58 lines
1.8 KiB
Plaintext
58 lines
1.8 KiB
Plaintext
[[slm-and-security]]
|
|
=== Security and {slm-init}
|
|
|
|
Two built-in cluster privileges control access to the {slm-init} actions when
|
|
{es} {security-features} are enabled:
|
|
|
|
`manage_slm`:: Allows a user to perform all {slm-init} actions, including creating and updating policies
|
|
and starting and stopping {slm-init}.
|
|
|
|
`read_slm`:: Allows a user to perform all read-only {slm-init} actions,
|
|
such as getting policies and checking the {slm-init} status.
|
|
|
|
`cluster:admin/snapshot/*`:: Allows a user to take and delete snapshots of any
|
|
index, whether or not they have access to that index.
|
|
|
|
You can create and manage roles to assign these privileges through {kib} Management.
|
|
|
|
To grant the privileges necessary to create and manage {slm-init} policies and snapshots,
|
|
you can set up a role with the `manage_slm` and `cluster:admin/snapshot/*` cluster privileges
|
|
and full access to the {slm-init} history indices.
|
|
|
|
For example, the following request creates an `slm-admin` role:
|
|
|
|
[source,console]
|
|
-----------------------------------
|
|
POST /_security/role/slm-admin
|
|
{
|
|
"cluster": ["manage_slm", "cluster:admin/snapshot/*"],
|
|
"indices": [
|
|
{
|
|
"names": [".slm-history-*"],
|
|
"privileges": ["all"]
|
|
}
|
|
]
|
|
}
|
|
-----------------------------------
|
|
// TEST[skip:security is not enabled here]
|
|
|
|
To grant read-only access to {slm-init} policies and the snapshot history,
|
|
you can set up a role with the `read_slm` cluster privilege and read access
|
|
to the {slm} history indices.
|
|
|
|
For example, the following request creates a `slm-read-only` role:
|
|
|
|
[source,console]
|
|
-----------------------------------
|
|
POST /_security/role/slm-read-only
|
|
{
|
|
"cluster": ["read_slm"],
|
|
"indices": [
|
|
{
|
|
"names": [".slm-history-*"],
|
|
"privileges": ["read"]
|
|
}
|
|
]
|
|
}
|
|
-----------------------------------
|
|
// TEST[skip:security is not enabled here] |