Docs: Explain watcher security integration/limitations (elastic/x-pack-elasticsearch#3106)

Original commit: elastic/x-pack-elasticsearch@991e1de267
Alexander Reelsen 2017-11-29 14:48:06 +01:00 committed by GitHub
parent 171c48fd2f
commit c641a30bc5
3 changed files with 29 additions and 1 deletions

@ -118,6 +118,18 @@ are five possible modes an action can be associated with:
You must have `manage_watcher` cluster privileges to use this API. For more
information, see {xpack-ref}/security-privileges.html[Security Privileges].
[float]
==== Security Integration
When {security} is enabled on your Elasticsearch cluster, then watches will be
executed with the privileges of the user that stored the watches. If your user
is allowed to read index `a`, but not index `b`, then the exact same set of
rules will apply during execution of a watch.
When using the execute watch API, the authorization data of the user that
called the API will be used as a base, instead of of the information who stored
the watch.
[float]
==== Examples
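Review bot: The second added paragraph, "will be used as a base, instead of of the information who stored the watch", has a doubled "of" and never says what "as a base" means, so a reader cannot tell whether the caller's privileges fully replace those of the user who stored the watch for that execution. Suggest wording along the lines of "the watch is executed with the privileges of the user who called the API, not those of the user who stored the watch", if that is the actual behaviour. In the first paragraph, "then" after the "When {security} is enabled" clause can be dropped.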

@ -74,6 +74,14 @@ A watch has the following fields:
You must have `manage_watcher` cluster privileges to use this API. For more
information, see {xpack-ref}/security-privileges.html[Security Privileges].
[float]
==== Security Integration
When {security} is enabled, your watch will only be able to index or search on
indices for which the user that stored the watch, has privileges. If the user is
able to read index `a`, but not index `b`, the same will apply, when the watch
is executed.
[float]
==== Examples
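Review bot: The added Security Integration paragraph leaves out the limitation that the UI docs change in this same commit spells out, namely that the privileges are captured when the watch is stored and continue to apply if the user's permissions change later. Since this is the API that stores the watch, that point belongs here as well, or at least a cross-reference to it. The commas in "the user that stored the watch, has privileges" and "the same will apply, when the watch is executed" should also be removed.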

@ -18,3 +18,11 @@ from the page without saving your changes they will be lost without warning.
Make sure to save your changes before leaving the page.
image::watcher-ui-edit-watch.png[]
[float]
=== Security Integration
When {security} is enabled, a watch stores information about what the user who
stored the watch is allowed to execute **at that time**. This means, if those
permissions change over time, the watch will still be able to execute with the
permissions that existed when the watch was created.
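Review bot: The last sentence says "when the watch was created" while the first says "the user who stored the watch"; if updating a watch captures the permissions again, "created" is misleading and both sentences should use "stored". The paragraph also stops short of the operational consequence: after a user's privileges are reduced, existing watches keep executing with the old ones, so the docs should state what an administrator has to do to bring a watch in line with the new permissions.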