This is an older version of Search Guard.
Roles mapping API
Used to retrieve, create, update and delete the mapping of users, backendroles and hosts to Search Guard roles.
Endpoint
/_searchguard/api/rolesmapping/{rolename}
Where rolename is the name of the role.
GET
Get a single role mapping
GET /_searchguard/api/rolesmapping/{rolename}
Retrieve a role mapping, specified by rolename, in JSON format.
GET /_searchguard/api/rolesmapping/sg_role_starfleet
{
  "sg_role_starfleet" : {
    "backendroles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
    "hosts" : [ "*.starfleetintranet.com" ],
    "users" : [ "worf" ]
  }
}
Get all role mappings
GET /_searchguard/api/rolesmapping
Returns all role mappings in JSON format.
DELETE
DELETE /_searchguard/api/rolesmapping/{rolename}
Deletes the role mapping specified by rolename. If successful, the call returns with status code 200 and a JSON success message.
DELETE /_searchguard/api/rolesmapping/sg_role_starfleet
{
  "status":"OK",
  "message":"rolesmapping sg_role_starfleet deleted."
}
PUT
PUT /_searchguard/api/rolesmapping/{rolename}
Replaces or creates the role mapping specified by rolename.
PUT /_searchguard/api/rolesmapping/sg_role_starfleet
{
  "backendroles" : [ "starfleet", "captains", "defectors", "cn=ldaprole,ou=groups,dc=example,dc=com" ],
  "hosts" : [ "*.starfleetintranet.com" ],
  "users" : [ "worf" ]
}
You need to specify at least one of backendroles, hosts or users.
If the call is successful, a JSON structure is returned, indicating whether the roles mapping was created or updated.
{
  "status":"OK",
  "message":"rolesmapping sg_role_starfleet created."
}
PATCH
The PATCH endpoint can be used to change individual attributes of a roles mapping, or to create, change and delete roles mappings in a bulk call. The PATCH endpoint expects a payload in JSON Patch format. Search Guard supports the complete JSON patch specification.
JSON patch specification: http://jsonpatch.com/
The PATCH endpoint is only available for Elasticsearch 6.4.0 and above.
Patch a roles mapping
PATCH /_searchguard/api/rolesmapping/{rolename}
Adds, deletes or changes one or more attributes of the roles mapping specified by rolename.
PATCH /_searchguard/api/rolesmapping/sg_human_resources
[
  {
    "op": "replace", "path": "/users", "value": ["myuser"]
  },
  {
    "op": "replace", "path": "/backendroles", "value": ["mybackendrole"]
  }
]
Bulk add, delete and change roles mappings
PATCH /_searchguard/api/rolesmapping
[
  {
    "op": "add", "path": "/sg_human_resources", "value": { "users": ["user1"], "backendroles": ["backendrole2"] }
  },
  {
    "op": "add", "path": "/sg_finance", "value": { "users": ["user2"], "backendroles": ["backendrole2"] }
  },
  {
    "op": "remove", "path": "/sg_management"
  }
]
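As an added example (not part of the Search Guard documentation or code): a Python dry run that applies the bulk PATCH body above to a copy of the current mappings and reports which role mappings would be created, removed or changed before the request is sent. It handles only the add, replace and remove operations on /rolename and /rolename/attribute paths. The sample state, the function names and the reuse of the PUT rule (at least one of backendroles, hosts or users) as a check on the patched result are assumptions of this example.

```python
import copy

ATTRS = ("backendroles", "hosts", "users")  # mapping attributes shown on this page

def apply_patch(mappings, ops):
    """Apply add/replace/remove ops (a subset of JSON Patch) to a copy of mappings."""
    result = copy.deepcopy(mappings)
    for op in ops:
        parts = op["path"].lstrip("/").split("/")
        if len(parts) not in (1, 2) or not parts[0]:
            raise ValueError(f"unsupported path: {op['path']}")
        parent = result if len(parts) == 1 else result[parts[0]]
        key = parts[-1]
        if op["op"] == "replace" and key not in parent:
            raise KeyError(f"replace target missing: {op['path']}")
        if op["op"] in ("add", "replace"):  # "add" overwrites an existing member
            parent[key] = copy.deepcopy(op["value"])
        elif op["op"] == "remove":
            del parent[key]
        else:
            raise ValueError(f"unsupported op: {op['op']}")
    return result

def review(before, ops):
    """Return (created, removed, changed, problems) without sending anything."""
    after = apply_patch(before, ops)
    created = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(r for r in set(before) & set(after) if before[r] != after[r])
    # Assumption: the PUT rule (one of backendroles/hosts/users) is checked on the result.
    problems = [f"{role}: needs at least one of backendroles, hosts or users"
                for role, m in sorted(after.items()) if not any(m.get(a) for a in ATTRS)]
    return created, removed, changed, problems

# Constructed sample; in practice the body returned by GET /_searchguard/api/rolesmapping.
SAMPLE_STATE = {
    "sg_management": {"users": ["kirk"]},
    "sg_human_resources": {"users": ["olduser"], "backendroles": ["hr"]},
}
# The bulk PATCH body from this page.
BULK_PATCH = [
    {"op": "add", "path": "/sg_human_resources", "value": {"users": ["user1"], "backendroles": ["backendrole2"]}},
    {"op": "add", "path": "/sg_finance", "value": {"users": ["user2"], "backendroles": ["backendrole2"]}},
    {"op": "remove", "path": "/sg_management"},
]

if __name__ == "__main__":
    created, removed, changed, problems = review(SAMPLE_STATE, BULK_PATCH)
    print("created:", created, "removed:", removed, "changed:", changed, "problems:", problems)
```

Note that the "add" on /sg_human_resources overwrites the existing mapping, so it appears under changed, not created.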