From c3f2b7bdf1d9c2a81bcdc5b3a3144ecdf3bbed38 Mon Sep 17 00:00:00 2001
From: Chris Moore <107723039+cwillum@users.noreply.github.com>
Date: Thu, 1 Sep 2022 08:48:42 -0700
Subject: [PATCH] CCS-permissions (#1053)
Signed-off-by: cwillum
Signed-off-by: cwillum
---
 _opensearch/rest-api/search.md | 2 +-
 _security-plugin/access-control/cross-cluster-search.md | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/_opensearch/rest-api/search.md b/_opensearch/rest-api/search.md
index 67ece072..1c368297 100644
--- a/_opensearch/rest-api/search.md
+++ b/_opensearch/rest-api/search.md
@@ -46,7 +46,7 @@ analyzer | String | Analyzer to use in the query string.
 analyze_wildcard | Boolean | Whether the update operation should include wildcard and prefix queries in the analysis. Default is false.
 batched_reduce_size | Integer | How many shard results to reduce on a node. Default is 512.
 cancel_after_time_interval | Time | The time after which the search request will be canceled. Request-level parameter takes precedence over cancel_after_time_interval [cluster setting]({{site.url}}{{site.baseurl}}/opensearch/rest-api/cluster-settings). Default is -1.
-css_minimize_roundtrips | Boolean | Whether to minimize roundtrips between a node and remote clusters. Default is true.
+ccs_minimize_roundtrips | Boolean | Whether to minimize roundtrips between a node and remote clusters. Default is true.
 default_operator | String | Indicates whether the default operator for a string query should be AND or OR. Default is OR.
 df | String | The default field in case a field prefix is not provided in the query string.
 docvalue_fields | String | The fields that OpenSearch should return using their docvalue forms.
diff --git a/_security-plugin/access-control/cross-cluster-search.md b/_security-plugin/access-control/cross-cluster-search.md
index 8c528fc1..7e706fe7 100644
--- a/_security-plugin/access-control/cross-cluster-search.md
+++ b/_security-plugin/access-control/cross-cluster-search.md
@@ -32,12 +32,13 @@ You can have different authentication and authorization configurations on the re
 ## Permissions
-To query indices on remote clusters, users need to have the following permissions for the index, in addition to `READ` or `SEARCH` permissions:
+To query indexes on remote clusters, users need to have `READ` or `SEARCH` permissions. Furthermore, when the search request includes the query parameter `ccs_minimize_roundtrips=false` – which tells OpenSearch not to minimize outgoing and ingoing requests to remote clusters – users need to have the following additional permission for the index:
 ```
 indices:admin/shards/search_shards
 ```
+For more information about the `ccs_minimize_roundtrips` parameter, see the list of [parameters](https://opensearch.org/docs/latest/opensearch/rest-api/search/#url-parameters) for the Search API.
 #### Sample roles.yml configuration
@@ -49,7 +50,7 @@ humanresources:
 'humanresources':
 '*':
 - READ
- - indices:admin/shards/search_shards # needed for CCS
+ - indices:admin/shards/search_shards # needed when the search request includes parameter setting 'ccs_minimize_roundtrips=false'.
 ```