Configure operator privilegesedit
This feature is designed for indirect use by Elasticsearch Service, Elastic Cloud Enterprise, and Elastic Cloud on Kubernetes. Direct use is not supported.
Before you can use operator privileges, you must enable the feature on all nodes in the cluster and designate operator users.
Enable operator privilegesedit
In order to use the operator privileges feature, it must be enabled explicitly
on each node in the cluster. Add the following setting in each
elasticsearch.yml
file:
xpack.security.operator_privileges.enabled: true
If the node is already running before you make this change, you must restart the node for the feature to take effect.
The feature needs to be either enabled or disabled consistently across all nodes in a cluster. Otherwise, you can get inconsistent behaviour depending on which node first receives a request and which node executes it.
When operator privileges are enabled on a cluster,
specific functionalities are restricted and can
be executed only by users who have been explicitly designated as operator users.
If a regular user attempts to execute these functionalities (even if they have
the superuser
role), a security exception occurs.
Designate operator usersedit
Operator users are just normal Elasticsearch users with special rights to perform
operator-only functionalities. They are specified in an operator_users.yml
file, which is located in the config directory (as defined by the ES_PATH_CONF
environment variable). Similar to
other security config files, the
operator_users.yml
file is local to a node and does not apply globally to the
cluster. This means, in most cases, the same file should be distributed or
copied to all nodes in a cluster.
The operator_users.yml
file defines a set of criteria that an authenticating
user must match to be considered as an operator user. The following snippet
shows an example of such a file:
A fixed value of |
|
A list of user names allowed for operator users. This field is mandatory. |
|
The type of the authenticating realm allowed for operator users. The default
and only acceptable value is |
|
The authentication type allowed for operator users. The default and only
acceptable value is |
You must specify at least the usernames
field. If no other fields are
specified, their default values are used. All fields must be matched for a user
to be qualified as an operator user. You can also specify multiple groups of
criteria. This is currently not very useful since this feature does not yet
support other realms or authentication types.
There are also two implicit rules that affect which users are operator users:
- If the authenticating user runs as another user, neither of them are considered to be operator users.
- All Internal users are implicitly operator users.
After a user is designated as an operator user, they are still
subject to regular RBAC user authorization checks. That is to
say, in addition to specifying that a user is an operator user, you must also
grant them the necessary Elasticsearch roles to perform their tasks. Consequently, it is
entirely possible that an operator user can encounter an "access denied" error
and fail to perform certain actions due to RBAC check failures. In short, an
operator user is not automatically a superuser
.