Understanding and Implementing Roles.yml in Elasticsearch

By Opster Team

Updated: Nov 7, 2023

Overview

Elasticsearch provides a robust security model to manage how users interact with the data. One of the key components of this security model is the `roles.yml` file. This file is used to define roles and their associated permissions in Elasticsearch. In this article, we will delve into the details of `roles.yml`, its structure, and how to effectively implement it.

When to leverage roles.yml?

There are multiple ways to manage roles in Elasticsearch. The most user-friendly option is to use Kibana and access the role management UI through the “Stack Management / Security / Roles” menu. Another option to manage roles dynamically is to leverage the role management API.

The above two options allow you to manage user roles dynamically on a running cluster. There might still be valid reasons why you also need to manage roles through the physical `roles.yml` file located on each node of your cluster. For instance, you might want certain roles with elevated administrative privileges to be configurable only by superusers who have physical access to your nodes. For this case, and this one only, you should consider configuring the `roles.yml` file.

If the same role name is configured in the `roles.yml` file and through the role management UI or API, the definition in the file takes precedence over the one created through the UI or API. Also, roles that are defined in the `roles.yml` file cannot be edited or deleted through the UI or API. Finally, if you are running a multi-node cluster, you’ll need to apply the same changes to the `roles.yml` file on every node in order for the changes to take effect.

Now that you know in which circumstances the `roles.yml` file should and should not be used, let’s proceed with how to define roles through the `roles.yml` file.

Structure of roles.yml

The `roles.yml` file is a YAML file that contains definitions of roles and their associated permissions. Each role is defined by a name and a set of permissions. The permissions are grouped into `cluster`, `indices`, and `run_as` permissions.

Here is a basic structure of a role in `roles.yml`:

role_name:
  cluster: ["permission1", "permission2"]
  indices:
    - names: ["index1", "index2"]
      privileges: ["privilege1", "privilege2"]
  run_as: ["user1", "user2"]

In this structure, `role_name` is the name of the role, `cluster` is a list of cluster-level permissions, `indices` is a list of index-level permissions, and `run_as` is a list of users that the role can impersonate.

Implementing roles.yml

To implement `roles.yml`, you need to follow these steps:

1. Define the roles: Start by defining the roles and their associated permissions in the `roles.yml` file. Make sure to follow the structure outlined above and restart Elasticsearch when roles have been defined.

2. Assign the roles to users: Once the roles are defined and Elasticsearch has been restarted, you can assign them to users. This can be done in the `users_roles` file or through the `bin/elasticsearch-users` command-line utility. Moreover, it is also possible to assign file-based roles through the role management UI or API.

3. Reload the users: Elasticsearch scans the `users` and `users_roles` files for changes every five seconds, so the new assignments take effect without a restart.

Here is an example of how to implement `roles.yml`:

# roles.yml
admin:
  cluster: ["all"]
  indices:
    - names: ["*"]
      privileges: ["all"]
  run_as: ["*"]

user:
  cluster: ["monitor"]
  indices:
    - names: ["user_index"]
      privileges: ["read", "write"]
  run_as: []

In this example, we have defined two roles: `admin` and `user`. The `admin` role has all permissions on the cluster and all indices, and can impersonate any user. The `user` role, on the other hand, has `monitor` permission on the cluster and `read` and `write` permissions on the `user_index` index, and cannot impersonate any user.

After the roles have been defined, we can now assign them to users. Let’s say our `users` file contains a user named `john`. In order to assign the `admin` role to `john`, we can either modify the `users_roles` file directly or use the `bin/elasticsearch-users` command-line utility. Open the `users_roles` file and simply add a mapping between the user name and the role name, as shown below:

# users_roles file
john:admin

If you prefer to go through the command-line utility, you can simply issue the following command that adds the `admin` role to the user `john`:

$> bin/elasticsearch-users roles john -a admin

You can also resort to the user management API and use the following command to add the `admin` role to the user `john`:

PUT /_security/user/john
{
  "roles" : [ "admin" ]
}

Best Practices

When working with `roles.yml`, it’s important to follow best practices to ensure the security and integrity of your Elasticsearch cluster:

  • Least Privilege Principle: Assign the least amount of privileges necessary for a role to perform its function. This minimizes the potential damage in case of a security breach.
  • Regular Audits: Regularly audit your `roles.yml` file to ensure that the roles and permissions are up-to-date and relevant.
  • Secure the roles.yml file: Make sure that the `roles.yml` file is securely stored and only accessible by authorized personnel.
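To make the “Least Privilege” and “Regular Audits” points repeatable, here is an added audit script (example code, not Opster’s or Elastic’s) that parses the article’s `roles.yml` example above and flags the broad grants an auditor should have to justify: `all` on the cluster, `all` on every index, and `run_as: ["*"]`. The `parse_roles_yml` helper is an assumption of this example and handles only the flow-style subset shown in this article; for real files use PyYAML’s `yaml.safe_load` instead, and the embedded `ROLES_YML` is the article’s own sample.

```python
import json

ROLES_YML = """\
admin:
  cluster: ["all"]
  indices:
    - names: ["*"]
      privileges: ["all"]
  run_as: ["*"]
user:
  cluster: ["monitor"]
  indices:
    - names: ["user_index"]
      privileges: ["read", "write"]
  run_as: []
"""

def parse_roles_yml(text):
    """Parse the article's roles.yml subset (flow-style lists only); not a full YAML parser."""
    roles, role, entry = {}, None, None
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()          # drop comments and surrounding space
        if not body:
            continue
        if not raw[0].isspace():                     # unindented line: a new role name
            role = roles.setdefault(body.rstrip(":"), {"cluster": [], "indices": [], "run_as": []})
            continue
        if body.startswith("- "):                    # "- names: [...]" opens an indices entry
            role["indices"].append(entry := {})
            body = body[2:]
        key, _, value = body.partition(":")
        if key == "indices":
            continue                                 # its entries follow on "- names" lines
        target = entry if key in ("names", "privileges") else role
        target[key] = json.loads(value) if value.strip() else []   # ["a", "b"] is valid JSON
    return roles

def audit_roles(roles):
    """Return (role, finding) pairs for grants that least privilege says to justify."""
    findings = []
    for name, role in roles.items():
        if "all" in role["cluster"]:
            findings.append((name, "cluster privilege 'all'"))
        for idx in role["indices"]:
            if "*" in idx.get("names", []) and "all" in idx.get("privileges", []):
                findings.append((name, "privilege 'all' on every index"))
        if "*" in role["run_as"]:
            findings.append((name, "run_as '*' allows impersonating any user"))
    return findings
```

Run `audit_roles(parse_roles_yml(open("roles.yml").read()))` against a node’s actual file as part of the regular audit; on the article’s sample it reports three findings for `admin` and none for `user`.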

Conclusion

In conclusion, the `roles.yml` file is a powerful tool in managing user permissions in Elasticsearch. By understanding its structure and how to implement it, you can effectively manage the security of your Elasticsearch cluster. The `roles.yml` file should only be modified by admin users having elevated access privileges on your nodes in order to manage administrative-level roles. For any other use cases, you should prefer going through the role management UI or API.