[DOCS] Document machine_learning_admin and machine_learning_user roles (elastic/x-pack-elasticsearch#1132)

* [DOCS] Document machine_learning_admin and machine_learning_user roles

* [DOCS] Fix auth requrements for ML result APIs

* [DOCS] Update authorization.asciidoc based on elastic/x-pack-elasticsearch#1132

Original commit: elastic/x-pack-elasticsearch@1bf563e8d7
This commit is contained in:
Lisa Cawley 2017-04-20 08:45:30 -07:00 committed by GitHub
parent 50dff91a3a
commit bf110ba05e
5 changed files with 36 additions and 14 deletions

View File

@ -16,7 +16,10 @@ results from a job.
This API presents a chronological view of the records, grouped by bucket.
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
privileges to use this API. For more information, see <<privileges-list-cluster>>.
privileges to use this API. You also need `read` index privilege on the index
that stores the results. The `machine_learning_admin` and `machine_learning_user`
roles provide these privileges. For more information, see
<<security-privileges>> and <<built-in-roles>>.
===== Path Parameters

View File

@ -14,7 +14,10 @@ about the categories in the results for a job.
===== Description
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
privileges to use this API. For more information, see <<privileges-list-cluster>>.
privileges to use this API. You also need `read` index privilege on the index
that stores the results. The `machine_learning_admin` and `machine_learning_user`
roles provide these privileges. For more information, see
<<security-privileges>> and <<built-in-roles>>.
===== Path Parameters

View File

@ -12,7 +12,10 @@ in a job.
===== Description
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
privileges to use this API. For more information, see <<privileges-list-cluster>>.
privileges to use this API. You also need `read` index privilege on the index
that stores the results. The `machine_learning_admin` and `machine_learning_user`
roles provide these privileges. For more information, see
<<security-privileges>> and <<built-in-roles>>.
===== Path Parameters

View File

@ -12,7 +12,10 @@ The get records API enables you to retrieve anomaly records for a job.
===== Description
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
privileges to use this API. For more information, see <<privileges-list-cluster>>.
privileges to use this API. You also need `read` index privilege on the index
that stores the results. The `machine_learning_admin` and `machine_learning_user`
roles provide these privileges. For more information, see
<<security-privileges>> and <<built-in-roles>>.
===== Path Parameters

View File

@ -59,25 +59,25 @@ to users. These roles have a fixed set of privileges and cannot be updated.
[[built-in-roles-superuser]]
`superuser`::
Grants full access to the cluster, including all indices and data. A user with
Grants full access to the cluster, including all indices and data. A user with
the `superuser` role can also manage users and roles and <<run-as-privilege, impersonate>> any other user in the system. Due to the permissive nature of
this role, take extra care when assigning it to a user.
[[built-in-roles-transport-client]]
`transport_client`::
Grants the privileges required to access the cluster through the Java Transport Client. The Java Transport Client fetches information about the nodes in the
cluster using the _Node Liveness API_ and the _Cluster State API_ (when
`transport_client`::
Grants the privileges required to access the cluster through the Java Transport Client. The Java Transport Client fetches information about the nodes in the
cluster using the _Node Liveness API_ and the _Cluster State API_ (when
sniffing is enabled). Assign your users this role if they use the
Transport Client.
+
NOTE: Using the Transport Client effectively means the users are granted access
NOTE: Using the Transport Client effectively means the users are granted access
to the cluster state. This means users can view the metadata over all indices,
index templates, mappings, node and basically everything about the cluster.
index templates, mappings, node and basically everything about the cluster.
However, this role does not grant permission to view the data in all indices.
[[built-in-roles-kibana-user]]
`kibana_user` ::
Grants the minimum privileges required for any user of Kibana. This role grants
`kibana_user` ::
Grants the minimum privileges required for any user of Kibana. This role grants
access to the Kibana indices and grants monitoring privileges for the cluster.
[[built-in-roles-monitoring-user]]
@ -132,6 +132,17 @@ stats.
Grants write access to the `.watches` index, read access to the watch history and
the triggered watches index and allows to execute all watcher actions.
[[built-in-roles-ml-admin]]
`machine_learning_admin`::
Grants `manage_ml` cluster privileges and read access to the `.ml-*` indices.
[[built-in-roles-ml-user]]
`machine_learning_user`::
Grants the minimum privileges required to view {xpack} {ml} configuration,
status, and results. This role grants `monitor_ml` cluster privileges and
read access to the `.ml-notifications` and `.ml-anomalies*` indices,
which store {ml} results.
[[defining-roles]]
=== Defining Roles
@ -258,7 +269,7 @@ log in to Kibana and go to *Management / Elasticsearch / Roles*.
=== Role Management API
The _Role Management APIs_ enable you to add, update, remove and retrieve roles
dynamically. When you use the APIs to manage roles in the `native` realm, the
dynamically. When you use the APIs to manage roles in the `native` realm, the
roles are stored in an internal Elasticsearch index.
[[roles-api-add]]
@ -409,4 +420,3 @@ include::authorization/field-and-document-access-control.asciidoc[]
include::authorization/run-as-privilege.asciidoc[]
include::authorization/custom-roles-provider.asciidoc[]