »

On this page

Was this helpful?
Feedback