Authentication, authorization, user management, API keys, roles, and SSL certificate operations for securing Elasticsearch clusters and controlling access to resources.
Create and manage users with authentication credentials and role assignments.
/**
* Create or update user
* @param params - User creation parameters
* @returns Promise with user creation result
*/
function putUser(params: {
/** Username */
username: Username;
/** User password (if using native realm) */
password?: Password;
/** User roles */
roles: string[];
/** Full name */
full_name?: string;
/** Email address */
email?: string;
/** User metadata */
metadata?: Record<string, any>;
/** Enabled status */
enabled?: boolean;
/** Password hash (alternative to password) */
password_hash?: string;
/** Refresh policy */
refresh?: Refresh;
}): Promise<TransportResult<SecurityPutUserResponse, unknown>>;
/**
* Get user information
* @param params - User retrieval parameters
* @returns Promise with user information
*/
function getUser(params?: {
/** Username or pattern */
username?: Username[];
/** With profile UID */
with_profile_uid?: boolean;
}): Promise<TransportResult<SecurityGetUserResponse, unknown>>;
/**
* Delete user
* @param params - User deletion parameters
* @returns Promise with deletion result
*/
function deleteUser(params: {
/** Username */
username: Username;
/** Refresh policy */
refresh?: Refresh;
}): Promise<TransportResult<SecurityDeleteUserResponse, unknown>>;
/**
* Enable user
* @param params - User enable parameters
* @returns Promise with enable result
*/
function enableUser(params: {
/** Username */
username: Username;
/** Refresh policy */
refresh?: Refresh;
}): Promise<TransportResult<SecurityEnableUserResponse, unknown>>;
/**
* Disable user
* @param params - User disable parameters
* @returns Promise with disable result
*/
function disableUser(params: {
/** Username */
username: Username;
/** Refresh policy */
refresh?: Refresh;
}): Promise<TransportResult<SecurityDisableUserResponse, unknown>>;
/**
* Change user password
* @param params - Password change parameters
* @returns Promise with password change result
*/
function changePassword(params: {
/** Username */
username?: Username;
/** New password */
password: Password;
/** Password hash */
password_hash?: string;
/** Refresh policy */
refresh?: Refresh;
}): Promise<TransportResult<SecurityChangePasswordResponse, unknown>>;
type Username = string;
type Password = string;
type Refresh = boolean | 'wait_for' | 'false' | 'true';Usage Examples:
// Create new user
await client.security.putUser({
username: "john_doe",
password: "secure_password123",
roles: ["kibana_admin", "monitoring_user"],
full_name: "John Doe",
email: "john.doe@company.com",
metadata: {
department: "engineering",
hire_date: "2024-01-15"
}
});
// Get user information
const user = await client.security.getUser({
username: ["john_doe"]
});
// Change user password
await client.security.changePassword({
username: "john_doe",
password: "new_secure_password456"
});
// Disable user temporarily
await client.security.disableUser({
username: "john_doe"
});Define and manage roles with specific privileges and permissions.
