
Elasticsearch Authz
Create and tune Elasticsearch users, roles, and role mappings via the Security API during cluster operations.
Overview
Elasticsearch Authorization is an agent skill most often used in Operate (also Ship) that references Security API patterns for Elasticsearch users, roles, and role mappings.
Install
npx skills add https://github.com/elastic/agent-skills --skill elasticsearch-authz
What is this skill?
- Quick reference for Elasticsearch user, role, and role mapping APIs
- Documents PUT/POST /_security/user/{username} with password, roles, and metadata fields
- States manage_security cluster privilege requirement for user mutations
- Links to official Elastic API documentation for full request shapes
- Password rules: required on create, minimum six characters, or password_hash alternative
- New user passwords require at least 6 characters per documented rules
- User create/update uses PUT or POST /_security/user/{username}
Adoption & trust: 1.1k installs on skills.sh; 502 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are changing Elasticsearch access control and need the exact Security API endpoints, privileges, and request fields without misconfiguring production users.
Who is it for?
Indie operators and backend solo devs self-hosting or managing Elastic Cloud clusters who script or agent-drive RBAC changes.
Skip if: Builders with no Elasticsearch cluster yet who need a full authentication architecture course before any API calls.
When should I use this skill?
Implementing or changing Elasticsearch users, roles, or role mappings via the Security API in agent-assisted ops or backend work.
What do I get? / Deliverables
Your agent emits correct PUT/POST user payloads and privilege reminders aligned with Elastic’s documented Security API.
- Correct Security API request bodies for users and roles
- Privilege and field checklist aligned with Elastic docs links in the skill
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Operate infra because the skill documents day-two cluster security APIs for running Elasticsearch estates. Infra subphase matches native user CRUD, role definitions, and role mapping endpoints operators call after deployment.
Where it fits
Rotate a service account password and roles via PUT /_security/user after a leak.
Verify launch checklist includes least-privilege roles before exposing Kibana to customers.
Draft bootstrap scripts that create application users with the documented JSON shape.
How it compares
Elastic Security API cheat sheet for agents—not a full IAM product or generic OAuth implementation skill.
Common Questions / FAQ
Who is elasticsearch-authz for?
Solo builders and small ops teams maintaining Elasticsearch who want agent-accurate Security API calls for users, roles, and mappings.
When should I use elasticsearch-authz?
During Operate infra when provisioning or rotating native users, during Ship security reviews before launch, or whenever you automate role assignment against /_security endpoints.
Is elasticsearch-authz safe to install?
The skill encodes powerful cluster security operations; review the Security Audits panel on this Prism page, restrict agent access to production credentials, and test changes on non-production clusters first.
SKILL.md
# Elasticsearch Authorization API Reference

Quick reference for the user, role, and role mapping APIs. For full documentation, see the linked Elastic docs.

## Users — Create or Update

```text
PUT /_security/user/{username}
POST /_security/user/{username}
```

Create a new native user or update an existing one. [Full documentation](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-put-user)

### Required privileges

`manage_security` cluster privilege.

### Request body

```json
{
  "password": "X9k#mP2vL!qR7wZn",
  "roles": ["role-a", "role-b"],
  "full_name": "Jane Doe",
  "email": "jane@example.com",
  "enabled": true,
  "metadata": {}
}
```

| Field           | Type          | Description                                              |
| --------------- | ------------- | -------------------------------------------------------- |
| `password`      | string        | Required for new users; at least 6 characters            |
| `password_hash` | string        | Pre-hashed password (mutually exclusive with `password`) |
| `roles`         | array[string] | Roles to assign (required)                               |
| `full_name`     | string        | Display name                                             |
| `email`         | string        | Email address                                            |
| `enabled`       | boolean       | Active status (default: `true`)                          |
| `metadata`      | object        | Arbitrary metadata; keys with `_` prefix are reserved    |

### Response

| Field     | Type | Description                                    |
| --------- | ---- | ---------------------------------------------- |
| `created` | bool | `true` if new user; `false` if existing update |

## Users — Change Password

```text
POST /_security/user/{username}/_password
```

### Request body

```json
{
  "password": "new-strong-password"
}
```

## Users — Enable / Disable

```text
PUT /_security/user/{username}/_enable
PUT /_security/user/{username}/_disable
```

## Users — Get / Delete

```text
GET /_security/user/{username}
GET /_security/user
DELETE /_security/user/{username}
```

## Roles — Create or Update (Elasticsearch API)

```text
PUT /_security/role/{name}
POST /_security/role/{name}
```

Create or update a role. Default choice when the role only needs `cluster` and `indices` privileges. This API **cannot** set Kibana feature grants, space scoping, or base privileges — use the Kibana role API below when Kibana access is required. [Full documentation](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-put-role)

### Required privileges

`manage_security` cluster privilege.

### Request body

```json
{
  "description": "Logs Reader",
  "cluster": [],
  "indices": [
    {
      "names": ["index-pattern-*"],
      "privileges": ["read", "view_index_metadata"],
      "field_security": { "grant": ["field1", "field2"] },
      "query": "{\"term\": {\"department\": \"marketing\"}}"
    }
  ],
  "applications": [],
  "run_as": [],
  "metadata": {}
}
```

| Field                      | Type          | Description                                           |
| -------------------------- | ------------- | ----------------------------------------------------- |
| `description`              | string        | Short display name shown in Kibana UI                 |
| `cluster`                  | array[string] | Cluster privileges                                    |
| `indices`                  | array[object] | Index privilege entries                               |
| `indices[].names`          | array[string] | Index names or patterns                               |
| `indices[].privileges`     | array[string] | Named index privileges                                |
| `indices[].field_security` | object        | Field-level security grants and exceptions            |
| `indices[].query`          | string        | Document-level security query (Query DSL JSON st
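
A pre-flight check for the user request body in the "Users — Create or Update" section, as an added example (not part of the skill or of Elastic's code): it applies the rules from the field table before a body is sent to `PUT /_security/user/{username}`. The function name, the `creating` flag and the sample bodies are assumptions made for illustration.

```python
"""Pre-flight check for a PUT /_security/user/{username} body (added example)."""

MIN_PASSWORD_LEN = 6  # "at least 6 characters" per the field table


def validate_user_body(body, creating):
    """Return a list of problems; an empty list means the body passes.

    `creating` is True when the user does not exist yet (assumption: the
    caller has already checked with GET /_security/user/{username}).
    """
    problems = []

    has_pw, has_hash = "password" in body, "password_hash" in body
    if has_pw and has_hash:
        problems.append("password and password_hash are mutually exclusive")
    if creating and not (has_pw or has_hash):
        problems.append("new user needs password or password_hash")
    if has_pw:
        pw = body["password"]
        if not isinstance(pw, str) or len(pw) < MIN_PASSWORD_LEN:
            problems.append("password must be a string of at least 6 characters")

    roles = body.get("roles")
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        problems.append("roles is required and must be an array of strings")

    metadata = body.get("metadata", {})
    if not isinstance(metadata, dict):
        problems.append("metadata must be an object")
    else:
        # Keys starting with "_" are reserved, so reject them up front.
        reserved = sorted(k for k in metadata if k.startswith("_"))
        if reserved:
            problems.append(f"reserved metadata keys: {reserved}")

    if "enabled" in body and not isinstance(body["enabled"], bool):
        problems.append("enabled must be a boolean")
    return problems


# Constructed sample bodies (not from a real cluster).
GOOD = {"password": "X9k#mP2vL!qR7wZn", "roles": ["role-a"], "metadata": {"team": "ops"}}
BAD = {"password": "abc", "password_hash": "placeholder-hash", "metadata": {"_internal": 1}}

if __name__ == "__main__":
    print(validate_user_body(GOOD, creating=True))
    for problem in validate_user_body(BAD, creating=True):
        print("-", problem)
```
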