Link Search Menu Expand Document

The Open Distro project is archived. Open Distro development has moved to OpenSearch. The Open Distro plugins will continue to work with legacy versions of Elasticsearch OSS, but we recommend upgrading to OpenSearch to take advantage of the latest features and improvements.

API

The security plugin REST API lets you programmatically create and manage users, roles, role mappings, action groups, and tenants.


Table of contents

  1. Access control for the API
  2. Reserved and hidden resources
  3. Account
    1. Get account details
    2. Change password
  4. Action groups
    1. Get action group
    2. Get action groups
    3. Delete action group
    4. Create action group
    5. Patch action group
    6. Patch action groups
  5. Users
    1. Get user
    2. Get users
    3. Delete user
    4. Create user
    5. Patch user
    6. Patch users
  6. Roles
    1. Get role
    2. Get roles
    3. Delete role
    4. Create role
    5. Patch role
    6. Patch roles
  7. Role mappings
    1. Get role mapping
    2. Get role mappings
    3. Delete role mapping
    4. Create role mapping
    5. Patch role mapping
    6. Patch role mappings
  8. Tenants
    1. Get tenant
    2. Get tenants
    3. Delete tenant
    4. Create tenant
    5. Patch tenant
    6. Patch tenants
  9. Configuration
    1. Get configuration
    2. Update configuration
    3. Patch configuration
  10. Certificates
    1. Get certificates
    2. Update configuration
    3. Patch configuration
  11. Cache
    1. Flush cache
  12. Health
    1. Health check

Access control for the API

Just like Elasticsearch permissions, you control access to the security plugin REST API using roles. Specify roles in elasticsearch.yml:

opendistro_security.restapi.roles_enabled: ["<role>", ...]

These roles can now access all APIs. To prevent access to certain APIs:

opendistro_security.restapi.endpoints_disabled.<role>.<endpoint>: ["<method>", ...]

Possible values for endpoint are:

  • ACTIONGROUPS
  • ROLES
  • ROLESMAPPING
  • INTERNALUSERS
  • CONFIG
  • CACHE
  • LICENSE
  • SYSTEMINFO

Possible values for method are:

  • GET
  • PUT
  • POST
  • DELETE
  • PATCH

For example, the following configuration grants three roles access to the REST API, but then prevents test-role from making PUT, POST, DELETE, or PATCH requests to _opendistro/_security/api/roles or _opendistro/_security/api/internalusers:

opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "test-role"]
opendistro_security.restapi.endpoints_disabled.test-role.ROLES: ["PUT", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.test-role.INTERNALUSERS: ["PUT", "POST", "DELETE", "PATCH"]

To use the PUT and PATCH methods for the configuration APIs, add the following line to elasticsearch.yml:

opendistro_security.unsupported.restapi.allow_securityconfig_modification: true

Reserved and hidden resources

You can mark users, role, role mappings, and action groups as reserved. Resources that have this flag set to true can’t be changed using the REST API or Kibana.

To mark a resource as reserved, add the following flag:

kibana_user:
  reserved: true

Likewise, you can mark users, role, role mappings, and action groups as hidden. Resources that have this flag set to true are not returned by the REST API and not visible in Kibana:

kibana_user:
  hidden: true

Hidden resources are automatically reserved.

To add or remove these flags, you need to modify plugins/opendistro_security/securityconfig/internal_users.yml and run plugins/opendistro_security/tools/securityadmin.sh.


Account

Get account details

Returns account details for the current user. For example, if you sign the request as the admin user, the response includes details for that user.

Request

GET _opendistro/_security/api/account

Sample response

{
  "user_name": "admin",
  "is_reserved": true,
  "is_hidden": false,
  "is_internal_user": true,
  "user_requested_tenant": null,
  "backend_roles": [
    "admin"
  ],
  "custom_attribute_names": [],
  "tenants": {
    "global_tenant": true,
    "admin_tenant": true,
    "admin": true
  },
  "roles": [
    "all_access",
    "own_index"
  ]
}

Change password

Changes the password for the current user.

