Skip to content

Add ILM-specific security privileges#36493

Merged
talevy merged 3 commits intoelastic:masterfrom
talevy:ilm-manage
Dec 13, 2018
Merged

Add ILM-specific security privileges#36493
talevy merged 3 commits intoelastic:masterfrom
talevy:ilm-manage

Conversation

@talevy
Copy link
Copy Markdown
Contributor

@talevy talevy commented Dec 11, 2018
edited
Loading

adds ILM-specific security privileges to fine-tune control of how users set and retrieve
ILM data.

Cluster Privileges:

  • manage_ilm: permissions for all cluster:admin/ilm/* actions
  • read_ilm: permissions for getting ILM Status, and Policies

Index Privileges:

  • adds the Explain API to the view_index_metadata privilege

One thing to note is that the permissions of the user setting a policy are used when
running policy actions. This means that the user with manage_ilm permissions that
created the policy should also have manage index privileges on those indices being
managed with that policy.

@talevy talevy added WIP :Data Management/ILM+SLM DO NOT USE. Use ":StorageEngine/ILM" or ":Distributed Coordination/SLM" instead. labels Dec 11, 2018
@elasticmachine
Copy link
Copy Markdown
Collaborator

elasticmachine commented Dec 11, 2018

Pinging @elastic/es-core-features

@talevy talevy force-pushed the ilm-manage branch 2 times, most recently from 38199f8 to 7b4c0d5 Compare December 11, 2018 21:26
@talevy
add read_ilm cluster privilege
6cae7e5 
Although managing ILM policies is best done using the
"manage" cluster privilege, it is useful to have read-only
views.

* adds `read_ilm` cluster privilege for viewing policies and status
* adds Explain API to the `view_index_metadata` index privilege
@talevy talevy changed the title add manage_ilm cluster privileges Add ILM-specific security privileges Dec 11, 2018
colings86
colings86 suggested changes Dec 12, 2018
View reviewed changes
Copy link
Copy Markdown
Contributor

@colings86 colings86 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whilst these changes are ok and the extra privileges may be useful what we need most is a manage_ilm privilege which grants access to the CRUD policy ILM APIs as well as the start and stop APIs (basically the ILM equivalent of the manage_ccr privilege). This enables users to grant e.g. the user that sets up Beats this manage_ilm privilege instead of having to grant it the cluster manage privilege which will give it more control of the cluster than it needs.

The user will also need to grant the user that sets up the policy index privileges so the policy can run with the permissions needed to execute all the actions but index privileges already exist to allow this to do done.

@talevy talevy removed the WIP label Dec 13, 2018
@talevy
Copy link
Copy Markdown
Contributor Author

talevy commented Dec 13, 2018

thanks @colings86, I've updated. I think Docs can be done in separate PRs against ES and the Stack Docs repos.

@talevy talevy requested a review from colings86 December 13, 2018 06:55
@talevy talevy merged commit e3cf642 into elastic:master Dec 13, 2018
@talevy talevy deleted the ilm-manage branch December 13, 2018 16:11
talevy added a commit that referenced this pull request Dec 13, 2018
@talevy
Add ILM-specific security privileges (#36493)
89469aa 
* add read_ilm cluster privilege

Although managing ILM policies is best done using the
"manage" cluster privilege, it is useful to have read-only
views.

* adds `read_ilm` cluster privilege for viewing policies and status
* adds Explain API to the `view_index_metadata` index privilege

* add manage_ilm privileges
@talevy talevy mentioned this pull request Dec 13, 2018
Closed
jasontedor added a commit to jasontedor/elasticsearch that referenced this pull request Dec 13, 2018
@jasontedor
Merge remote-tracking branch 'elastic/master' into ccr-logstash-template
b7a26c7 
* elastic/master:
  Remove deprecated `useDisMax` from MultiMatchQuery (elastic#36488)
  HLRC: Add get users action (elastic#36332)
  fix MultiValuesSourceFieldConfig toXContent (elastic#36525)
  Add ILM-specific security privileges (elastic#36493)
  Remove usages of `MockTcpTransport` from zen tests (elastic#36579)
This was referenced Dec 18, 2018
Merged
Merged
Merged
talevy added a commit to elastic/kibana that referenced this pull request Dec 20, 2018
@talevy
Add ILM privileges (#27461)
88aa143 
This commit adds the `manage_ilm`, `read_ilm` cluster
privileges, and the `manage_ilm` index privilege.

these were introduced into ES by:
elastic/elasticsearch#36493
talevy added a commit to elastic/kibana that referenced this pull request Dec 20, 2018
@talevy
Add ILM privileges (#27461)
c7dacec 
This commit adds the `manage_ilm`, `read_ilm` cluster
privileges, and the `manage_ilm` index privilege.

these were introduced into ES by:
elastic/elasticsearch#36493
@inqueue inqueue mentioned this pull request May 7, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@colings86 colings86 colings86 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

:Data Management/ILM+SLM DO NOT USE. Use ":StorageEngine/ILM" or ":Distributed Coordination/SLM" instead.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@talevy @elasticmachine @colings86