From 756cc757d54ff63a76ff411c191d741535637670 Mon Sep 17 00:00:00 2001 From: Lee Hinman Date: Tue, 25 Jun 2019 16:14:11 -0600 Subject: [PATCH 1/2] Add a note mentioning the privileges needed for SLM This adds a note to the top of the "getting started with SLM" documentation mentioning that there are two built-in privileges to assist with creating roles for SLM users and administrators. Relates to #38461 --- .../ilm/getting-started-slm.asciidoc | 47 ++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/docs/reference/ilm/getting-started-slm.asciidoc b/docs/reference/ilm/getting-started-slm.asciidoc index d76164de56fc6..eee6d1ce2b7ea 100644 --- a/docs/reference/ilm/getting-started-slm.asciidoc +++ b/docs/reference/ilm/getting-started-slm.asciidoc 
@@ -8,6 +8,51 @@ hands-on scenario. The goal of this example is to automatically back up {es} indices using the <> every day at a particular time. +[float] +[[slm-and-security]] +=== Security and SLM +Before starting, it's important to understand the privileges that are needed +when configuring SLM if you are using the security plugin. There are two +built-in cluster privileges that can be used to assist: `manage_slm` and +`read_slm`. + +An example of configuring an administrator role for SLM follows: + +[source,js] +----------------------------------- +POST /_security/role/slm-admin +{ + "cluster": ["manage_slm", "create_snapshot"], + "indices": [ + { + "names": [".slm-history-*"], + "privileges": ["all"] + } + ] +} +----------------------------------- +// CONSOLE +// TEST[skip:security is not enabled here] + +Or, for a read-only role that can retrieve policies (but not update, execute, or +delete them), as well as only view the history index: + +[source,js] +----------------------------------- +POST /_security/role/slm-read-only +{ + "cluster": ["read_slm"], + "indices": [ + { + "names": [".slm-history-*"], + "privileges": ["read"] + } + ] +} +----------------------------------- +// CONSOLE +// TEST[skip:security is not enabled here] + [float] [[slm-gs-create-policy]] === Setting up a repository @@ -166,4 +211,4 @@ by searching the index pattern `.slm-history*`. That's it! We have our first SLM policy set up to periodically take snapshots so that our backups are always up to date. You can read more details in the <> and the -<> \ No newline at end of file +<> From a62ac139033502af8a466fa4ffda0d134c797c8b Mon Sep 17 00:00:00 2001 From: Lee Hinman Date: Tue, 2 Jul 2019 15:44:44 -0600 Subject: [PATCH 2/2] Mention that you can create snapshots for indices you can't read --- docs/reference/ilm/getting-started-slm.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/docs/reference/ilm/getting-started-slm.asciidoc b/docs/reference/ilm/getting-started-slm.asciidoc index eee6d1ce2b7ea..5849101ffe6c3 100644 --- a/docs/reference/ilm/getting-started-slm.asciidoc +++ b/docs/reference/ilm/getting-started-slm.asciidoc @@ -14,7 +14,8 @@ time. Before starting, it's important to understand the privileges that are needed when configuring SLM if you are using the security plugin. There are two built-in cluster privileges that can be used to assist: `manage_slm` and -`read_slm`. +`read_slm`. It's also good to note that the `create_snapshot` permission +allows taking snapshots even for indices the role may not have access to. An example of configuring an administrator role for SLM follows:
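Review bot: In the `slm-admin` example added by the `@@ -8,6 +8,51 @@` hunk of patch 1/2, the role gets `"privileges": ["all"]` on `.slm-history-*`, which is more than the text justifies and lets the administrator role modify or delete the history index as well as read it. Either narrow this to the privileges an SLM administrator actually needs on that index, or add a sentence saying why `all` is required. The same example also lists `create_snapshot` under `cluster`, but the paragraph introduced in this hunk names only `manage_slm` and `read_slm`; a short explanation of why `create_snapshot` is part of the admin role belongs next to the example.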
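Review bot: The index pattern is inconsistent between the two hunks of patch 1/2: the context line in the `@@ -166,4 +211,4 @@` hunk tells readers to search `.slm-history*`, while both role examples added earlier in the file grant access on `.slm-history-*`. Use one pattern in both places so the roles shown at the top clearly cover what the closing section asks the reader to query. The only change in this hunk itself is the added trailing newline, which is fine.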
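Review bot: In the `@@ -14,7 +14,8 @@` hunk of patch 2/2, the new sentence is a security caveat but reads as an aside ("It's also good to note that ..."), and it switches to "permission" where the preceding sentence says "cluster privileges". Suggest calling it the `create_snapshot` privilege and setting the sentence off as its own note, so readers granting the `slm-admin` role see that it allows snapshotting indices the role cannot otherwise access. It would also help to say that the `slm-read-only` example omits `create_snapshot` for this reason, if that is the intent.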