Request

PUT _opendistro/_security/api/account
{
    "current_password" : "old-password",
    "password" : "new-password"
}

Sample response

{
  "status": "OK",
  "message": "'test-user' updated."
}

Action groups

Get action group

Retrieves one action group.

Request

GET _opendistro/_security/api/actiongroups/<action-group>

Sample response

{
  "custom_action_group": {
    "reserved": false,
    "hidden": false,
    "allowed_actions": [
      "kibana_all_read",
      "indices:admin/aliases/get",
      "indices:admin/aliases/exists"
    ],
    "description": "My custom action group",
    "static": false
  }
}

Get action groups

Retrieves all action groups.

Request

GET _opendistro/_security/api/actiongroups/

Sample response

{
  "read": {
    "reserved": true,
    "hidden": false,
    "allowed_actions": [
      "indices:data/read*",
      "indices:admin/mappings/fields/get*"
    ],
    "type": "index",
    "description": "Allow all read operations",
    "static": true
  },
  ...
}

Delete action group

Request

DELETE _opendistro/_security/api/actiongroups/<action-group>

Sample response

{
  "status":"OK",
  "message":"actiongroup SEARCH deleted."
}

Create action group

Creates or replaces the specified action group.

Request

PUT _opendistro/_security/api/actiongroups/<action-group>
{
  "allowed_actions": [
    "indices:data/write/index*",
    "indices:data/write/update*",
    "indices:admin/mapping/put",
    "indices:data/write/bulk*",
    "read",
    "write"
  ]
}

Sample response

{
  "status": "CREATED",
  "message": "'my-action-group' created."
}

Patch action group

Updates individual attributes of an action group.

Request

PATCH _opendistro/_security/api/actiongroups/<action-group>
[
  {
    "op": "replace", "path": "/allowed_actions", "value": ["indices:admin/create", "indices:admin/mapping/put"]
  }
]

Sample response

{
  "status":"OK",
  "message":"actiongroup SEARCH deleted."
}

Patch action groups

Creates, updates, or deletes multiple action groups in a single call.

Request

PATCH _opendistro/_security/api/actiongroups
[
  {
    "op": "add", "path": "/CREATE_INDEX", "value": { "allowed_actions": ["indices:admin/create", "indices:admin/mapping/put"] }
  },
  {
    "op": "remove", "path": "/CRUD"
  }
]

Sample response

{
  "status":"OK",
  "message":"actiongroup SEARCH deleted."
}

Users

These calls let you create, update, and delete internal users. If you use an external authentication backend, you probably don’t need to worry about internal users.

Get user

Request

GET _opendistro/_security/api/internalusers/<username>

Sample response

{
  "kirk": {
    "hash": "",
    "roles": [ "captains", "starfleet" ],
    "attributes": {
       "attribute1": "value1",
       "attribute2": "value2",
    }
  }
}

Get users

Request

GET _opendistro/_security/api/internalusers/

Sample response

{
  "kirk": {
    "hash": "",
    "roles": [ "captains", "starfleet" ],
    "attributes": {
       "attribute1": "value1",
       "attribute2": "value2",
    }
  }
}

Delete user

Request

DELETE _opendistro/_security/api/internalusers/<username>

Sample response

{
  "status":"OK",
  "message":"user kirk deleted."
}

Create user

Creates or replaces the specified user. You must specify either password (plain text) or hash (the hashed user password). If you specify password, the security plugin automatically hashes the password before storing it.

Note that any role you supply in the opendistro_security_roles array must already exist for the security plugin to map the user to that role. To see predefined roles, refer to the list of predefined roles. For instructions on how to create a role, refer to creating a role.

Request

PUT _opendistro/_security/api/internalusers/<username>
{
  "password": "kirkpass",
  "opendistro_security_roles": ["maintenance_staff", "weapons"],
  "backend_roles": ["captains", "starfleet"],
  "attributes": {
    "attribute1": "value1",
    "attribute2": "value2"
  }
}

Sample response

{
  "status":"CREATED",
  "message":"User kirk created"
}

Patch user

Updates individual attributes of an internal user.

