Update Search Guard users/roles/groups

cf. https://github.com/floragunncom/search-guard/tree/master/sgconfig

elasticsearch/config/sg/sg_action_groups.yml

+UNLIMITED:
+  readonly: true
+  permissions:
+    - "*"
+
+###### INDEX LEVEL ######
+
+INDICES_ALL:
+  readonly: true
+  permissions:
+    - "indices:*"
+
+# for backward compatibility
 ALL:
-  - "indices:*"
+  readonly: true
+  permissions:
+    - INDICES_ALL
+
 MANAGE:
-  - "indices:monitor/*"
-  - "indices:admin/*"
+  readonly: true
+  permissions:
+    - "indices:monitor/*"
+    - "indices:admin/*"
+
 CREATE_INDEX:
-  - "indices:admin/create"
-  - "indices:admin/mapping/put"
+  readonly: true
+  permissions:
+    - "indices:admin/create"
+    - "indices:admin/mapping/put"
+
 MANAGE_ALIASES:
-  - "indices:admin/aliases*"
+  readonly: true
+  permissions:
+    - "indices:admin/aliases*"
+
+# for backward compatibility
 MONITOR:
-  - "indices:monitor/*"
+  readonly: true
+  permissions:
+    - INDICES_MONITOR
+
+INDICES_MONITOR:
+  readonly: true
+  permissions:
+    - "indices:monitor/*"
+
 DATA_ACCESS:
-  - "indices:data/*"
-  - "indices:admin/mapping/put"
+  readonly: true
+  permissions:
+    - "indices:data/*"
+    - CRUD
+
 WRITE:
-  - "indices:data/write*"
-  - "indices:admin/mapping/put"
+  readonly: true
+  permissions:
+    - "indices:data/write*"
+    - "indices:admin/mapping/put"
+
 READ:
-  - "indices:data/read*"
+  readonly: true
+  permissions:
+    - "indices:data/read*"
+    - "indices:admin/mappings/fields/get*"
+
 DELETE:
-  - "indices:data/write/delete*"
+  readonly: true
+  permissions:
+    - "indices:data/write/delete*"
+
 CRUD:
-  - READ
-  - WRITE
+  readonly: true
+  permissions:
+    - READ
+    - WRITE
+
 SEARCH:
-  - "indices:data/read/search*"
-  - "indices:data/read/msearch*"
-  - SUGGEST
+  readonly: true
+  permissions:
+    - "indices:data/read/search*"
+    - "indices:data/read/msearch*"
+    - SUGGEST
+
 SUGGEST:
-  - "indices:data/read/suggest*"
+  readonly: true
+  permissions:
+    - "indices:data/read/suggest*"
+
 INDEX:
-  - "indices:data/write/index*"
-  - "indices:data/write/update*"
-  - "indices:admin/mapping/put"
-  # no bulk index
+  readonly: true
+  permissions:
+    - "indices:data/write/index*"
+    - "indices:data/write/update*"
+    - "indices:admin/mapping/put"
+    - "indices:data/write/bulk*"
+
 GET:
-  - "indices:data/read/get*"
-  - "indices:data/read/mget*"
+  readonly: true
+  permissions:
+    - "indices:data/read/get*"
+    - "indices:data/read/mget*"
+
+###### CLUSTER LEVEL ######
 
-# CLUSTER
 CLUSTER_ALL:
-  - cluster:*
+  readonly: true
+  permissions:
+    - "cluster:*"
+
 CLUSTER_MONITOR:
-  - cluster:monitor/*
+  readonly: true
+  permissions:
+    - "cluster:monitor/*"
+
 CLUSTER_COMPOSITE_OPS_RO:
-  - "indices:data/read/mget"
-  - "indices:data/read/msearch"
-  - "indices:data/read/mtv"
-  - "indices:data/read/coordinate-msearch*"
-  - "indices:admin/aliases/exists*"
-  - "indices:admin/aliases/get*"
+  readonly: true
+  permissions:
+    - "indices:data/read/mget"
+    - "indices:data/read/msearch"
+    - "indices:data/read/mtv"
+    - "indices:data/read/coordinate-msearch*"
+    - "indices:admin/aliases/exists*"
+    - "indices:admin/aliases/get*"
+    - "indices:data/read/scroll"
+
 CLUSTER_COMPOSITE_OPS:
-  - "indices:data/write/bulk"
-  - "indices:admin/aliases*"
-  - CLUSTER_COMPOSITE_OPS_RO
- 
\ No newline at end of file
+  readonly: true
+  permissions:
+    - "indices:data/write/bulk"
+    - "indices:admin/aliases*"
+    - CLUSTER_COMPOSITE_OPS_RO
+
+MANAGE_SNAPSHOTS:
+  readonly: true
+  permissions:
+    - "cluster:admin/snapshot/*"
+    - "cluster:admin/repository/*"

