Add Cluster-level Privilege for Managing Snapshot/Restore #29725
Comments
Thanks for creating this issue. I've read the ES docs, but not seeing what I think we need: What I did find on search-guard (third party plugin) doc site makes sense to me:
It would be ideal to have a documented official Elastic doc/procedure in which we could create roles (via yaml files as shown above, etc.) as needed. On that note, similar to AWS IAM creds policy validator, it would be extremely helpful to have a method of determining all requisite creds for specific access/commands, etc. Thanks
Ran this by Elastic support and got the below validation / elastic API command and the reference to this issue. Hopefully the below saves others some time as it wasn't clear to me what specific creds and syntax were required for creating a snapshots user/role.
It would be very helpful to have requisite creds like the above documented in the ES snapshot/roles docs. Thanks!
In 6.7 (#35820) we have added a cluster-level privilege named See also:
Original comment by @skearns64:
In LINK REDACTED we greatly simplified the permissions model (woo!). The permission sets we now support are great, but there is one use-case that isn't well met: allowing an ops user to only create and manage backups.
In traditional IT, this is a fairly common role, where one or more individuals in the IT group will manage the backups/snapshot/restore across many different types of systems. In our case, we wouldn't want that user to have complete access to manage the cluster.
This issue proposes adding a new privilege: manage_snapshot (or manage_backup?), which would include create snapshot, delete repository, delete snapshot, get repository (we need to figure out why it's not under monitoring), get snapshot, put repository, restore snapshot, snapshot status (should be monitoring?), and verify repository.