User authorization

Once the user has been successfully authenticated, the authorization process kicks in. Authorization determines whether the user behind the request has enough permissions to execute a particular request.

In X-Pack security, secured resources are the foundation of user-based security. A secured resource is a resource, such as an index, document, or field, to which access is controlled when performing Elasticsearch cluster operations. X-Pack security enables authorization by assigning permissions to roles, which are in turn assigned to users. A permission is one or more privileges against a secured resource. A privilege is a named group representing one or more actions that a user may execute against a secured resource. A user can have one or more roles, and the total set of permissions that a user has is defined as the union of the permissions in all of their roles, as shown in the following diagram:

The X-Pack security module provides three types of privileges:

  • Cluster privileges: Cluster privileges provide privileges for performing various operations on the cluster:
    • all: Allows you to execute cluster administration operations, such as updating settings, rerouting, and managing users and roles
    • monitor: Allows you to execute all cluster read-only operations, such as fetching cluster health, cluster state, nodes' state, and more, for monitoring purposes
    • manage: Allows you to perform cluster operations that can update the cluster, such as rerouting and updating cluster settings
  • Index privileges: Index privileges provide privileges for performing various operations on indexes:
    • all: Allows you to execute any operation on an index
    • read: Allows you to execute read-only operations on an index, such as invoking search, get, suggest, and many more APIs
    • create_index: This privilege allows you to create a new index
    • create: This privilege allows you to index new documents into an index
  • Run As privilege: This provides the ability to perform user impersonation; that is, it allows an authenticated user to test out another user's access rights without knowing their credentials.
A complete list of all the privileges can be obtained at https://www.elastic.co/guide/en/elastic-stack-overview/7.0/security-privileges.html.
  • Node/client authentication and channel encryption: By encrypting the communication, X-Pack security prevents network-based attacks. It provides you with the ability to encrypt traffic to and from the Elasticsearch cluster to outside applications, as well as encrypt the communication between nodes in the cluster. To prevent unintended nodes from joining the cluster, you can configure the nodes to authenticate as they join the cluster using SSL certificates. X-Pack security IP filtering can prevent unintended application clients, node clients, or transport clients from joining the cluster.
  • Auditing: Auditing allows you to capture suspicious activity in your cluster. You can enable auditing to keep track of security-related events, such as authentication failures and refused connections. Logging these events allows you to monitor the cluster for suspicious activity and provides evidence in the event of an attack.
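
The union rule from the user authorization discussion above can be modeled in a few lines. This is an added example, not code from the book or from Elasticsearch: the role names, index names, and the user alice are constructed, and the privilege coverage tables are a simplified assumption limited to the privileges named in this section.

```python
from fnmatch import fnmatchcase

# What each privilege named in this section covers (simplified assumption;
# Elasticsearch defines many more privileges than these).
CLUSTER = {"all": {"all", "manage", "monitor"}, "manage": {"manage", "monitor"}}
INDEX = {"all": {"all", "read", "create_index", "create"}}

# Constructed sample roles, shaped like Elasticsearch role definitions.
ROLES = {
    "logs_reader": {"cluster": ["monitor"],
                    "indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    "logs_writer": {"indices": [{"names": ["logs-app-*"],
                                 "privileges": ["create_index", "create"]}]},
    "support": {"run_as": ["alice"]},
}

def _defs(role_names):
    # Unknown role names grant nothing (default deny).
    return [ROLES[name] for name in role_names if name in ROLES]

def effective_cluster_privileges(role_names):
    granted = set()
    for role in _defs(role_names):
        for priv in role.get("cluster", []):
            granted |= CLUSTER.get(priv, {priv})
    return granted

def effective_index_privileges(role_names, index):
    # Union over every role entry whose name pattern matches the index.
    granted = set()
    for role in _defs(role_names):
        for entry in role.get("indices", []):
            if any(fnmatchcase(index, pat) for pat in entry["names"]):
                for priv in entry["privileges"]:
                    granted |= INDEX.get(priv, {priv})
    return granted

def can_run_as(role_names, target_user):
    return any(fnmatchcase(target_user, pat)
               for role in _defs(role_names) for pat in role.get("run_as", []))

if __name__ == "__main__":
    user_roles = ["logs_reader", "logs_writer"]
    for idx in ("logs-app-2019.05", "logs-db-2019.05", "payroll"):
        print(idx, sorted(effective_index_privileges(user_roles, idx)))
```

Running the same calculation over every user and index pattern is a quick way to spot a user whose combined roles grant more than any single role was meant to.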