/**
* Create or update role
* @param params - Role creation parameters
* @returns Promise with role creation result
*/
function putRole(params: {
/** Role name */
name: Name;
/** Cluster privileges */
cluster?: ClusterPrivileges;
/** Index privileges */
indices?: SecurityIndicesPrivileges[];
/** Application privileges */
applications?: SecurityApplicationPrivileges[];
/** Run as privileges */
run_as?: string[];
/** Role metadata */
metadata?: Record<string, any>;
/** Global privileges */
global?: Record<string, any>;
/** Transient metadata */
transient_metadata?: Record<string, any>;
/** Remote indices privileges */
remote_indices?: SecurityRemoteIndicesPrivileges[];
/** Remote cluster privileges */
remote_cluster?: string[];
/** Restriction for role */
restriction?: SecurityRoleRestriction;
/** Description */
description?: string;
/** Refresh policy */
refresh?: Refresh;
}): Promise<TransportResult<SecurityPutRoleResponse, unknown>>;
/**
* Get role information
* @param params - Role retrieval parameters
* @returns Promise with role information
*/
function getRole(params?: {
/** Role name */
name?: Name[];
}): Promise<TransportResult<SecurityGetRoleResponse, unknown>>;
/**
* Delete role
* @param params - Role deletion parameters
* @returns Promise with deletion result
*/
function deleteRole(params: {
/** Role name */
name: Name;
/** Refresh policy */
refresh?: Refresh;
}): Promise<TransportResult<SecurityDeleteRoleResponse, unknown>>;
interface SecurityIndicesPrivileges {
/** Index names or patterns */
names: Indices;
/** Privileges */
privileges: IndexPrivileges;
/** Field security */
field_security?: SecurityFieldSecurity;
/** Document level security query */
query?: string | QueryDslQueryContainer;
/** Allow restricted indices */
allow_restricted_indices?: boolean;
}
interface SecurityApplicationPrivileges {
/** Application name */
application: string;
/** Privileges */
privileges: string[];
/** Resources */
resources: string[];
}
type ClusterPrivileges = string[];
type IndexPrivileges = string[];
type Indices = string | string[];
type Name = string;Usage Examples:
// Create custom role with specific privileges
await client.security.putRole({
name: "logs_analyst",
cluster: ["monitor", "manage_index_templates"],
indices: [
{
names: ["logs-*", "metrics-*"],
privileges: ["read", "view_index_metadata"],
field_security: {
grant: ["@timestamp", "message", "level", "service"],
except: ["sensitive_data"]
},
query: {
bool: {
must_not: {
term: { "level": "DEBUG" }
}
}
}
}
],
applications: [
{
application: "kibana-.kibana",
privileges: ["feature_logs.read"],
resources: ["space:default"]
}
]
});
// Get role details
const role = await client.security.getRole({
name: ["logs_analyst"]
});Create and manage API keys for programmatic access to Elasticsearch.
/**
* Create API key
* @param params - API key creation parameters
* @returns Promise with API key creation result
*/
function createApiKey(params?: {
/** API key name */
name?: Name;
/** Key expiration */
expiration?: Duration;
/** Role descriptors */
role_descriptors?: Record<string, SecurityRoleDescriptor>;
/** Metadata */
metadata?: Record<string, any>;
/** Refresh policy */
refresh?: Refresh;
}): Promise<TransportResult<SecurityCreateApiKeyResponse, unknown>>;
/**
* Get API key information
* @param params - API key retrieval parameters
* @returns Promise with API key information
*/
function getApiKey(params?: {
/** API key ID */
id?: Id;
/** API key name */
name?: Name;
/** Username */
username?: Username;
/** Realm name */
realm_name?: Name;
/** Owner flag */
owner?: boolean;
/** With limited by flag */
with_limited_by?: boolean;
/** Active only */
active_only?: boolean;
/** With profile UID */
with_profile_uid?: boolean;
}): Promise<TransportResult<SecurityGetApiKeyResponse, unknown>>;
/**
* Invalidate API key
* @param params - API key invalidation parameters
* @returns Promise with invalidation result
*/
function invalidateApiKey(params?: {
/** API key ID */
id?: Id;
/** API key IDs */
ids?: Id[];
/** API key name */
name?: Name;
/** Username */
username?: Username;
/** Realm name */
realm_name?: Name;
/** Owner flag */
owner?: boolean;
}): Promise<TransportResult<SecurityInvalidateApiKeyResponse, unknown>>;
/**
* Query API keys
* @param params - API key query parameters
* @returns Promise with query results
*/
function queryApiKeys(params?: {
/** Query DSL query */
query?: QueryDslQueryContainer;
/** Fields to aggregate */
aggregations?: Record<string, AggregationsAggregationContainer>;
/** Result from offset */
from?: number;
/** Result size */
size?: number;
/** Sort options */
