Add Cluster-level Privilege for Managing Snapshot/Restore

[elasticmachine]

Original comment by @skearns64:

In LINK REDACTED we greatly simplified the permissions model (woo!). The permission sets we now support are great, but there is one use-case that isn't well met: allowing an ops user to only create and manage backups.

In traditional IT, this is a fairly common role, where one or more individuals in the IT group will manage the backups/snapshot/restore across many different types of systems. In our case, we wouldn't want that user to have complete access to manage the cluster.

This issue proposes adding a new privilege: manage_snapshot (or manage_backup?), which would include create snapshot, delete repository, delete snapshot, get repository (we need to figure out why it's not under monitoring), get snapshot, put repository, restore snapshot, snapshot status (should be monitoring?), and verify repository

[cmcconnell1]

Thanks for creating this issue.
We too want to define/create roles with as minimal access as possible.
In this case, specifically for automated snapshots only.

I've read the ES docs, but not seeing what I think we need:
ref: https://www.elastic.co/guide/en/x-pack/6.2/defining-roles.html
ref: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-roles.html

What I did find on search-guard (third party plugin) doc site makes sense to me:
ref: https://docs.search-guard.com/latest/snapshot-restore

Required permissions
A role definition in roles.yml which allows snapshot and restore operations on all indices looks like:

sg_snapshot_restore:
  cluster:
    - cluster:admin/repository/put
    - cluster:admin/repository/get
    - cluster:admin/snapshot/status
    - cluster:admin/snapshot/get
    - cluster:admin/snapshot/create
    - cluster:admin/snapshot/restore
    - cluster:admin/snapshot/delete
  indices:
    '*':
      '*':
        - indices:data/write/index
        - indices:admin/create

It would be ideal to have a documented official Elastic doc/procedure in which we could create roles (via yaml files as shown above, etc.) as needed.

On that note, similar to AWS IAM creds policy validator, it would be extremely helpful to have a method of determining all requisite cred's for specific access/commands, etc.

Thanks

[cmcconnell1]

Ran this by Elastic support and got the below validation / elastic API command and the reference to this issue.

Hopefully the below saves others some time as it wasn't clear to me what specific cred's and syntax were required for creating a snapshots user/role.

# create custom role allowing all creds/permissions for snapshots
POST /_xpack/security/role/manage_snapshots
{
  "cluster": [ "cluster:admin/repository/put","cluster:admin/repository/get","cluster:admin/snapshot/status","cluster:admin/snapshot/get","cluster:admin/snapshot/create","cluster:admin/snapshot/restore","cluster:admin/snapshot/delete"],
  "indices": [
    {
      "names": [ "*" ],
      "privileges": ["write","read","create"]
}
  ]
}

It would be very helpful to have requisite cred's like the above documented in the ES snapshot/roles docs.
I searched. but didn't find anything in the docs.

Thanks!

[albertzaharovits]

In 6.7 (#35820) we have added a cluster-level privilege named create_snapshot. In addition, we have also introduced a reserved role named snapshot_user. The cluster privilege grants permissions to create and view snapshots. The role packs together index privileges with the create_snapshot cluster privilege, such that the user can also view the indices it is snapshotting.

See also:
https://www.elastic.co/guide/en/elastic-stack-overview/current/built-in-roles.html
https://www.elastic.co/guide/en/elastic-stack-overview/current/security-privileges.html