separate permissions from all_access #351

mbchris · 2020-11-24T09:46:03Z

Is your feature request related to a problem? Please describe.
As documented, using index management features is only supported when caller is a member of the all_access role:

To use the ISM plugin, your user role needs to be mapped to the all_access role that gives you full access to the cluster. To learn more, see Users and roles.

This means that it is not possible to delegate index management API calls to partner systems without giving them full cluster management access .

Describe the solution you'd like

The API calls for creating/updating/deleting an ISM policy should be a separate permission which is assignable to a custom role.

e.g.

cluster:admin/opendistro/ism/get
cluster:admin/opendistro/ism/write
cluster:admin/opendistro/ism/delete
cluster:admin/opendistro/ism/retry

Describe alternatives you've considered

Additional context

The text was updated successfully, but these errors were encountered:

dbbaughe · 2020-12-18T17:53:25Z

This is in progress as we migrate ISM to the security model implemented by alerting/AD.

mbchris added the enhancement An improvement on the existing feature’s functionalities label Nov 24, 2020

chenqi0805 mentioned this issue Feb 18, 2021

ISM access in ES sink needs all_access permission opendistro-for-elasticsearch/data-prepper#340

Open

adityaj1107 mentioned this issue Jun 3, 2021

separate permissions from all_access opensearch-project/index-management#50

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

separate permissions from all_access #351

separate permissions from all_access #351

mbchris commented Nov 24, 2020

dbbaughe commented Dec 18, 2020

separate permissions from all_access #351

separate permissions from all_access #351

Comments

mbchris commented Nov 24, 2020

Describe alternatives you've considered

Additional context

dbbaughe commented Dec 18, 2020