Request

PATCH _opendistro/_security/api/internalusers/<username>
[
  {
    "op": "replace", "path": "/backend_roles", "value": ["klingons"]
  },
  {
    "op": "replace", "path": "/opendistro_security_roles", "value": ["ship_manager"]
  },
  {
    "op": "replace", "path": "/attributes", "value": { "newattribute": "newvalue" }
  }
]

Sample response

{
  "status": "OK",
  "message": "'kirk' updated."
}

Patch users

Creates, updates, or deletes multiple internal users in a single call.

Request

PATCH _opendistro/_security/api/internalusers
[
  {
    "op": "add", "path": "/spock", "value": { "password": "testpassword1", "backend_roles": ["testrole1"] }
  },
  {
    "op": "add", "path": "/worf", "value": { "password": "testpassword2", "backend_roles": ["testrole2"] }
  },
  {
    "op": "remove", "path": "/riker"
  }
]

Sample response

{
  "status": "OK",
  "message": "Resource updated."
}

Roles

Get role

Retrieves one role.

Request

GET _opendistro/_security/api/roles/<role>

Sample response

{
  "test-role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster_composite_ops",
      "indices_monitor"
    ],
    "index_permissions": [{
      "index_patterns": [
        "movies*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "read"
      ]
    }],
    "tenant_permissions": [{
      "tenant_patterns": [
        "human_resources"
      ],
      "allowed_actions": [
        "kibana_all_read"
      ]
    }],
    "static": false
  }
}

Get roles

Retrieves all roles.

Request

GET _opendistro/_security/api/roles/

Sample response

{
  "manage_snapshots": {
    "reserved": true,
    "hidden": false,
    "description": "Provide the minimum permissions for managing snapshots",
    "cluster_permissions": [
      "manage_snapshots"
    ],
    "index_permissions": [{
      "index_patterns": [
        "*"
      ],
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "indices:data/write/index",
        "indices:admin/create"
      ]
    }],
    "tenant_permissions": [],
    "static": true
  },
  ...
}

Delete role

Request

DELETE _opendistro/_security/api/roles/<role>

Sample response

{
  "status":"OK",
  "message":"role test-role deleted."
}

Create role

Creates or replaces the specified role.

Request

PUT _opendistro/_security/api/roles/<role>
{
  "cluster_permissions": [
    "cluster_composite_ops",
    "indices_monitor"
  ],
  "index_permissions": [{
    "index_patterns": [
      "movies*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "read"
    ]
  }],
  "tenant_permissions": [{
    "tenant_patterns": [
      "human_resources"
    ],
    "allowed_actions": [
      "kibana_all_read"
    ]
  }]
}

Sample response

{
  "status": "OK",
  "message": "'test-role' updated."
}

Patch role

Updates individual attributes of a role.

Request

PATCH _opendistro/_security/api/roles/<role>
[
  {
    "op": "replace", "path": "/index_permissions/0/fls", "value": ["myfield1", "myfield2"]
  },
  {
    "op": "remove", "path": "/index_permissions/0/dls"
  }
]

Sample response

{
  "status": "OK",
  "message": "'<role>' updated."
}

Patch roles

Creates, updates, or deletes multiple roles in a single call.

Request

PATCH _opendistro/_security/api/roles
[
  {
    "op": "replace", "path": "/role1/index_permissions/0/fls", "value": ["test1", "test2"]
  },
  {
    "op": "remove", "path": "/role1/index_permissions/0/dls"
  },
  {
    "op": "add", "path": "/role2/cluster_permissions", "value": ["manage_snapshots"]
  }
]

Sample response

{
  "status": "OK",
  "message": "Resource updated."
}

Role mappings

Get role mapping

Retrieves one role mapping.

