ReadonlyREST API Documentation

damianelena · May 19, 2025, 3:22pm

Hi everyone,

I’m building an external management service for our Elasticsearch clusters using the ReadonlyREST Enterprise plugin (v1.60) on ES 8.6.2. Up until now we’ve been storing ROR groups, tenants and user bindings in MariaDB, but I’d like to simplify by querying ROR’s own REST API instead. I haven’t used the API yet, so I’m looking for guidance on how to:

List all existing entities (groups / tenants / users)
Retrieve a single group, tenant, or user by ID
Create a new group / tenant / user binding
Update an existing group / tenant / user
Delete any of the above
Fetch the full combined config

For each operation, could someone share:

HTTP method & path
Authentication requirements
Sample request body
Sample response body

My goal is to use ROR’s REST interface as the single source of truth—no more dual writes to MariaDB. Any pointers to official docs, code snippets, or example cURL/HTTPie commands would be hugely appreciated.

Thanks in advance!

coutoPL · May 19, 2025, 6:16pm

Hi @damianelena

It seems you are looking for this:

There is a link to OpenAPI where you can find examples too.

damianelena · May 20, 2025, 2:33pm

I’m trying to use the ReadonlyREST Enterprise REST API (as documented in the Swagger UI at api.beshu.tech) to fetch user–tenant mappings, but my GET /api/ror/user/tenants curl returns 404/401 errors—likely due to a path or auth mismatch. The official documentation confirms an authenticated Enterprise API for security settings but doesn’t list individual CRUD endpoints beyond the PUT config call. Even the GitHub docs repo lacks any /groups or /users endpoints descriptions. I need help nailing down the correct path, parameters, headers, and base URL.

What I’ve tried:
curl --location ‘https://my-kibana-domain/api/ror/user/tenants’
–header ‘Authorization: Basic ’

I tried adding kbn-xsrf: true, and calling /_readonlyrest/api/… on the ES — none succeeded.

Any pointers to official docs, known issues, or code snippets would be hugely appreciated!

Thank you!

coutoPL · May 20, 2025, 5:58pm

The API doesn’t have separate endpoints for managing groups or users because it’s ACL-based. Unlike RBAC, our ACL blocks aren’t necessarily tied to specific users or groups. That might change in the future, but so far none of our enterprise users have asked for it.

As for the curl you showed — the 401 error happened because no basic auth credentials were passed. Try something like:

curl -u ${USER}:${PASS} 'https://my-kibana-domain/api/ror/user/tenants'

Just make sure that ${USER} is actually authorized in the current ACL config. That means ES has to be started with an admin user already set up in the ROR ACL.

You can also use the API interactively via SwaggerUI, which is embedded in Kibana when ROR is installed. Go to “Edit security settings” → “API” tab. Pick an endpoint, click “Try it out”, fill in any required data, and hit “Execute”. See the video.

If you want a quick way to test things (when, e.g. you don’t have an ES+KBN+ROR cluster already bootstrapped), the ROR Sandbox might help — it runs a full setup in Docker.