Merge pull request #504 from opensearch-project/o11y-notebooks-security
Add o11y security
This commit is contained in:
commit
b191e03054
|
@ -0,0 +1,56 @@
|
||||||
|
---
|
||||||
|
layout: default
|
||||||
|
title: Observability security
|
||||||
|
nav_order: 5
|
||||||
|
has_children: false
|
||||||
|
---
|
||||||
|
|
||||||
|
# Observability security
|
||||||
|
|
||||||
|
You can use the security plugin with Observability in OpenSearch to limit non-admin users to specific actions. For example, you might want some users to only view visualizations, notebooks, and other Observability objects, while others can create and modify them.
|
||||||
|
|
||||||
|
## Basic permissions
|
||||||
|
|
||||||
|
The security plugin has two built-in roles that cover most Observability use cases: `observability_full_access` and `observability_read_access`. For descriptions of each, see [Predefined roles]({{site.url}}{{site.baseurl}}/security-plugin/access-control/users-roles#predefined-roles). If you don't see these predefined roles in OpenSearch Dashboards, you can create them with the following commands:
|
||||||
|
|
||||||
|
```json
|
||||||
|
PUT _plugins/_security/api/roles/observability_read_access
|
||||||
|
{
|
||||||
|
"cluster_permissions": [
|
||||||
|
"cluster:admin/opensearch/observability/get"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
```json
|
||||||
|
PUT _plugins/_security/api/roles/observability_full_access
|
||||||
|
{
|
||||||
|
"cluster_permissions": [
|
||||||
|
"cluster:admin/opensearch/observability/*"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
If these roles don't meet your needs, mix and match individual Observability [permissions]({{site.url}}{{site.baseurl}}/security-plugin/access-control/permissions/) to suit your use case. For example, the `cluster:admin/opensearch/observability/create` permission lets you create Observability objects (visualizations, operational panels, notebooks, etc.).
|
||||||
|
|
||||||
|
The following is an example role that provides access to Observability:
|
||||||
|
|
||||||
|
```json
|
||||||
|
PUT _plugins/_security/api/roles/observability_permissions
|
||||||
|
{
|
||||||
|
"cluster_permissions": [
|
||||||
|
"cluster:admin/opensearch/observability/create",
|
||||||
|
"cluster:admin/opensearch/observability/update",
|
||||||
|
"cluster:admin/opensearch/observability/delete",
|
||||||
|
"cluster:admin/opensearch/observability/get"
|
||||||
|
],
|
||||||
|
"index_permissions": [{
|
||||||
|
"index_patterns": [".opensearch-observability"],
|
||||||
|
"allowed_actions": ["write", "read", "search"]
|
||||||
|
}],
|
||||||
|
"tenant_permissions": [{
|
||||||
|
"tenant_patterns": ["global_tenant"],
|
||||||
|
"allowed_actions": ["opensearch_dashboards_all_write"]
|
||||||
|
}]
|
||||||
|
}
|
||||||
|
```
|
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
layout: default
|
layout: default
|
||||||
title: Permissions
|
title: Replication security
|
||||||
nav_order: 30
|
nav_order: 30
|
||||||
---
|
---
|
||||||
|
|
||||||
# Cross-cluster replication permissions
|
# Cross-cluster replication security
|
||||||
|
|
||||||
You can use the [security plugin]({{site.url}}{{site.baseurl}}/security-plugin/index/) with cross-cluster replication to limit users to certain actions. For example, you might want certain users to only perform replication activity on the leader or follower cluster.
|
You can use the [security plugin]({{site.url}}{{site.baseurl}}/security-plugin/index/) with cross-cluster replication to limit users to certain actions. For example, you might want certain users to only perform replication activity on the leader or follower cluster.
|
||||||
|
|
||||||
|
|
|
@ -132,6 +132,10 @@ These permissions are for the cluster and can't be applied granularly. For examp
|
||||||
- cluster:admin/opendistro/reports/instance/list
|
- cluster:admin/opendistro/reports/instance/list
|
||||||
- cluster:admin/opendistro/reports/instance/get
|
- cluster:admin/opendistro/reports/instance/get
|
||||||
- cluster:admin/opendistro/reports/menu/download
|
- cluster:admin/opendistro/reports/menu/download
|
||||||
|
- cluster:admin/opensearch/observability/create
|
||||||
|
- cluster:admin/opensearch/observability/update
|
||||||
|
- cluster:admin/opensearch/observability/delete
|
||||||
|
- cluster:admin/opensearch/observability/get
|
||||||
- cluster:admin/plugins/replication/autofollow/update
|
- cluster:admin/plugins/replication/autofollow/update
|
||||||
- cluster:admin/reindex/rethrottle
|
- cluster:admin/reindex/rethrottle
|
||||||
- cluster:admin/repository/delete
|
- cluster:admin/repository/delete
|
||||||
|
|
Loading…
Reference in New Issue