sort?: SortCombinations[];
/** Search after */
search_after?: SortResults;
/** With limited by */
with_limited_by?: boolean;
/** With profile UID */
with_profile_uid?: boolean;
}): Promise<TransportResult<SecurityQueryApiKeysResponse, unknown>>;
interface SecurityCreateApiKeyResponse {
id: Id;
name: Name;
api_key: string;
encoded: string;
expiration?: number;
}
interface SecurityRoleDescriptor {
cluster?: ClusterPrivileges;
indices?: SecurityIndicesPrivileges[];
applications?: SecurityApplicationPrivileges[];
run_as?: string[];
metadata?: Record<string, any>;
transient_metadata?: Record<string, any>;
}
type Duration = string;
type Id = string;Usage Examples:
// Create API key with specific permissions
const apiKey = await client.security.createApiKey({
name: "monitoring-api-key",
expiration: "30d",
role_descriptors: {
monitoring_role: {
cluster: ["monitor"],
indices: [
{
names: ["metrics-*", "logs-*"],
privileges: ["read"]
}
]
}
},
metadata: {
purpose: "monitoring_dashboard",
created_by: "admin"
}
});
console.log(`API Key ID: ${apiKey.body.id}`);
console.log(`Encoded Key: ${apiKey.body.encoded}`);
// Query API keys
const apiKeys = await client.security.queryApiKeys({
query: {
bool: {
filter: [
{ range: { "creation_time": { gte: "now-30d" } } },
{ term: { "metadata.purpose": "monitoring_dashboard" } }
]
}
},
sort: [{ "creation_time": "desc" }],
size: 20
});
// Invalidate specific API key
await client.security.invalidateApiKey({
id: apiKey.body.id
});Manage service account tokens for service-to-service authentication.
/**
* Create service token
* @param params - Service token creation parameters
* @returns Promise with service token creation result
*/
function createServiceToken(params: {
/** Service namespace */
namespace: Namespace;
/** Service name */
service: ServiceName;
/** Token name */
name: Name;
/** Refresh policy */
refresh?: Refresh;
}): Promise<TransportResult<SecurityCreateServiceTokenResponse, unknown>>;
/**
* Get service credentials
* @param params - Service credentials parameters
* @returns Promise with service credentials
*/
function getServiceCredentials(params: {
/** Service namespace */
namespace: Namespace;
/** Service name */
service: ServiceName;
}): Promise<TransportResult<SecurityGetServiceCredentialsResponse, unknown>>;
/**
* Delete service token
* @param params - Service token deletion parameters
* @returns Promise with deletion result
*/
function deleteServiceToken(params: {
/** Service namespace */
namespace: Namespace;
/** Service name */
service: ServiceName;
/** Token name */
name: Name;
/** Refresh policy */
refresh?: Refresh;
}): Promise<TransportResult<SecurityDeleteServiceTokenResponse, unknown>>;
type Namespace = string;
type ServiceName = string;Usage Examples:
// Create service token
const serviceToken = await client.security.createServiceToken({
namespace: "elastic",
service: "kibana",
name: "token1"
});
// Get service credentials
const credentials = await client.security.getServiceCredentials({
namespace: "elastic",
service: "kibana"
});Map users from external realms to Elasticsearch roles.
/**
* Create role mapping
* @param params - Role mapping parameters
* @returns Promise with role mapping result
*/
function putRoleMapping(params: {
/** Mapping name */
name: Name;
/** Roles to assign */
roles: string[];
/** Role templates */
role_templates?: SecurityRoleTemplate[];
/** Mapping rules */
rules?: SecurityRoleMappingRule;
/** Enabled flag */
enabled?: boolean;
/** Metadata */
metadata?: Record<string, any>;
/** Refresh policy */
refresh?: Refresh;
}): Promise<TransportResult<SecurityPutRoleMappingResponse, unknown>>;
/**
* Get role mapping
* @param params - Role mapping retrieval parameters
* @returns Promise with role mapping information
*/
function getRoleMapping(params?: {
/** Mapping name */
name?: Name[];
}): Promise<TransportResult<SecurityGetRoleMappingResponse, unknown>>;
interface SecurityRoleTemplate {
template: SecurityRoleTemplateInlineScript;
format?: SecurityRoleTemplateFormat;
}
interface SecurityRoleMappingRule {
any?: SecurityRoleMappingRule[];
all?: SecurityRoleMappingRule[];
field?: Record<string, any>;
except?: SecurityRoleMappingRule;
}
type SecurityRoleTemplateFormat = 'string' | 'json';Usage Examples:
// Create role mapping for LDAP users
await client.security.putRoleMapping({
name: "ldap_admin_mapping",
roles: ["kibana_admin", "superuser"],
rules: {
all: [
{ field: { "realm.name": "ldap1" } },
{ field: { "groups": "cn=admins,dc=example,dc=com" } }
]
},
enabled: true,
metadata: {
version: 1,
source: "ldap_integration"
}
});Manage SSL certificates and TLS configuration.
