From 98c3ecd7fcec51af5d63ee219d0a4aecce74ae76 Mon Sep 17 00:00:00 2001
From: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com>
Date: Wed, 10 Aug 2022 10:35:52 -0400
Subject: [PATCH] Added async search plugin security info (#859)

* Added async search plugin security info

Signed-off-by: Fanit Kolchina <kolchfa@amazon.com>

* Incorporated review comments

Signed-off-by: Fanit Kolchina <kolchfa@amazon.com>

* Incorporated editorial comments

Signed-off-by: Fanit Kolchina <kolchfa@amazon.com>
---
 _search-plugins/async/security.md | 57 +++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/_search-plugins/async/security.md b/_search-plugins/async/security.md
index de4580b7..e23f28e5 100644
--- a/_search-plugins/async/security.md
+++ b/_search-plugins/async/security.md
@@ -74,3 +74,60 @@ Because they have different backend roles, an asynchronous search submitted by `
 `judy` needs to have at least the superset of all roles that `elon` has to see `elon`'s asynchronous searches.
 
 For example, if `judy` has five backend roles and `elon` has one of these roles, then `judy` can see asynchronous searches submitted by `elon`, but `elon` can’t see the asynchronous searches submitted by `judy`. This means that `judy` can perform GET and DELETE operations on asynchronous searches submitted by `elon`, but not the reverse.
+
+If none of the users have any backend roles, all three will be able to see the others' searches.
+
+For example, consider three users: `judy`, `elon`, and `jack`.
+
+`judy`, `elon`, and `jack` have no backend roles set up:
+
+```json
+PUT _plugins/_security/api/internalusers/judy
+{
+  "password": "judy",
+  "backend_roles": [],
+  "attributes": {}
+}
+```
+
+```json
+PUT _plugins/_security/api/internalusers/elon
+{
+  "password": "elon",
+  "backend_roles": [],
+  "attributes": {}
+}
+```
+
+```json
+PUT _plugins/_security/api/internalusers/jack
+{
+  "password": "jack",
+  "backend_roles": [],
+  "attributes": {}
+}
+```
+
+Both `judy` and `elon` have full access to asynchronous search:
+
+```json
+PUT _plugins/_security/api/rolesmapping/async_full_access
+{
+  "backend_roles": [],
+  "hosts": [],
+  "users": ["judy","elon"]
+}
+```
+
+`jack` has read access to asynchronous search results:
+
+```json
+PUT _plugins/_security/api/rolesmapping/async_read_access
+{
+  "backend_roles": [],
+  "hosts": [],
+  "users": ["jack"]
+}
+```
+
+Because none of the users have backend roles, they will be able to see each other's asynchronous searches. So, if `judy` submits an asynchronous search, `elon`, who has full access, will be able to see that search. `jack`, who has read access, will also be able to see `judy`'s asynchronous search.
\ No newline at end of file