Create or update application privileges
Generally available; Added in 6.4.0
To use this API, you must have one of the following privileges:
- The
manage_securitycluster privilege (or a greater privilege such asall). - The "Manage Application Privileges" global privilege for the application being referenced in the request.
Application names are formed from a prefix, with an optional suffix that conform to the following rules:
- The prefix must begin with a lowercase ASCII letter.
- The prefix must contain only ASCII letters or digits.
- The prefix must be at least 3 characters long.
- If the suffix exists, it must begin with either a dash
-or_. - The suffix cannot contain any of the following characters:
\,/,*,?,",<,>,|,,,*. - No part of the name can contain whitespace.
Privilege names must begin with a lowercase ASCII letter and must contain only ASCII letters and digits along with the characters _, -, and ..
Action names can contain any number of printable ASCII characters and must contain at least one of the following characters: /, *, :.
Required authorization
- Cluster privileges:
manage_security
Query parameters
-
If
true(the default) then refresh the affected shards to make this operation visible to search, ifwait_forthen wait for a refresh to make this operation visible to search, iffalsethen do nothing with refreshes.Values are
true,false, orwait_for.
PUT
/_security/privilege
Console
PUT /_security/privilege
{
"myapp": {
"read": {
"actions": [
"data:read/*" ,
"action:login" ],
"metadata": {
"description": "Read access to myapp"
}
}
}
}resp = client.security.put_privileges(
privileges={
"myapp": {
"read": {
"actions": [
"data:read/*",
"action:login"
],
"metadata": {
"description": "Read access to myapp"
}
}
}
},
)const response = await client.security.putPrivileges({
privileges: {
myapp: {
read: {
actions: ["data:read/*", "action:login"],
metadata: {
description: "Read access to myapp",
},
},
},
},
});response = client.security.put_privileges(
body: {
"myapp": {
"read": {
"actions": [
"data:read/*",
"action:login"
],
"metadata": {
"description": "Read access to myapp"
}
}
}
}
)$resp = $client->security()->putPrivileges([
"body" => [
"myapp" => [
"read" => [
"actions" => array(
"data:read/*",
"action:login",
),
"metadata" => [
"description" => "Read access to myapp",
],
],
],
],
]);curl -X PUT -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"myapp":{"read":{"actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}}}' "$ELASTICSEARCH_URL/_security/privilege"
Request examples
Add a privilege
Run `PUT /_security/privilege` to add a single application privilege. The wildcard (`*`) means that this privilege grants access to all actions that start with `data:read/`. Elasticsearch does not assign any meaning to these actions. However, if the request includes an application privilege such as `data:read/users` or `data:read/settings`, the has privileges API respects the use of a wildcard and returns `true`.
{
"myapp": {
"read": {
"actions": [
"data:read/*" ,
"action:login" ],
"metadata": {
"description": "Read access to myapp"
}
}
}
}
Run `PUT /_security/privilege` to add multiple application privileges.
{
"app01": {
"read": {
"actions": [ "action:login", "data:read/*" ]
},
"write": {
"actions": [ "action:login", "data:write/*" ]
}
},
"app02": {
"all": {
"actions": [ "*" ]
}
}
}
Response examples (200)
Security put privileges response example1
A successful response from `PUT /_security/privilege`.
{
"myapp": {
"read": {
"created": true
}
}
}
A successful response from `PUT /_security/privilege`. The `created` property indicates whether the privileges have been created or updated.
{
"app02": {
"all": {
"created": true
}
},
"app01": {
"read": {
"created": true
},
"write": {
"created": true
}
}
}