
User and role management


EraSearch has role-based access control (RBAC) to let you manage users, roles, and permissions. This page gives a high-level overview of EraSearch's RBAC approach.

The content below is for users looking for conceptual information about EraSearch RBAC. Follow these links if you're ready to start working with RBAC now:

Note

As of May 2022, EraSearch on EraCloud offers RBAC only for EraCloud-specific features. Future EraCloud versions will support RBAC for all database features. To see what EraCloud RBAC offers now, visit the RBAC in EraCloud section.

RBAC overview

In EraSearch's RBAC approach:

  • Actors are assigned to roles.
  • Roles have one or more permissions.
  • Actors gain permissions by being part of roles.

The diagram below shows an example of how EraSearch RBAC works in practice.

In this example, there are two actors: a user and an API key. The user has two roles: Admin user and Limited writer. Through those roles, the user has the permissions to manage security across the database and write data to specific indexes.

The API key has one role – Limited writer – which lets the tool or agent using the API key write to specific indexes.

EraSearch RBAC overview diagram

RBAC terms

Now that you have a high-level view, here are some more formal definitions of EraSearch's RBAC terms.

actor

There are two kinds of actors in EraSearch: users and API keys. An RBAC user is someone whose identity has been authenticated by a third party. In EraSearch, users can have zero or more roles.

Tools and agents that cannot prove their identity (for example, Telegraf and Logstash) use API keys to work with EraSearch. API keys can have zero or one role.

permission

A permission is something you can do in EraSearch, and it's defined by its resource, action, and scope. EraSearch uses this syntax to express permissions: resource:action:scope.

Resource is the level at which a permission acts. EraSearch has two resources: index and database. Actors with index resource permissions can do things in one or more specific indexes. Actors with database resource permissions can do things impacting the entire database.

Actions map to specific endpoints in the EraSearch API. For the index resource, the available actions are read, write, and delete. For the database resource, the available actions are manage security and monitor.

Scopes are for index resource permissions only, and they limit where actors can do things. For example:

  • This permission lets actors write to all indexes: index:write:*.
  • This permission lets actors write to indexes starting with finance-: index:write:finance-*.

role

A role has one permission or a set of permissions, and roles are assigned to actors. Users with manage security permissions can create custom roles with one or more permissions.

How permissions map to endpoints

The table below lists permissions and how they map to EraSearch's API endpoints:

Index resource, Read action

  • GET /_alias
  • GET /_alias/{:aliases}
  • GET /_all/_alias
  • GET /_all/_aliases
  • GET /_cat/indices
  • GET /_cat/indices/{:index}
  • GET /_msearch
  • GET /_search/scroll
  • GET /{:index}/_alias
  • GET /{:index}/_aliases
  • GET /{:index}/_count
  • GET /{:index}/_flush
  • GET /{:index}/_mapping
  • GET /{:index}/_msearch
  • GET /{:index}/_search
  • GET /{:index}/_search/scroll
  • GET /{:index}/_settings
  • GET /{:index}/_stats
  • GET /{:index}/_stats/{:stats}
  • GET /{:index}/{:type}/_count
  • GET /{:index}/{:type}/_search
  • HEAD /_alias/{:aliases}
  • HEAD /_template/{:index}
  • HEAD /{:index}
  • POST /_msearch
  • POST /_search/scroll
  • POST /{:index}/_count
  • POST /{:index}/_msearch
  • POST /{:index}/_search
  • POST /{:index}/_search/scroll
  • POST /{:index}/{:type}/_count
  • POST /{:index}/{:type}/_search
  • GET /_license
  • GET /_xpack

Index resource, Write action

  • POST /_aliases
  • POST /_bulk
  • POST /{:index}/_bulk
  • POST /{:index}/_flush
  • PUT /_template/{:index}
  • PUT /{:index}
  • PUT /{:index}/_mapping
  • GET /_license
  • GET /_xpack

Index resource, Delete action

  • DELETE /{:index}

Database resource, Manage security action

  • GET /api_keys
  • POST /api_keys
  • DELETE /api_keys/{id}
  • GET /role_mappings
  • POST /role_mappings
  • PUT /role_mappings
  • GET /roles
  • POST /roles
  • DELETE /roles/{roleId}
  • GET /roles/{roleId}
  • PUT /roles/{roleId}

Database resource, Monitor action

  • GET /_cat/nodes
  • GET /_cluster/health/*
  • GET /_cluster/settings
  • GET /_cluster/state/metadata/*
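The permission syntax and scope rules in the RBAC terms section, and the endpoint table above, as an added example that is not EraSearch's own code: a small Python authorizer that parses resource:action:scope permissions, collects an actor's effective permissions through its roles (users hold zero or more roles, API keys zero or one), maps a request method and path to the permission it requires using a subset of the table, and denies by default. Everything in it is assumed rather than taken from the product: the class and function names, the spellings manage_security and monitor for the two database actions, the role and index names, and that a scope glob matches an index name the way a shell pattern would. Routes whose index names travel in the request body (such as POST /_bulk) are left out, because the path alone cannot identify the scope to check.

```python
"""Toy authorizer for the EraSearch-style RBAC model described on this page.
Added example, not EraSearch code: names, action spellings and sample data are assumed."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# Actions the page lists per resource (two-word actions spelled with an underscore: assumption).
INDEX_ACTIONS = {"read", "write", "delete"}
DATABASE_ACTIONS = {"manage_security", "monitor"}


@dataclass(frozen=True)
class Permission:
    """One resource:action[:scope] permission. Scope is an index-name glob and
    exists only for the index resource; database permissions carry no scope."""
    resource: str
    action: str
    scope: Optional[str] = None

    @classmethod
    def parse(cls, text: str) -> "Permission":
        parts = text.split(":")
        if len(parts) == 3 and parts[0] == "index" and parts[1] in INDEX_ACTIONS:
            return cls("index", parts[1], parts[2])
        if len(parts) == 2 and parts[0] == "database" and parts[1] in DATABASE_ACTIONS:
            return cls("database", parts[1])
        raise ValueError(f"malformed permission: {text!r}")

    def allows(self, resource: str, action: str, index: Optional[str]) -> bool:
        if self.resource != resource or self.action != action:
            return False
        if self.resource == "database":
            return True
        # Index permissions are limited by scope: match the concrete index name
        # against the glob case-sensitively, with no normalisation.
        return index is not None and fnmatchcase(index, self.scope)


@dataclass(frozen=True)
class User:
    roles: Tuple[str, ...]          # zero or more roles


@dataclass(frozen=True)
class ApiKey:
    role: Optional[str] = None      # zero or one role


def _template_to_regex(template: str) -> "re.Pattern[str]":
    """Anchored regex for a path template from the table. {:index} is captured so it
    can serve as the scope to check; other {:placeholders} and a trailing * are not."""
    out = []
    for seg in template.strip("/").split("/"):
        if seg == "{:index}":
            out.append("(?P<index>[^/]+)")
        elif seg.startswith("{:") and seg.endswith("}"):
            out.append("[^/]+")
        elif seg == "*":
            out.append(".*")
        else:
            out.append(re.escape(seg))
    return re.compile("^/" + "/".join(out) + "$")


# Subset of the endpoint table; literal paths precede templated ones so the first
# match wins unambiguously. Body-scoped routes (e.g. POST /_bulk) are omitted.
ROUTES = [(m, _template_to_regex(t), r, a) for (m, t, r, a) in [
    ("GET",    "/_cat/indices",          "index",    "read"),
    ("GET",    "/_cat/indices/{:index}", "index",    "read"),
    ("GET",    "/_cat/nodes",            "database", "monitor"),
    ("GET",    "/_cluster/health/*",     "database", "monitor"),
    ("GET",    "/roles",                 "database", "manage_security"),
    ("POST",   "/roles",                 "database", "manage_security"),
    ("DELETE", "/roles/{:roleId}",       "database", "manage_security"),
    ("POST",   "/api_keys",              "database", "manage_security"),
    ("GET",    "/{:index}/_search",      "index",    "read"),
    ("POST",   "/{:index}/_search",      "index",    "read"),
    ("GET",    "/{:index}/_count",       "index",    "read"),
    ("POST",   "/{:index}/_bulk",        "index",    "write"),
    ("PUT",    "/{:index}/_mapping",     "index",    "write"),
    ("PUT",    "/{:index}",              "index",    "write"),
    ("DELETE", "/{:index}",              "index",    "delete"),
]]


def required_permission(method: str, path: str):
    """Resolve a request to (resource, action, index-or-None); None if no route matches."""
    for route_method, pattern, resource, action in ROUTES:
        if route_method != method:
            continue
        match = pattern.match(path)
        if match:
            return resource, action, match.groupdict().get("index")
    return None


def effective_permissions(actor, roles):
    """Union of the permissions of every role the actor holds. Unknown role names
    contribute nothing rather than failing open."""
    names = actor.roles if isinstance(actor, User) else ((actor.role,) if actor.role else ())
    return {Permission.parse(p) for n in names for p in roles.get(n, ())}


def authorize(actor, roles, method: str, path: str) -> bool:
    """Default deny: an unmatched route or an actor with no matching permission fails."""
    req = required_permission(method, path)
    if req is None:
        return False
    resource, action, index = req
    return any(p.allows(resource, action, index) for p in effective_permissions(actor, roles))


# Constructed sample data mirroring the page's diagram: a user with two roles, an API key with one.
ROLES = {"Admin user": ["database:manage_security"], "Limited writer": ["index:write:finance-*"]}
USER = User(roles=("Admin user", "Limited writer"))
API_KEY = ApiKey(role="Limited writer")

if __name__ == "__main__":
    for actor, method, path in [(USER, "POST", "/finance-2022/_bulk"), (API_KEY, "POST", "/hr-2022/_bulk"),
                                (API_KEY, "GET", "/finance-2022/_search"), (API_KEY, "POST", "/roles")]:
        print(type(actor).__name__, method, path, "->", authorize(actor, ROLES, method, path))
```

Two design points worth noting. Scope matching is exact and case-sensitive, so index:write:finance-* does not cover Finance-2022, and a write permission never implies read or delete on the same index, matching the page's separate actions. Unknown routes and unknown role names both resolve to "no permission", so a gap in the route table fails closed rather than open.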

RBAC in EraCloud

RBAC in EraCloud lets you manage users, roles, and permissions for EraCloud-specific features. You can use it to do the following:

  • Add users to EraCloud accounts.
  • Create and change EraCloud roles, and assign roles to users.
  • Remove users from EraCloud accounts.

Note

The current EraCloud version supports RBAC for EraCloud-specific features only. Future versions will support RBAC for the other database features mentioned on this page.

Accessing RBAC in EraCloud

You need the read:org or write:org permission to view EraCloud's RBAC features.

To get to those features, go to your EraCloud account and click the cog icon. The Settings page has two tabs for RBAC:

  • Users - Use this tab to view, invite, update, and remove EraCloud users.
  • Roles - Use this tab to create, edit, and delete EraCloud roles.

EraCloud roles and default roles

EraCloud has four default roles: admin, contributor, owner, and viewer. Every role lets users view data in EraCloud's search and alerting features. Some roles have extra permissions for managing users, roles, and EraCloud accounts.

Users can have only one role at a time. If the default roles don't meet your needs and you have the write:org permission, you can create custom roles in Settings > Roles.

Owner

✔ The owner role gives users all permissions.

The owner role lets users see data in EraCloud's search and alerting features. The role also comes with these permissions:

By default, EraCloud assigns the owner role to the account creator. EraCloud accounts can have several owners, and only owners can:

  • Add users to the owner role.
  • Remove users from the owner role.

Admin

✔ The admin role gives users nearly all permissions. This role is similar to the owner role.
✘ Users with the admin role can't close the EraCloud account or update billing information.

The admin role lets users see data in EraCloud's search and alerting features. The role also comes with these permissions:

The admin role doesn't include these permissions:

Users with the admin role also can't assign roles that include read:billing or write:billing.

Contributor

✔ The contributor role lets users access EraCloud and manage API keys.
✘ Users with the contributor role can't manage users or the EraCloud account.

The contributor role lets users see data in EraCloud's search and alerting features. The role also comes with this permission:

The contributor role doesn't include these permissions:

Viewer

✔ The viewer role lets users access EraCloud.
✘ Users with the viewer role can't manage users or the EraCloud account.

The viewer role lets users see data in EraCloud's search and alerting features. The role doesn't include these permissions:

EraCloud permissions

This section lists and defines EraCloud's RBAC permissions.

read:org

Users can view EraCloud users and roles.

write:org

Users with the write:org permission can do the following:

  • Invite new users to EraCloud.
  • Remove users from EraCloud.
  • Create, edit, and delete custom roles.
  • Assign users to roles.

write:api_key

Users can rotate the API key for authenticating with EraSearch.

read:billing

Users can view invoices and credit card information.

write:billing

Users can update the EraCloud account's credit card information.

Next

If you're using EraSearch on EraCloud, visit your EraCloud account and click the cog icon to start working with RBAC.

If you're using self-hosted EraSearch, visit these guides to set up and start working with RBAC:

For more background information on EraSearch's RBAC approach, visit these articles:


Last update: December 5, 2022