Add o11y security

Signed-off-by: Liz Snyder <elizabsn@amazon.com>
2022-04-11 15:43:55 -07:00 · 2022-04-11 15:43:55 -07:00 · 65018caacf
parent 41eb61ecf2
commit 65018caacf
2 changed files with 58 additions and 2 deletions
--- a/_observability-plugin/observability-security.md
+++ b/_observability-plugin/observability-security.md
@ -0,0 +1,56 @@
+---
+layout: default
+title: Observability security
+nav_order: 5
+has_children: false
+---
+
+# Observability security
+
+You can use the security plugin with Observability in OpenSearch to limit non-admin users to specific actions. For example, you might want some users to only view visualizations, notebooks, and other Observability objects, while others can create and modify them.
+
+## Basic permissions
+
+The security plugin has two built-in roles that cover most Observability use cases: `observability_full_access` and `observability_read_access`. For descriptions of each, see [Predefined roles]({{site.url}}{{site.baseurl}}/security-plugin/access-control/users-roles#predefined-roles). If you don't see these predefined roles in OpenSearch Dashboards, you can create them with the following commands:
+
+```json
+PUT _plugins/_security/api/roles/observability_read_access
+{
+  "cluster_permissions": [
+    "cluster:admin/opensearch/observability/get"
+  ]
+}
+```
+
+```json
+PUT _plugins/_security/api/roles/observability_full_access
+{
+  "cluster_permissions": [
+    "cluster:admin/opensearch/observability/*"
+  ]
+}
+```
+
+If these roles don't meet your needs, mix and match individual Observability [permissions]({{site.url}}{{site.baseurl}}/security-plugin/access-control/permissions/) to suit your use case. For example, the `cluster:admin/opensearch/observability/create` permission lets you create Observability objects (visualizations, operational panels, notebooks, etc.)
+
+The following is an example role that that provides access to Observability:
+
+```json
+PUT _plugins/_security/api/roles/observability_permissions
+{
+  "cluster_permissions": [
+    "cluster:admin/opensearch/observability/create",
+    "cluster:admin/opensearch/observability/update",
+    "cluster:admin/opensearch/observability/delete",
+    "cluster:admin/opensearch/observability/get"
+    ],
+  "index_permissions": [{
+    "index_patterns": [".opensearch-observability"],
+    "allowed_actions": ["write", "read", "search"]
+  }],
+  "tenant_permissions": [{
+    "tenant_patterns": ["global_tenant"],
+    "allowed_actions": ["opensearch_dashboards_all_write"]
+  }]
+}
+```
--- a/_replication-plugin/permissions.md
+++ b/_replication-plugin/permissions.md
@ -1,10 +1,10 @@
 ---
 layout: default
-title: Permissions
+title: Replication security
 nav_order: 30
 ---

-# Cross-cluster replication permissions
+# Cross-cluster replication security

 You can use the [security plugin]({{site.url}}{{site.baseurl}}/security-plugin/index/) with cross-cluster replication to limit users to certain actions. For example, you might want certain users to only perform replication activity on the leader or follower cluster.