Request

GET _opendistro/_security/api/rolesmapping/<role>

Sample response

{
  "role_starfleet" : {
    "backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
    "hosts" : [ "*.starfleetintranet.com" ],
    "users" : [ "worf" ]
  }
}

Get role mappings

Retrieves all role mappings.

Request

GET _opendistro/_security/api/rolesmapping

Sample response

{
  "role_starfleet" : {
    "backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
    "hosts" : [ "*.starfleetintranet.com" ],
    "users" : [ "worf" ]
  }
}

Delete role mapping

Request

DELETE _opendistro/_security/api/rolesmapping/<role>

Sample response

{
  "status": "OK",
  "message": "'my-role' deleted."
}

Create role mapping

Creates or replaces the specified role mapping.

Request

PUT _opendistro/_security/api/rolesmapping/<role>
{
  "backend_roles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
  "hosts" : [ "*.starfleetintranet.com" ],
  "users" : [ "worf" ]
}

Sample response

{
  "status": "CREATED",
  "message": "'my-role' created."
}

Patch role mapping

Updates individual attributes of a role mapping.

Request

PATCH _opendistro/_security/api/rolesmapping/<role>
[
  {
    "op": "replace", "path": "/users", "value": ["myuser"]
  },
  {
    "op": "replace", "path": "/backend_roles", "value": ["mybackendrole"]
  }
]

Sample response

{
  "status": "OK",
  "message": "'my-role' updated."
}

Patch role mappings

Creates or updates multiple role mappings in a single call.

Request

PATCH _opendistro/_security/api/rolesmapping
[
  {
    "op": "add", "path": "/human_resources", "value": { "users": ["user1"], "backend_roles": ["backendrole2"] }
  },
  {
    "op": "add", "path": "/finance", "value": { "users": ["user2"], "backend_roles": ["backendrole2"] }
  }
]

Sample response

{
  "status": "OK",
  "message": "Resource updated."
}

Tenants

Get tenant

Retrieves one tenant.

Request

GET _opendistro/_security/api/tenants/<tenant>

Sample response

{
  "human_resources": {
    "reserved": false,
    "hidden": false,
    "description": "A tenant for the human resources team.",
    "static": false
  }
}

Get tenants

Retrieves all tenants.

Request

GET _opendistro/_security/api/tenants/

Sample response

{
  "global_tenant": {
    "reserved": true,
    "hidden": false,
    "description": "Global tenant",
    "static": true
  },
  "human_resources": {
    "reserved": false,
    "hidden": false,
    "description": "A tenant for the human resources team.",
    "static": false
  }
}

Delete tenant

Request

DELETE _opendistro/_security/api/tenants/<tenant>

Sample response

{
  "status":"OK",
  "message":"tenant human_resources deleted."
}

Create tenant

Creates or replaces the specified tenant.

Request

PUT _opendistro/_security/api/tenants/<tenant>
{
  "description": "A tenant for the human resources team."
}

Sample response

{
  "status":"CREATED",
  "message":"tenant human_resources created"
}

Patch tenant

Add, delete, or modify a single tenant.

Request

PATCH _opendistro/_security/api/tenants/<tenant>
[
  {
    "op": "replace", "path": "/description", "value": "An updated description"
  }
]

Sample response

{
  "status": "OK",
  "message": "Resource updated."
}

Patch tenants

Add, delete, or modify multiple tenants in a single call.

Request

PATCH _opendistro/_security/api/tenants/
[
  {
    "op": "replace",
    "path": "/human_resources/description",
    "value": "An updated description"
  },
  {
    "op": "add",
    "path": "/another_tenant",
    "value": {
      "description": "Another description."
    }
  }
]

Sample response

{
  "status": "OK",
  "message": "Resource updated."
}

Configuration

Get configuration

Retrieves the current security plugin configuration in JSON format.

Request

GET _opendistro/_security/api/securityconfig

Update configuration

Creates or updates the existing configuration using the REST API. This operation can easily break your existing configuration, so we recommend using securityadmin.sh instead, which is far safer. See Access control for the API for how to enable this operation.

