From 95a5d36289cf1010dfaa371b1dbd340ad8e3105b Mon Sep 17 00:00:00 2001 From: Lisa Cawley Date: Tue, 26 Sep 2017 13:26:02 -0700 Subject: [PATCH] [DOCS] Add watcher and elevated privilege info (elastic/x-pack-elasticsearch#2632) Original commit: elastic/x-pack-elasticsearch@2dcbace8a018ce8327fbba7269f93c39fe6cb436 --- .../en/security/reference/privileges.asciidoc | 12 ++++++++++++ docs/en/watcher/actions/index.asciidoc | 5 ++++- docs/en/watcher/index.asciidoc | 12 +++++++++--- docs/en/watcher/input/search.asciidoc | 19 +++++++++++-------- 4 files changed, 36 insertions(+), 12 deletions(-) diff --git a/docs/en/security/reference/privileges.asciidoc b/docs/en/security/reference/privileges.asciidoc index 2c854d6c7b8..317b369febd 100644 --- a/docs/en/security/reference/privileges.asciidoc +++ b/docs/en/security/reference/privileges.asciidoc @@ -33,6 +33,12 @@ All operations on index templates. `manage_ml`:: All {ml} operations, such as creating and deleting {dfeeds}, jobs, and model snapshots. ++ +-- +NOTE: Datafeeds run as a system user with elevated privileges, including +permission to read all indices. + +-- `manage_pipeline`:: All operations on ingest pipelines. @@ -43,6 +49,12 @@ cache clearing. `manage_watcher`:: All watcher operations, such as putting watches, executing, activate or acknowledging. ++ +-- +NOTE: Watches run as a system user with elevated privileges, including permission +to read and write all indices. + +-- `transport_client`:: All privileges necessary for a transport client to connect. Required by the remote diff --git a/docs/en/watcher/actions/index.asciidoc b/docs/en/watcher/actions/index.asciidoc index 55c837a3884..1e8b7aeee64 100644 --- a/docs/en/watcher/actions/index.asciidoc +++ b/docs/en/watcher/actions/index.asciidoc 
@@ -44,7 +44,7 @@ The following snippet shows a simple `index` action definition: | `doc_id` | no | - | The optional `_id` of the document. | `execution_time_field` | no | - | The field that will store/index the watch execution - time. + time. | `timeout` | no | 60s | The timeout for waiting for the index api call to return. If no response is returned within this time, @@ -73,3 +73,6 @@ a document and the index action indexes all of them in a bulk. An `_id` value can be added per document to dynamically set the ID of the indexed document. + +NOTE: The index action runs as a system user with elevated privileges, including +permission to write all indices. diff --git a/docs/en/watcher/index.asciidoc b/docs/en/watcher/index.asciidoc index b5c2fadee1b..65e5be0d468 100644 --- a/docs/en/watcher/index.asciidoc +++ b/docs/en/watcher/index.asciidoc @@ -3,8 +3,9 @@ [partintro] -- -You can watch for changes or anomalies in your data and perform the necessary -actions in response. For example, you might want to: +{xpack} alerting is a set of administrative features that enable you to watch +for changes or anomalies in your data and perform the necessary actions in +response. For example, you might want to: * Monitor social media as another way to detect failures in user-facing automated systems like ATMs or ticketing systems. When the number of tweets @@ -62,6 +63,11 @@ A full history of all watches is maintained in an Elasticsearch index. This history keeps track of each time a watch is triggered and records the results from the query, whether the condition was met, and what actions were taken. +NOTE: Watches run with elevated privileges. Users mapped to the built-in +`watcher_admin` role or any other role to which the `manage_watcher` cluster +privilege is assigned should be reviewed and granted only to personnel with +appropriate trust levels to read and write all indices. + -- include::getting-started.asciidoc[] 
@@ -81,5 +87,5 @@ include::transform.asciidoc[] include::java.asciidoc[] include::managing-watches.asciidoc[] - + include::example-watches.asciidoc[] diff --git a/docs/en/watcher/input/search.asciidoc b/docs/en/watcher/input/search.asciidoc index 3f911acf347..2b643560055 100644 --- a/docs/en/watcher/input/search.asciidoc +++ b/docs/en/watcher/input/search.asciidoc @@ -2,17 +2,17 @@ === Search Input Use the `search` input to load the results of an Elasticsearch search request -into the execution context when the watch is triggered. See +into the execution context when the watch is triggered. See <> for all of the supported attributes. - + In the search input's `request` object, you specify: * The indices you want to search * The {ref}/search-request-search-type.html[search type] * The search request body -The search request body supports the full Elasticsearch Query DSL--it's the +The search request body supports the full Elasticsearch Query DSL--it's the same as the body of an Elasticsearch `_search` request. For example, the following input retrieves all `event` @@ -33,7 +33,7 @@ documents from the `logs` index: } -------------------------------------------------- -You can use date math and wildcards when specifying indices. For example, +You can use date math and wildcards when specifying indices. For example, the following input loads the latest VIXZ quote from today's daily quotes index: [source,js] @@ -42,7 +42,7 @@ the following input loads the latest VIXZ quote from today's daily quotes index: "input" : { "search" : { "request" : { - "indices" : [ "" ], + "indices" : [ "" ], "body" : { "size" : 1, "sort" : { 
@@ -108,8 +108,8 @@ parameter: ==== Applying Conditions -The `search` input is often used in conjunction with the <> condition. For example, the following snippet adds a condition to +The `search` input is often used in conjunction with the <> condition. For example, the following snippet adds a condition to check if the search returned more than five hits: [source,js] @@ -200,4 +200,7 @@ specifying the request `body`: | `ctx.trigger.triggered_time` | The time this watch was triggered. | `ctx.trigger.scheduled_time` | The time this watch was supposed to be triggered. | `ctx.metadata.*` | Any metadata associated with the watch. -|====== \ No newline at end of file +|====== + +NOTE: The search input runs as a system user with elevated privileges, including +permission to read all indices.
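Review bot: In the `manage_ml` hunk of privileges.asciidoc, the new NOTE states that datafeeds run as a system user with read access to all indices but, unlike the `manage_watcher` NOTE and the NOTE added to watcher/index.asciidoc, gives no guidance on restricting who is granted the privilege. Consider adding a parallel sentence, for example: "Grant `manage_ml` only to users who are trusted to read all indices."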
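Review bot: In the `manage_watcher` hunk of privileges.asciidoc, the pre-existing description "All watcher operations, such as putting watches, executing, activate or acknowledging." mixes verb forms; since this block is being edited, reword it to "All watcher operations, such as putting, executing, activating, or acknowledging watches." The NOTE itself is the right place to name the built-in `watcher_admin` role that the watcher/index.asciidoc hunk mentions, so readers of the privilege reference learn that granting that role carries the same read/write-all-indices consequence.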
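Review bot: In the second hunk of actions/index.asciidoc, the NOTE says the index action runs with permission to write all indices, but leaves the practical consequence implicit: the target `index` of the action is not constrained by the index privileges of the user who put the watch. Stating that directly, next to the `index` attribute in the table above it, would make the risk clearer than a trailing note after the bulk-indexing paragraph.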
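Review bot: In the second hunk of watcher/index.asciidoc, the NOTE's subject and verb do not agree: "Users mapped to the built-in `watcher_admin` role ... should be reviewed and granted only to personnel" says users are granted to personnel. The thing being reviewed and granted is the role membership, so reword along the lines of: "Membership in the built-in `watcher_admin` role, or in any other role to which the `manage_watcher` cluster privilege is assigned, should be reviewed and granted only to personnel who are trusted to read and write all indices."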
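Review bot: In the `"indices"` hunk of input/search.asciidoc, both the `-` and `+` lines render here as `"indices" : [ "" ]`, so the change appears to be trailing whitespace only; however the surrounding prose promises a date-math expression for "today's daily quotes index", and an empty string is what remains when angle-bracket date math (Elasticsearch's `<...>` index syntax) is stripped by tooling that treats it as markup. Please confirm the expression is intact in the source file before merging.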
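Review bot: In the final hunk of input/search.asciidoc, the NOTE is appended after the `ctx.*` variable table, where a reader who only consults the `request` attribute documentation near the top of the page will not see it; the fix to the missing trailing newline after `|======` is fine. Consider moving or duplicating the elevated-privilege statement next to the "The indices you want to search" bullet, since that is where the reader decides which indices the system user will read on their behalf.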