OpenSearch/docs/reference/slm/slm-security.asciidoc

58 lines
1.8 KiB
Plaintext
Raw Normal View History

[[slm-and-security]]
=== Security and {slm-init}
Two built-in cluster privileges control access to the {slm-init} actions when
{es} {security-features} are enabled:
`manage_slm`:: Allows a user to perform all {slm-init} actions, including creating and updating policies
and starting and stopping {slm-init}.
`read_slm`:: Allows a user to perform all read-only {slm-init} actions,
such as getting policies and checking the {slm-init} status.
`cluster:admin/snapshot/*`:: Allows a user to take and delete snapshots of any
index, whether or not they have access to that index.
You can create and manage roles to assign these privileges through {kib} Management.
To grant the privileges necessary to create and manage {slm-init} policies and snapshots,
you can set up a role with the `manage_slm` and `cluster:admin/snapshot/*` cluster privileges
and full access to the {slm-init} history indices.
For example, the following request creates an `slm-admin` role:
[source,console]
-----------------------------------
POST /_security/role/slm-admin
{
"cluster": ["manage_slm", "cluster:admin/snapshot/*"],
"indices": [
{
"names": [".slm-history-*"],
"privileges": ["all"]
}
]
}
-----------------------------------
// TEST[skip:security is not enabled here]
To grant read-only access to {slm-init} policies and the snapshot history,
you can set up a role with the `read_slm` cluster privilege and read access
to the {slm} history indices.
For example, the following request creates a `slm-read-only` role:
[source,console]
-----------------------------------
POST /_security/role/slm-read-only
{
"cluster": ["read_slm"],
"indices": [
{
"names": [".slm-history-*"],
"privileges": ["read"]
}
]
}
-----------------------------------
// TEST[skip:security is not enabled here]