Request

PUT _opendistro/_security/api/securityconfig/config
{
  "dynamic": {
    "filtered_alias_mode": "warn",
    "disable_rest_auth": false,
    "disable_intertransport_auth": false,
    "respect_request_indices_options": false,
    "kibana": {
      "multitenancy_enabled": true,
      "server_username": "kibanaserver",
      "index": ".kibana"
    },
    "http": {
      "anonymous_auth_enabled": false
    },
    "authc": {
      "basic_internal_auth_domain": {
        "http_enabled": true,
        "transport_enabled": true,
        "order": 0,
        "http_authenticator": {
          "challenge": true,
          "type": "basic",
          "config": {}
        },
        "authentication_backend": {
          "type": "intern",
          "config": {}
        },
        "description": "Authenticate via HTTP Basic against internal users database"
      }
    },
    "auth_failure_listeners": {},
    "do_not_fail_on_forbidden": false,
    "multi_rolespan_enabled": true,
    "hosts_resolver_mode": "ip-only",
    "do_not_fail_on_forbidden_empty": false
  }
}

Sample response

{
  "status": "OK",
  "message": "'config' updated."
}

Patch configuration

Updates the existing configuration using the REST API. This operation can easily break your existing configuration, so we recommend using securityadmin.sh instead, which is far safer. See Access control for the API for how to enable this operation.

Request

PATCH _opendistro/_security/api/securityconfig
[
  {
    "op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
  }
]

Sample response

{
  "status": "OK",
  "message": "Resource updated."
}

Certificates

Get certificates

Retrieves the current security plugin configuration in JSON format.

Request

GET _opendistro/_security/api/securityconfig

Update configuration

Creates or updates the existing configuration using the REST API rather than securityadmin.sh. This operation can easily break your existing configuration, so we recommend using securityadmin.sh instead. See Access control for the API for how to enable this operation.

Request

PUT _opendistro/_security/api/securityconfig/config
{
  "dynamic": {
    "filtered_alias_mode": "warn",
    "disable_rest_auth": false,
    "disable_intertransport_auth": false,
    "respect_request_indices_options": false,
    "kibana": {
      "multitenancy_enabled": true,
      "server_username": "kibanaserver",
      "index": ".kibana"
    },
    "http": {
      "anonymous_auth_enabled": false
    },
    "authc": {
      "basic_internal_auth_domain": {
        "http_enabled": true,
        "transport_enabled": true,
        "order": 0,
        "http_authenticator": {
          "challenge": true,
          "type": "basic",
          "config": {}
        },
        "authentication_backend": {
          "type": "intern",
          "config": {}
        },
        "description": "Authenticate via HTTP Basic against internal users database"
      }
    },
    "auth_failure_listeners": {},
    "do_not_fail_on_forbidden": false,
    "multi_rolespan_enabled": true,
    "hosts_resolver_mode": "ip-only",
    "do_not_fail_on_forbidden_empty": false
  }
}

Sample response

{
  "status": "OK",
  "message": "'config' updated."
}

Patch configuration

Updates the existing configuration using the REST API rather than securityadmin.sh. This operation can easily break your existing configuration, so we recommend using securityadmin.sh instead. See Access control for the API for how to enable this operation.

Request

PATCH _opendistro/_security/api/securityconfig
[
  {
    "op": "replace", "path": "/config/dynamic/authc/basic_internal_auth_domain/transport_enabled", "value": "true"
  }
]

Sample response

{
  "status": "OK",
  "message": "Resource updated."
}

Cache

Flush cache

Flushes the security plugin user, authentication, and authorization cache.

Request

DELETE _opendistro/_security/api/cache

Sample response

{
  "status": "OK",
  "message": "Cache flushed successfully."
}

Health

Health check

Checks to see if the security plugin is up and running. If you operate your cluster behind a load balancer, this operation is useful for determining node health and doesn’t require a signed request.

Request

GET _opendistro/_security/health

Sample response

{
  "message": null,
  "mode": "strict",
  "status": "UP"
}