Add Kibana application privileges to the reserved role docs #354

Merged
merged 2 commits into from
Jun 5, 2019
16 changes: 11 additions & 5 deletions docs/en/stack/security/authorization/built-in-roles.asciidoc
Expand Up @@ -39,11 +39,13 @@ suitable for writing beats output to {es}.

[[built-in-roles-data-frame-transforms-admin]] `data_frame_transforms_admin` ::
Grants `manage_data_frame_transforms` cluster privileges, which enable you to
manage data frames.
manage data frame transforms. This role also includes the `reserved_ml` {kib}

@kobelb will this level of Kibana privilege be documented anywhere? It doesn't seem we go into that level of detail in https://www.elastic.co/guide/en/kibana/master/kibana-privileges.html so maybe we should omit it here too? e.g. Change it to something like "Users with this role have all {ml} feature privileges in Kibana".

That's a good point... we've generally hidden the concept of "Kibana reserved privileges" from end-users, so the phrasing which you've recommended might make this less confusing to users.

Thanks @kobelb ! @droberts195 I've drafted suggestions for the changes.

droberts195 marked this conversation as resolved.
application privilege which makes the {kib} {ml} application visible.

[[built-in-roles-data-frame-transforms-user]] `data_frame_transforms_user` ::
Grants `monitor_data_fram_transforms` cluster privileges, which enable you to
use data frames.
use data frame transforms. This role also includes the `reserved_ml` {kib}
application privilege which makes the {kib} {ml} application visible.

[[built-in-roles-ingest-user]] `ingest_admin` ::
Grants access to manage *all* index templates and *all* ingest pipeline configurations.
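Review bot: In the `data_frame_transforms_user` entry the cluster privilege is written `monitor_data_fram_transforms`, which does not follow the `manage_data_frame_transforms` spelling used in the admin entry above and looks like a dropped "e". Since this change already rewrites the sentence that follows, correct the name in the same edit (assuming the intended name is `monitor_data_frame_transforms`) so that anyone copying it into a role definition gets a valid privilege. Separately, both added sentences describe `reserved_ml` only as making the {kib} {ml} application "visible"; with a monitor-level role and a manage-level role receiving the same privilege, the text should say what access it confers in {kib}, along the lines of the wording proposed in the thread ("Users with this role have all {ml} feature privileges in Kibana").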
Expand Down Expand Up @@ -92,19 +94,23 @@ suitable for use within a Logstash pipeline.
[[built-in-roles-ml-admin]] `machine_learning_admin`::
Grants `manage_ml` cluster privileges, read access to `.ml-anomalies*`,
`.ml-notifications*`, `.ml-state*`, `.ml-meta*` indices and write access to
`.ml-annotations*` indices.
`.ml-annotations*` indices. This role also includes the `reserved_ml` {kib}
application privilege which makes the {kib} {ml} application visible.

[[built-in-roles-ml-user]] `machine_learning_user`::
Grants the minimum privileges required to view {ml} configuration,
status, and work with results. This role grants `monitor_ml` cluster privileges,
read access to the `.ml-notifications` and `.ml-anomalies*` indices
(which store {ml} results), and write access to `.ml-annotations*` indices.
This role also includes the `reserved_ml` {kib} application privilege which
makes the {kib} {ml} application visible.

[[built-in-roles-monitoring-user]] `monitoring_user`::
Grants the minimum privileges required for any user of {monitoring} other than those
required to use {kib}. This role grants access to the monitoring indices and grants
privileges necessary for reading basic cluster information. Monitoring users should
also be assigned the `kibana_user` role.
privileges necessary for reading basic cluster information. This role also includes
the `reserved_monitoring` {kib} application privilege which makes the {kib} monitoring
application visible. Monitoring users should also be assigned the `kibana_user` role.

[[built-in-roles-remote-monitoring-agent]] `remote_monitoring_agent`::
Grants the minimum privileges required to write data into the monitoring indices
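Review bot: The `monitoring_user` entry now reads inconsistently: it opens by saying the role grants the minimum privileges "other than those required to use {kib}", then states that it includes the `reserved_monitoring` {kib} application privilege, and still ends by telling readers to assign `kibana_user`. Spell out what the application privilege covers and what `kibana_user` adds on top of it, so an administrator neither assumes this role alone is sufficient nor grants more than is needed. In the same hunk, the `machine_learning_user` entry lists `.ml-notifications` without a trailing wildcard while the `machine_learning_admin` entry lists `.ml-notifications*`; confirm which pattern is intended and make the two entries agree.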