Merged
Changes from 3 commits
14 changes: 14 additions & 0 deletions docs/en/stack/security/authorization/privileges.asciidoc
Expand Up @@ -29,6 +29,11 @@ This includes snapshotting, updating settings, and rerouting. It also includes
obtaining snapshot and restore status. This privilege does not include the
ability to manage security.

`manage_ccr`::
All {ccr} operations related to managing follower indices and auto-follow
Member

I would highlight that this cluster level privilege only needs to be configured in the follower cluster.

Contributor Author

Thanks, I've added that info too!

patterns. It also includes the authority to grant the privileges necessary to
manage follower indices and auto-follow patterns.

`manage_index_templates`::
All operations on index templates.
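
Review bot: In the new `manage_ccr` entry, "the authority to grant the privileges necessary to manage follower indices and auto-follow patterns" does not say which privileges can be granted or to whom, so a reader assigning this cluster privilege cannot tell how far it reaches. Name the privileges it covers, and consider an explicit scope limit like the preceding entry's "This privilege does not include the ability to manage security."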

Expand Down Expand Up @@ -62,6 +67,11 @@ who created or updated them.

--

`read_ccr`::
All read only {ccr} operations, such as getting information about indices and
Member

I would highlight that this cluster level privilege only needs to be configured in the leader cluster.

Contributor Author

Thanks, I've added that info in this PR.

metadata for leader indices in the cluster. It also includes the authority to
check whether users have the appropriate privileges to follow leader indices.

`transport_client`::
All privileges necessary for a transport client to connect. Required by the remote
cluster to enable <<cross-cluster-configuring,Cross Cluster Search>>.
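
Review bot: In the `read_ccr` entry, "check whether users have the appropriate privileges to follow leader indices" leaves open whether the check applies only to the caller or to any user; state which, since that determines what authorization information the privilege exposes. Also, "in the cluster" does not say which cluster is meant, and "read only" should be hyphenated to match "Read-only access" in the `view_index_metadata` entry further down the file.
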
Expand All @@ -82,6 +92,10 @@ All `monitor` privileges plus index administration (aliases, analyze, cache clea
close, delete, exists, flush, mapping, open, force merge, refresh, settings,
search shards, templates, validate).

`manage_follow_index`::
All actions that are required to manage a follower index, which includes pausing
Member

s/pausing and resuming/creating follow index, closing the index and unfollow the index.

Note that pause and resume start the follow tasks and then read changes from leader shards and write changes into follower shards. For this, write level index privilege is needed in the follower index and read privilege is needed in the leader index. The manage_ccr cluster level privilege is needed to start and stop shard follow tasks as part of resume and stop respectively.

Member

I would highlight that this is an index privilege required in the following cluster only, giving the ability on the index level to manage the lifecycle of follow indices.

Contributor Author

@martijnvg Other X-Pack API reference pages have an "Authorization" section in them, so I've drafted that content in elastic/elasticsearch#35557 based on your comments here. If it's useful, I can add that section to the other CCR API pages too.

Member

👍 thanks!

and resuming {ccr}.

`view_index_metadata`::
Read-only access to index metadata (aliases, aliases exists, get index, exists, field mappings,
mappings, search shards, type exists, validate, warmers, settings). This
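
Review bot: The `manage_follow_index` entry says "All actions that are required to manage a follower index" but names only pausing and resuming, while the entries on either side list their covered actions in parentheses. Enumerate the actions the same way so that someone assigning this index privilege knows exactly what it permits, and say on which index it must be granted. The description also says "follower index" where the privilege name says "follow index"; use one term in the text.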