Create or update application privileges
Generally available; Added in 6.4.0
To use this API, you must have one of the following privileges:
- The `manage_security` cluster privilege (or a greater privilege such as `all`).
- The "Manage Application Privileges" global privilege for the application being referenced in the request.
Application names are formed from a prefix with an optional suffix, and must conform to the following rules:
- The prefix must begin with a lowercase ASCII letter.
- The prefix must contain only ASCII letters or digits.
- The prefix must be at least 3 characters long.
- If the suffix exists, it must begin with either a dash `-` or `_`.
- The suffix cannot contain any of the following characters: `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, `,`, `*`.
- No part of the name can contain whitespace.
Privilege names must begin with a lowercase ASCII letter and must contain only ASCII letters and digits along with the characters `_`, `-`, and `.`.
Action names can contain any number of printable ASCII characters and must contain at least one of the following characters: `/`, `*`, `:`.
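The naming rules above can be checked client-side before a request body is sent. This is an added example, not code from the Elasticsearch documentation or client libraries; `validate_privileges`, `GOOD` and `BAD` are hypothetical names, and it assumes "printable ASCII" means 0x20 to 0x7E with space included.

```python
import re

# Patterns transcribed from the naming rules on this page.
# Application name: prefix (lowercase letter first, letters/digits only,
# at least 3 characters), then an optional suffix starting with '-' or '_'
# that contains none of the forbidden characters and no whitespace.
APP_NAME = re.compile(r'[a-z][A-Za-z0-9]{2,}(?:[-_][^\\/*?"<>|,\s]*)?')
PRIV_NAME = re.compile(r'[a-z][A-Za-z0-9_.-]*')
# Assumption: "printable ASCII" is the range 0x20-0x7E.
ACTION_CHARS = re.compile(r'[\x20-\x7e]+')


def validate_privileges(body):
    """Return a list of rule violations for a PUT /_security/privilege body."""
    errors = []
    for app, privileges in body.items():
        if not APP_NAME.fullmatch(app):
            errors.append(f"application name {app!r} breaks the prefix/suffix rules")
        for name, definition in privileges.items():
            where = f"{app}/{name}"
            if not PRIV_NAME.fullmatch(name):
                errors.append(f"{where}: invalid privilege name")
            for action in definition.get("actions", []):
                if not ACTION_CHARS.fullmatch(action):
                    errors.append(f"{where}: action {action!r} is not printable ASCII")
                elif not any(c in action for c in "/*:"):
                    errors.append(f"{where}: action {action!r} lacks '/', '*' or ':'")
    return errors


# The multi-privilege request body shown on this page.
GOOD = {
    "app01": {"read": {"actions": ["action:login", "data:read/*"]},
              "write": {"actions": ["action:login", "data:write/*"]}},
    "app02": {"all": {"actions": ["*"]}},
}
# Constructed, deliberately malformed body.
BAD = {
    "my app": {"Read": {"actions": ["login"]}},
    "ab": {"read": {"actions": ["data:read/*"]}},
}

if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_privileges(body) or "ok")
```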
Required authorization
- Cluster privileges: `manage_security`
Query parameters
- If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. Values are `true`, `false`, or `wait_for`.
PUT /_security/privilege
Console
```console
PUT /_security/privilege
{
  "myapp": {
    "read": {
      "actions": [
        "data:read/*",
        "action:login"
      ],
      "metadata": {
        "description": "Read access to myapp"
      }
    }
  }
}
```
```python
resp = client.security.put_privileges(
    privileges={
        "myapp": {
            "read": {
                "actions": [
                    "data:read/*",
                    "action:login"
                ],
                "metadata": {
                    "description": "Read access to myapp"
                }
            }
        }
    },
)
```
```js
const response = await client.security.putPrivileges({
  privileges: {
    myapp: {
      read: {
        actions: ["data:read/*", "action:login"],
        metadata: {
          description: "Read access to myapp",
        },
      },
    },
  },
});
```
```ruby
response = client.security.put_privileges(
  body: {
    "myapp": {
      "read": {
        "actions": [
          "data:read/*",
          "action:login"
        ],
        "metadata": {
          "description": "Read access to myapp"
        }
      }
    }
  }
)
```
```php
$resp = $client->security()->putPrivileges([
    "body" => [
        "myapp" => [
            "read" => [
                "actions" => array(
                    "data:read/*",
                    "action:login",
                ),
                "metadata" => [
                    "description" => "Read access to myapp",
                ],
            ],
        ],
    ],
]);
```
```sh
curl -X PUT \
  -H "Authorization: ApiKey $ELASTIC_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"myapp":{"read":{"actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}}}' \
  "$ELASTICSEARCH_URL/_security/privilege"
```
Request examples
Add a privilege
Run `PUT /_security/privilege` to add a single application privilege. The wildcard (`*`) means that this privilege grants access to all actions that start with `data:read/`. Elasticsearch does not assign any meaning to these actions. However, if the request includes an application privilege such as `data:read/users` or `data:read/settings`, the has privileges API respects the use of a wildcard and returns `true`.
```json
{
  "myapp": {
    "read": {
      "actions": [
        "data:read/*",
        "action:login"
      ],
      "metadata": {
        "description": "Read access to myapp"
      }
    }
  }
}
```
Run `PUT /_security/privilege` to add multiple application privileges.
```json
{
  "app01": {
    "read": {
      "actions": [
        "action:login",
        "data:read/*"
      ]
    },
    "write": {
      "actions": [
        "action:login",
        "data:write/*"
      ]
    }
  },
  "app02": {
    "all": {
      "actions": [
        "*"
      ]
    }
  }
}
```
Response examples (200)
Security put privileges response example 1
A successful response from `PUT /_security/privilege`.
```json
{
  "myapp": {
    "read": {
      "created": true
    }
  }
}
```
A successful response from `PUT /_security/privilege`. The `created` property indicates whether the privileges have been created or updated.
```json
{
  "app02": {
    "all": {
      "created": true
    }
  },
  "app01": {
    "read": {
      "created": true
    },
    "write": {
      "created": true
    }
  }
}
```