Concept Flow - Role-based access control
User sends request
Check user role
Match role permissions
Allow or deny access
Return response
The system checks the user's role, matches permissions, then allows or denies access accordingly.
0
0
Role-based access control in Elasticsearch - Step-by-Step Execution
Execution Sample
Elasticsearch
POST /_security/role/my_role
{
"indices": [
{
"names": ["logs-*"],
"privileges": ["read"]
}
]
}Defines a role 'my_role' with read access to indices matching 'logs-*'.
Execution Table
| Step | Action | Input/Condition | Result | Next Step |
|---|---|---|---|---|
| 1 | Receive request | User requests access to 'logs-2024' | Request received | Check user role |
| 2 | Check user role | User has role 'my_role' | Role found: 'my_role' | Match role permissions |
| 3 | Match role permissions | Role 'my_role' allows read on 'logs-*' | Permission matches request | Allow or deny access |
| 4 | Allow or deny access | Permission allows read | Access granted | Return response |
| 5 | Return response | Access granted | Response sent: 200 OK | End |
💡 Access granted because user role permissions match the requested action.
Variable Tracker
| Variable | Start | After Step 2 | After Step 3 | Final |
|---|---|---|---|---|
| user_role | undefined | 'my_role' | 'my_role' | 'my_role' |
| requested_action | undefined | 'read logs-2024' | 'read logs-2024' | 'read logs-2024' |
| permission_match | false | false | true | true |
| access_granted | false | false | false | true |
Key Moments - 2 Insights
Why does the system check the user role before permissions?
Because permissions are linked to roles, the system must first identify the user's role to know which permissions to check, as shown in step 2 of the execution table.
What happens if the requested action does not match role permissions?
The system denies access and does not proceed to allow access, stopping the flow before step 4, as the permission_match would be false.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is the user_role value after step 2?
💡 Hint
Check the variable_tracker table under 'user_role' after Step 2.
At which step does the system confirm permission matches the requested action?
💡 Hint
Look at the 'Match role permissions' action in the execution_table.
If the user role did not have read permission, what would happen at step 4?
💡 Hint
Refer to the key moment about permission mismatch and the execution flow at step 4.
Concept Snapshot
Role-based access control (RBAC) in Elasticsearch: - Define roles with specific permissions. - Assign roles to users. - When a user requests access, Elasticsearch checks the user's role. - Permissions linked to the role determine if access is allowed. - Access is granted or denied based on matching permissions.
Full Transcript
Role-based access control in Elasticsearch works by checking the user's role when a request is made. The system looks up the role assigned to the user, then checks if the role's permissions allow the requested action. If permissions match, access is granted; otherwise, it is denied. This process ensures users only access what their roles permit.