-
Notifications
You must be signed in to change notification settings - Fork 163
Supported Rules
The evaluation stops at the first block (block = sets of rules) where all the rules match. The blocks are evaluated in the order they appear in the configuration file.
| rule_name : example_argument ______________________________________ | Description |
|---|---|
| type: allow |
mandatory rule! If all the following rules match the request, then allow or forbid it |
| hosts: [localhost, 10.0.0.0/24] | a list of origin IP addresses or subnets |
| accept_x-forwarded-for_header: false | interpret the X-Forwarded-For header as origin host (useful for AWS ELB and other reverse proxies) |
| methods: [GET, OPTIONS] | match the HTTP method |
| api_keys: [123456, abcdefg] | a list of api keys expected in the header X-Api-Key
|
| uri_re: ^/secret-index/.* | A regular expression to match the request URI. Hint: superseded by indices! |
| maxBodyLength: 0 | limit HTTP request body length. |
| auth_key: sales:p455wd |
HTTP Basic Auth. Configure this value in clear text. Clients will need to provide the header e.g. Authorization: Basic c2FsZXM6cDQ1NXdk where "c2FsZXM6cDQ1NXdk" is base64 for "sales:p455wd". |
| indices: [sales, logstash-*] | Match if the request touches indices whose name is "sales", starts with "public" or a combination of both. See also a note on <no-index> below. |
| kibana_access: ro | Match if the request comes from Kibana and does not change the content. If configured as "rw" will allow kibana action that change the dashboard and the content. If configured as "ro+" will allow kibana actions that only change the .kibana index and read the rest the indices. |
| kibana_index: .kibana-123 | Optional modifier to let kibana_access work even when you have a custom configuration of "kibana.index" property in kibana.yml |
| actions: [cluster:*] | Match if the request action matches the exact words or wildcard patterns. SEE TABLE BELOW for a list of known actions |
There is no explicit list of what actions are required for different operations in ElasticSearch. Below there is a list with some known values and the corresponding API operations.
| Action String | Operations |
|---|---|
cluster:admin/repository/get |
cat API repositories |
cluster:monitor/health |
cat API health |
cluster:monitor/state |
|
cluster:monitor/nodes/stats |
cat API fielddata |
cluster:monitor/task |
cat API pending tasks |
indices:admin/create |
Indices API create |
indices:admin/exists |
Indices API exists |
indices:admin/open |
Indices API open |
indices:admin/close |
Indices API close |
indices:admin/delete |
Indices API delete |
indices:admin/aliases/get |
cat API aliases |
indices:admin/mappings/get |
Indices API get mapping |
indices:admin/mapping/put |
Indices API put mapping |
indices:admin/types/exists |
Indices API types exists |
indices:admin/validate/query |
Search API validate query |
indices:data/read/search |
|
indices:data/read/get |
|
indices:data/read/suggest |
Search API suggest |
indices:data/read/explain |
Search API explain |
indices:data/read/field_stats |
Search API field stats |
indices:data/write/index |
Documents API index (op_type=create also uses this action) |
indices:data/write/bulk |
Bulk operations |
indices:data/write/bulk[s] |
Documents API bulk |
indices:monitor/stats |
Indices API indices stats |
indices:monitor/recovery |
cat API recovery |
indices rule name can accept a special value <no-index>, which matches the case when no index has been detected in the request context. This is quite usual when clients request for generic cluster state related actions, for which the notion of indices-context simply does not apply.
Although from the usability stand point, this is quite puzzling, author believes that the situation in which a system implicitly whitelists some stuff is not exactly the path of least surprise. Especially when one is defining ACLs for security.
If in doubt on why some requests get forbidden, set ElasticSearch debug level to DEBUG and grep the logs for action:. This will show you the whole request context (including the action and indices fields) of blocked request.