[DOCS] Document machine_learning_admin and machine_learning_user roles (elastic/x-pack-elasticsearch#1132)
* [DOCS] Document machine_learning_admin and machine_learning_user roles
* [DOCS] Fix auth requirements for ML result APIs
* [DOCS] Update authorization.asciidoc based on elastic/x-pack-elasticsearch#1132

Original commit: elastic/x-pack-elasticsearch@1bf563e8d7
parent 50dff91a3a
commit bf110ba05e
|
@ -16,7 +16,10 @@ results from a job.
|
||||||
This API presents a chronological view of the records, grouped by bucket.
|
This API presents a chronological view of the records, grouped by bucket.
|
||||||
|
|
||||||
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
|
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
|
||||||
privileges to use this API. For more information, see <<privileges-list-cluster>>.
|
privileges to use this API. You also need `read` index privilege on the index
|
||||||
|
that stores the results. The `machine_learning_admin` and `machine_learning_user`
|
||||||
|
roles provide these privileges. For more information, see
|
||||||
|
<<security-privileges>> and <<built-in-roles>>.
|
||||||
|
|
||||||
===== Path Parameters
|
===== Path Parameters
|
||||||
|
|
||||||
|
|
|
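Review bot: The added sentence "You also need `read` index privilege on the index that stores the results" never says which index that is. The role definitions added to authorization.asciidoc in this same commit name `.ml-anomalies*` and `.ml-notifications`, so naming the pattern here (or linking straight to `<<built-in-roles-ml-user>>`) would let a reader build a custom role without hunting for it.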
@ -14,7 +14,10 @@ about the categories in the results for a job.
|
||||||
===== Description
|
===== Description
|
||||||
|
|
||||||
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
|
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
|
||||||
privileges to use this API. For more information, see <<privileges-list-cluster>>.
|
privileges to use this API. You also need `read` index privilege on the index
|
||||||
|
that stores the results. The `machine_learning_admin` and `machine_learning_user`
|
||||||
|
roles provide these privileges. For more information, see
|
||||||
|
<<security-privileges>> and <<built-in-roles>>.
|
||||||
|
|
||||||
===== Path Parameters
|
===== Path Parameters
|
||||||
|
|
||||||
|
|
|
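Review bot: In the new last sentence, `machine_learning_admin` and `machine_learning_user` are offered as equivalent ways to get access to this read-only API. Per the role descriptions in this commit, the admin role carries `manage_ml` and read access to all `.ml-*` indices, while the user role is described as the minimum for viewing results. Suggest recommending `machine_learning_user` here and mentioning the admin role only as also sufficient.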
@ -12,7 +12,10 @@ in a job.
|
||||||
===== Description
|
===== Description
|
||||||
|
|
||||||
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
|
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
|
||||||
privileges to use this API. For more information, see <<privileges-list-cluster>>.
|
privileges to use this API. You also need `read` index privilege on the index
|
||||||
|
that stores the results. The `machine_learning_admin` and `machine_learning_user`
|
||||||
|
roles provide these privileges. For more information, see
|
||||||
|
<<security-privileges>> and <<built-in-roles>>.
|
||||||
|
|
||||||
===== Path Parameters
|
===== Path Parameters
|
||||||
|
|
||||||
|
|
|
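Review bot: This is the third verbatim copy of the same four-line privileges paragraph in this commit, and a fourth follows in the get records page. A shared snippet pulled in with `include::` (as authorization.asciidoc already does for its subsections) would keep the wording from drifting the next time the requirements change.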
@ -12,7 +12,10 @@ The get records API enables you to retrieve anomaly records for a job.
|
||||||
===== Description
|
===== Description
|
||||||
|
|
||||||
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
|
You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
|
||||||
privileges to use this API. For more information, see <<privileges-list-cluster>>.
|
privileges to use this API. You also need `read` index privilege on the index
|
||||||
|
that stores the results. The `machine_learning_admin` and `machine_learning_user`
|
||||||
|
roles provide these privileges. For more information, see
|
||||||
|
<<security-privileges>> and <<built-in-roles>>.
|
||||||
|
|
||||||
===== Path Parameters
|
===== Path Parameters
|
||||||
|
|
||||||
|
|
|
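Review bot: The first sentence still reads as though any one of the four cluster privileges is enough, with the index requirement tacked on by "also". Since the paragraph now documents two requirements, consider stating them together: one of the listed cluster privileges and the `read` index privilege on the results index. Also confirm that `<<security-privileges>>`, which replaces `<<privileges-list-cluster>>`, resolves to an existing anchor; it is not defined in any hunk shown here.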
@ -59,25 +59,25 @@ to users. These roles have a fixed set of privileges and cannot be updated.
|
||||||
|
|
||||||
[[built-in-roles-superuser]]
|
[[built-in-roles-superuser]]
|
||||||
`superuser`::
|
`superuser`::
|
||||||
Grants full access to the cluster, including all indices and data. A user with
|
Grants full access to the cluster, including all indices and data. A user with
|
||||||
the `superuser` role can also manage users and roles and <<run-as-privilege, impersonate>> any other user in the system. Due to the permissive nature of
|
the `superuser` role can also manage users and roles and <<run-as-privilege, impersonate>> any other user in the system. Due to the permissive nature of
|
||||||
this role, take extra care when assigning it to a user.
|
this role, take extra care when assigning it to a user.
|
||||||
|
|
||||||
[[built-in-roles-transport-client]]
|
[[built-in-roles-transport-client]]
|
||||||
`transport_client`::
|
`transport_client`::
|
||||||
Grants the privileges required to access the cluster through the Java Transport Client. The Java Transport Client fetches information about the nodes in the
|
Grants the privileges required to access the cluster through the Java Transport Client. The Java Transport Client fetches information about the nodes in the
|
||||||
cluster using the _Node Liveness API_ and the _Cluster State API_ (when
|
cluster using the _Node Liveness API_ and the _Cluster State API_ (when
|
||||||
sniffing is enabled). Assign your users this role if they use the
|
sniffing is enabled). Assign your users this role if they use the
|
||||||
Transport Client.
|
Transport Client.
|
||||||
+
|
+
|
||||||
NOTE: Using the Transport Client effectively means the users are granted access
|
NOTE: Using the Transport Client effectively means the users are granted access
|
||||||
to the cluster state. This means users can view the metadata over all indices,
|
to the cluster state. This means users can view the metadata over all indices,
|
||||||
index templates, mappings, node and basically everything about the cluster.
|
index templates, mappings, node and basically everything about the cluster.
|
||||||
However, this role does not grant permission to view the data in all indices.
|
However, this role does not grant permission to view the data in all indices.
|
||||||
|
|
||||||
[[built-in-roles-kibana-user]]
|
[[built-in-roles-kibana-user]]
|
||||||
`kibana_user` ::
|
`kibana_user` ::
|
||||||
Grants the minimum privileges required for any user of Kibana. This role grants
|
Grants the minimum privileges required for any user of Kibana. This role grants
|
||||||
access to the Kibana indices and grants monitoring privileges for the cluster.
|
access to the Kibana indices and grants monitoring privileges for the cluster.
|
||||||
|
|
||||||
[[built-in-roles-monitoring-user]]
|
[[built-in-roles-monitoring-user]]
|
||||||
|
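Review bot: Every line in this 25-line hunk reads the same on both sides, so the change appears to be whitespace only and is unrelated to documenting the ML roles. Either drop it from this commit or call it out in the commit message. If the hunk is kept, `kibana_user` :: still has a space before the `::` that the other role entries do not.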
@ -132,6 +132,17 @@ stats.
|
||||||
Grants write access to the `.watches` index, read access to the watch history and
|
Grants write access to the `.watches` index, read access to the watch history and
|
||||||
the triggered watches index and allows to execute all watcher actions.
|
the triggered watches index and allows to execute all watcher actions.
|
||||||
|
|
||||||
|
[[built-in-roles-ml-admin]]
|
||||||
|
`machine_learning_admin`::
|
||||||
|
Grants `manage_ml` cluster privileges and read access to the `.ml-*` indices.
|
||||||
|
|
||||||
|
[[built-in-roles-ml-user]]
|
||||||
|
`machine_learning_user`::
|
||||||
|
Grants the minimum privileges required to view {xpack} {ml} configuration,
|
||||||
|
status, and results. This role grants `monitor_ml` cluster privileges and
|
||||||
|
read access to the `.ml-notifications` and `.ml-anomalies*` indices,
|
||||||
|
which store {ml} results.
|
||||||
|
|
||||||
[[defining-roles]]
|
[[defining-roles]]
|
||||||
=== Defining Roles
|
=== Defining Roles
|
||||||
|
|
||||||
|
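Review bot: The `machine_learning_admin` entry is a single line that states the grants but not what they allow, while `machine_learning_user` directly below explains its purpose. Suggest describing what `manage_ml` permits in the same style, and noting that its `.ml-*` read pattern is wider than the `.ml-notifications` and `.ml-anomalies*` indices given to the user role, so the choice between the two is clear when assigning.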
@ -258,7 +269,7 @@ log in to Kibana and go to *Management / Elasticsearch / Roles*.
|
||||||
=== Role Management API
|
=== Role Management API
|
||||||
|
|
||||||
The _Role Management APIs_ enable you to add, update, remove and retrieve roles
|
The _Role Management APIs_ enable you to add, update, remove and retrieve roles
|
||||||
dynamically. When you use the APIs to manage roles in the `native` realm, the
|
dynamically. When you use the APIs to manage roles in the `native` realm, the
|
||||||
roles are stored in an internal Elasticsearch index.
|
roles are stored in an internal Elasticsearch index.
|
||||||
|
|
||||||
[[roles-api-add]]
|
[[roles-api-add]]
|
||||||
|
@ -409,4 +420,3 @@ include::authorization/field-and-document-access-control.asciidoc[]
|
||||||
include::authorization/run-as-privilege.asciidoc[]
|
include::authorization/run-as-privilege.asciidoc[]
|
||||||
|
|
||||||
include::authorization/custom-roles-provider.asciidoc[]
|
include::authorization/custom-roles-provider.asciidoc[]
|
||||||
|
|
||||||
|
|