elasticsearch/config/sg/sg_internal_users.yml

+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+#password is: admin
 admin:
+  readonly: true
   hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG
-  #password is: admin
+  roles:
+    - admin
+
+#password is: logstash
 logstash:
+  readonly: true
   hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2
-  #password is: logstash
+  roles:
+    - logstash
+
+#password is: kibanaserver
 kibanaserver:
+  readonly: true
   hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
-  #password is: kibanaserver
+
+#password is: kibanaro
 kibanaro:
+  readonly: true
   hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC
-  #password is: kibanaro
+  roles:
+    - kibanauser
+    - readall
+
+#password is: readall
+readall:
+  hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2
+  #password is: readall
+  roles:
+    - readall
+
+#password is: snapshotrestore
+snapshotrestore:
+  hash: $2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W
+  roles:
+    - snapshotrestore

elasticsearch/config/sg/sg_roles.yml

+# Allows everything, but no changes to searchguard configuration index
 sg_all_access:
+  readonly: true
   cluster:
-    - '*'
+    - UNLIMITED
   indices:
     '*':
       '*':
-        - '*'
+        - UNLIMITED
+  tenants:
+    admin_tenant: RW
 
-sg_kibana:
+# Read all, but no write permissions
+sg_readall:
+  readonly: true
   cluster:
     - CLUSTER_COMPOSITE_OPS_RO
+  indices:
+    '*':
+      '*':
+        - READ
+
+# Read all and monitor, but no write permissions
+sg_readall_and_monitor:
+  cluster:
     - CLUSTER_MONITOR
+    - CLUSTER_COMPOSITE_OPS_RO
   indices:
     '*':
       '*':
         - READ
-        - indices:admin/mappings/fields/get*
+
+# For users which use kibana, access to indices must be granted separately
+sg_kibana_user:
+  readonly: true
+  cluster:
+    - MONITOR
+    - CLUSTER_COMPOSITE_OPS_RO
+  indices:
     '?kibana':
       '*':
+        - MANAGE
+        - INDEX
         - READ
-        - WRITE
-        - 'indices:admin/mappings/fields/get*'
-        - 'indices:admin/refresh*'
+        - DELETE
+    '*':
+      '*':
+        - indices:data/read/field_caps
 
+# For the kibana server
 sg_kibana_server:
+  readonly: true
   cluster:
       - CLUSTER_MONITOR
       - CLUSTER_COMPOSITE_OPS
+      - cluster:admin/xpack/monitoring*
+      - indices:admin/template*
   indices:
     '?kibana':
       '*':
-        - ALL
+        - INDICES_ALL
+    '?reporting*':
+      '*':
+        - INDICES_ALL
+    '?monitoring*':
+      '*':
+        - INDICES_ALL
 
+# For logstash and beats
 sg_logstash:
+  readonly: true
   cluster:
-    - indices:admin/template/get
-    - indices:admin/template/put
     - CLUSTER_MONITOR
     - CLUSTER_COMPOSITE_OPS
+    - indices:admin/template/get
+    - indices:admin/template/put
   indices:
     'logstash-*':
       '*':
         - CRUD
         - CREATE_INDEX
+    '*beat*':
+      '*':
+        - CRUD
+        - CREATE_INDEX
+
+# Allows adding and modifying repositories and creating and restoring snapshots
+sg_manage_snapshots:
+  readonly: true
+  cluster:
+    - MANAGE_SNAPSHOTS
+  indices:
+    '*':
+      '*':
+        - "indices:data/write/index"
+        - "indices:admin/create"
+
+# Allows each user to access own named index
+sg_own_index:
+  cluster:
+    - CLUSTER_COMPOSITE_OPS
+  indices:
+    '${user_name}':
+      '*':
+        - INDICES_ALL

elasticsearch/config/sg/sg_roles_mapping.yml

+# In this file users, backendroles and hosts can be mapped to Search Guard roles.
+# Permissions for Search Guard roles are configured in sg_roles.yml
+
+sg_all_access:
+  readonly: true
+  backendroles:
+    - admin
+
 sg_logstash:
-  users:
+  backendroles:
     - logstash
 
 sg_kibana_server:
+  readonly: true
   users:
     - kibanaserver
 
-sg_kibana:
-  users:
-    - kibanaro
+sg_kibana_user:
+  backendroles:
+    - kibanauser
 
-sg_all_access:
+sg_readall:
+  readonly: true
+  backendroles:
+    - readall
+
+sg_manage_snapshots:
+  readonly: true
+  backendroles:
+    - snapshotrestore
+
+sg_own_index:
   users:
-    - admin
+    - '*'