-
Notifications
You must be signed in to change notification settings - Fork 163
Supported Rules
Simone Scarduzio edited this page Apr 13, 2016
·
24 revisions
The evaluation stops at the first block (block = sets of rules) where all the rules match. The blocks are evaluated in the order they appear in the configuration file.
| rule_name : example_argument ______________________________________ | Description |
|---|---|
| type: allow |
mandatory rule! If all the following rules match the request, then allow or forbid it |
| hosts: [localhost, 10.0.0.0/24] | a list of origin IP addresses or subnets |
| accept_x-forwarded-for_header: false | interpret the X-Forwarded-For header as origin host (useful for AWS ELB and other reverse proxies) |
| methods: [GET, OPTIONS] | match the HTTP method |
| api_keys: [123456, abcdefg] | a list of api keys expected in the header X-Api-Key
|
| uri_re: ^/secret-index/.* | A regular expression to match the request URI. Hint: superseded by indices! |
| maxBodyLength: 0 | limit HTTP request body length. |
| auth_key: sales:p455wd |
HTTP Basic Auth. Configure this value in clear text. Clients will need to provide the header e.g. Authorization: Basic c2FsZXM6cDQ1NXdk where "c2FsZXM6cDQ1NXdk" is base64 for "sales:p455wd". |
| indices: [sales, logstash-*] | Match if the request touches indices whose name is "sales", starts with "public" or a combination of both |
| kibana_access: ro | Match if the request comes from Kibana and does not change the content. If configured as "rw" will allow kibana action that change the dashboard and the content. If configured as "ro+" will allow kibana actions that only change the .kibana index and read the rest the indices. |
| kibana_index: .kibana-123 | Optional modifier to let kibana_access work even when you have a custom configuration of "kibana.index" property in kibana.yml |
| actions: [cluster:*] | Match if the request action matches the exact words or wildcard patterns. SEE TABLE BELOW for a list of known actions |
There is no explicit list of what actions are required for different operations in ElasticSearch. Below there is a list with some known values and the corresponding API operations.
| Action String | Operations |
|---|---|
cluster:admin/repository/get |
cat API repositories |
cluster:monitor/health |
cat API health |
cluster:monitor/state |
|
cluster:monitor/nodes/stats |
cat API fielddata |
cluster:monitor/task |
cat API pending tasks |
indices:admin/create |
Indices API create |
indices:admin/exists |
Indices API exists |
indices:admin/open |
Indices API open |
indices:admin/close |
Indices API close |
indices:admin/delete |
Indices API exists |
indices:admin/aliases/get |
cat API aliases |
indices:admin/mappings/get |
Indices API get mapping |
indices:admin/mapping/put |
Indices API put mapping |
indices:admin/types/exists |
Indices API types exists |
indices:admin/validate/query |
Search API validate query |
indices:data/read/search |
|
indices:data/read/get |
|
indices:data/read/suggest |
Search API suggest |
indices:data/read/explain |
Search API explain |
indices:data/read/field_stats |
Search API field stats |
indices:data/write/index |
Documents API index (op_type=create also uses this action) |
indices:data/write/bulk |
Bulk operations |
indices:data/write/bulk[s] |
Documents API bulk |
indices:monitor/stats |
Indices API indices stats |
indices:monitor/recovery |
cat API recovery |
If in doubt, set ReadOnlyRest debug level to INFO and include an "actions": entrance in every rule. This will show the action received.