Version: 7.x-36.0.0

This is a technical preview. Technical preview features are not fully supported, may not be functionally complete, and are not suitable for deployment in production. We encourage you to try them out and provide your feedback, good and bad, on the Search Guard forum. This will help us improve and add any features you might be missing.

Permissions

Access control to the Signals API is governed by Search Guard roles. Signals ships with action groups you can use to grant access to the Signals APIs.

Watch APIs

Action group name Description
SGS_SIGNALS_ALL Grants access to all Watch APIs
SGS_SIGNALS_WATCH_MANAGE Grants permission to manage watches. Includes create, read, write and delete operations, and execute, activate/deactivate and acknowledging watches.
SGS_SIGNALS_WATCH_READ Grants read-only access to all Watch APIs. Includes retrieving watches and search for watches, and excludes everything else.
SGS_SIGNALS_WATCH_EXECUTE Grants permissions to manually execute watches using the REST API.
SGS_SIGNALS_WATCH_ACTIVATE Grants permissions to activate and deactivate watches.
SGS_SIGNALS_WATCH_ACKNOWLEDGE Grants permissions to acknowledge watches.

Applying Watch permissions to roles

Permissions for the Watch API are assigned to roles in the tenant_permissions section of the role definition.

If you do not use the Search Guard multi tenancy feature, permissions are assigned to the default SGS_GLOBAL_TENANT.

sg_signals_manager:
  cluster_permissions:
    ...
  index_permissions:
    ...
  tenant_permissions:
    - tenant_patterns:
        - 'SGS_GLOBAL_TENANT'
      allowed_actions:
        - 'SGS_SIGNALS_WATCH_MANAGE'

If you are using multi tenancy, API permissions can also be configured per tenant:

sg_signals_multitenancy:
  cluster_permissions:
    ...
  index_permissions:
    ...
  tenant_permissions:
    - tenant_patterns:
        - 'tenant_1'
      allowed_actions:
        - 'SGS_SIGNALS_WATCH_MANAGE'
    - tenant_patterns:
        - 'tenant_2'
      allowed_actions:
        - 'SGS_SIGNALS_READ'

In the example above, a user with the sg_signals_multitenancy role has manage permissions for watches in tenant_1, and read only permissions for watches in tenant_2.

Account APIs

Accounts are managed globally, so permissions are assigned to Search Guard roles in the cluster_permissions section. Signals ships with the following action groups:

Action group name Description
SGS_SIGNALS_ACCOUNT_MANAGE Grants access to all Account APIs. Allows reading, searching, creating, updating and deleting accounts.
SGS_SIGNALS_ALL Equivalent to SGS_SIGNALS_ACCOUNT_MANAGE
SGS_SIGNALS_ACCOUNT_READ Grants read-only access to the Account APIs.

Applying Account permissions to roles

sg_account_manager:
  cluster_permissions:
    - SGS_SIGNALS_ACCOUNT_MANAGE
    - SGS_CLUSTER_COMPOSITE
  index_permissions:
    ...
  tenant_permissions:
    ...

Not what you were looking for? Try the search.