/**
* Get SSL certificates
* @param params - Certificate retrieval parameters
* @returns Promise with certificate information
*/
function getSslCertificates(params?: {}): Promise<TransportResult<SecurityGetSslCertificatesResponse, unknown>>;
interface SecurityGetSslCertificatesResponse {
[key: string]: SecurityCertificate[];
}
interface SecurityCertificate {
path: string;
format: string;
alias?: string;
subject_dn: string;
serial_number: string;
has_private_key: boolean;
expiry: string;
}Usage Examples:
// Get SSL certificate information
const certificates = await client.security.getSslCertificates();
Object.entries(certificates.body).forEach(([node, certs]) => {
console.log(`Node: ${node}`);
certs.forEach(cert => {
console.log(` Certificate: ${cert.path}`);
console.log(` Subject: ${cert.subject_dn}`);
console.log(` Expires: ${cert.expiry}`);
});
});Check authentication status and user privileges.
/**
* Authenticate user
* @param params - Authentication parameters
* @returns Promise with authentication result
*/
function authenticate(params?: {}): Promise<TransportResult<SecurityAuthenticateResponse, unknown>>;
/**
* Check user privileges
* @param params - Privilege check parameters
* @returns Promise with privilege information
*/
function hasPrivileges(params?: {
/** User to check privileges for */
user?: Username;
/** Cluster privileges to check */
cluster?: ClusterPrivileges;
/** Index privileges to check */
index?: SecurityIndexPrivilegesCheck[];
/** Application privileges to check */
application?: SecurityApplicationPrivilegesCheck[];
}): Promise<TransportResult<SecurityHasPrivilegesResponse, unknown>>;
interface SecurityAuthenticateResponse {
username: string;
roles: string[];
full_name?: string;
email?: string;
metadata: Record<string, any>;
enabled: boolean;
authentication_realm: SecurityRealm;
lookup_realm: SecurityRealm;
authentication_type: string;
token?: SecurityTokenInfo;
}
interface SecurityIndexPrivilegesCheck {
names: Indices;
privileges: IndexPrivileges;
allow_restricted_indices?: boolean;
}
interface SecurityRealm {
name: string;
type: string;
}Usage Examples:
// Check current user authentication
const auth = await client.security.authenticate();
console.log(`Authenticated as: ${auth.body.username}`);
console.log(`Roles: ${auth.body.roles.join(', ')}`);
// Check specific privileges
const privileges = await client.security.hasPrivileges({
cluster: ["monitor", "manage_indices"],
index: [
{
names: ["logs-*"],
privileges: ["read", "write"]
}
]
});
if (privileges.body.has_all_requested) {
console.log("User has all required privileges");
} else {
console.log("Missing privileges:", privileges.body);
}interface SecurityFieldSecurity {
grant?: string[];
except?: string[];
}
interface QueryDslQueryContainer {
bool?: any;
term?: any;
range?: any;
// ... other query types
}
interface AggregationsAggregationContainer {
terms?: any;
date_histogram?: any;
// ... other aggregation types
}
interface SortCombinations {
[field: string]: 'asc' | 'desc' | { order: 'asc' | 'desc' };
}
type SortResults = any[];
interface SecurityRoleRestriction {
workflows?: string[];
}
interface SecurityRemoteIndicesPrivileges {
names: Indices;
privileges: IndexPrivileges;
clusters: string[];
field_security?: SecurityFieldSecurity;
query?: string | QueryDslQueryContainer;
allow_restricted_indices?: boolean;
}
interface SecurityRoleTemplateInlineScript {
source: string;
params?: Record<string, any>;
}
interface SecurityApplicationPrivilegesCheck {
application: string;
privileges: string[];
resources: string[];
}
interface SecurityTokenInfo {
name: string;
type: string;
}