[DOCS] Adds read_ccr and manage_ccr privileges #149
Conversation
| @@ -62,6 +65,9 @@ who created or updated them. | |||
|
|
|||
| -- | |||
|
|
|||
| `read_ccr`:: | |||
| TBD | |||
There was a problem hiding this comment.
Roughly: This is a cluster privilege needed on a cluster holding leader indices to grant permissions to the user to read what indices are in the cluster, read leader index metadata, and check that the user has the appropriate privileges to follow leader indices (@martijnvg double check me here please).
There was a problem hiding this comment.
Thanks, @jasontedor , I've drafted descriptions for these.
| @@ -29,6 +29,9 @@ This includes snapshotting, updating settings, and rerouting. It also includes | |||
| obtaining snapshot and restore status. This privilege does not include the | |||
| ability to manage security. | |||
|
|
|||
| `manage_ccr`:: | |||
| TBD | |||
There was a problem hiding this comment.
Roughly: This is cluster privilege needed on a cluster holding following indices to grant permissions to manage following indices (e.g., pause, and resume) and manage auto-follow patterns (@martijnvg double check me here please).
| @@ -82,6 +92,10 @@ All `monitor` privileges plus index administration (aliases, analyze, cache clea | |||
| close, delete, exists, flush, mapping, open, force merge, refresh, settings, | |||
| search shards, templates, validate). | |||
|
|
|||
| `manage_follow_index`:: | |||
| All actions that are required to manage a follower index, which includes pausing | |||
There was a problem hiding this comment.
s/pausing and resuming/creating follow index, closing the index and unfollow the index.
Not that for pause and resume start the follow tasks and then read changes from leader shards and write changes into follower shards. For this write level index privilege is needed in follower index and read privilege is needed in leader index. The manage_ccr cluster level privilege is needed to start and stop shard follow tasks as part of resume and stop respectively.
There was a problem hiding this comment.
I would highlight that this is an index privilege required in the following cluster only, giving the ability on the index level to manage the lifecycle of follow indices.
There was a problem hiding this comment.
@martijnvg Other X-Pack API reference pages have an "Authorization" section in them, so I've drafted that content in elastic/elasticsearch#35557 based on your comments here. If it's useful, I can add that section to the other CCR API pages too.
| @@ -62,6 +67,11 @@ who created or updated them. | |||
|
|
|||
| -- | |||
|
|
|||
| `read_ccr`:: | |||
| All read only {ccr} operations, such as getting information about indices and | |||
There was a problem hiding this comment.
I would highlight that this cluster level privilege only needs to be configured in the leader cluster.
There was a problem hiding this comment.
Thanks, I've added that info in this PR.
| @@ -29,6 +29,11 @@ This includes snapshotting, updating settings, and rerouting. It also includes | |||
| obtaining snapshot and restore status. This privilege does not include the | |||
| ability to manage security. | |||
|
|
|||
| `manage_ccr`:: | |||
| All {ccr} operations related to managing follower indices and auto-follow | |||
There was a problem hiding this comment.
I would highlight that this cluster level privilege only needs to be configured in the follower cluster.
There was a problem hiding this comment.
Thanks, I've added that info too!
|
Backported to 6.x and 6.5 via 31bf97c |
Related to elastic/elasticsearch#35434
This PR documents the new read_ccr and manage_ccr cluster privileges.