[Documentation] Update doc to include missing API attribute #88751

Open, wants to merge 1 commit into base: main

RobsonSutton
Contributor

@elasticsearchmachine added the needs:triage, external-contributor and v8.4.0 labels Jul 23, 2022
@RobsonSutton
Contributor Author

Related to #81400 - requirement for setting this may increase now that these permissions have been removed from the superuser role

@pugnascotia added the >docs label Jul 25, 2022
@elasticsearchmachine added the Team:Docs label Jul 25, 2022
@elasticsearchmachine
Collaborator

Pinging @elastic/es-docs (Team:Docs)

@elasticsearchmachine removed the needs:triage label Jul 25, 2022
@mark-vieira added v8.5.0 and removed v8.4.0 labels Jul 27, 2022
@tobio assigned tobio and unassigned tobio Jul 28, 2022
@csoulios added v8.6.0 and removed v8.5.0 labels Sep 21, 2022
@kingherc added v8.7.0 and removed v8.6.0 labels Nov 16, 2022
@abdonpijpelink added the :Security/Authorization label Jan 12, 2023
@elasticsearchmachine added the Team:Security label Jan 12, 2023
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@abdonpijpelink
Contributor

Would someone in the @elastic/es-security team mind taking a look at this proposed description for the allow_restricted_indices field of the Create or update roles API?

For example, in the Has privileges API docs we describe allow_restricted_indices as pasted below. I wonder if we should use that description instead.

(Boolean) This needs to be set to true (default is false) if using wildcards or regexps for patterns that cover restricted indices. Implicitly, restricted indices do not match index patterns because restricted indices usually have limited privileges and including them in pattern tests would render most such tests false. If restricted indices are explicitly included in the names list, privileges will be checked against them regardless of the value of allow_restricted_indices.

@ywangd
Member

ywangd commented Jan 13, 2023

There is no good reason to manually write to any system indices. If read permission is needed, the superuser role is available. I suspect it might be intentional that this parameter is not documented. I don't have all the history context for it, but I slightly prefer leaving it out as is. If we do want to document it, some form of warning like what's proposed in the PR is helpful.

@RobsonSutton
Contributor Author

@ywangd - For a bit of context, the support of this setting was requested by a consumer in the elasticstack terraform provider (elastic/terraform-provider-elasticstack#125) off the back of elastic support advice by the looks of it (I think this may be the ref. - ITSI-17455). The setting has been added to the provider and the TF docs updated accordingly (elastic/terraform-provider-elasticstack#126).

Just figured I'd add to the API docs too for clarity is all so it was consistent across different sources of documentation 👍

@ywangd
Member

ywangd commented Jan 16, 2023

@RobsonSutton I am not familiar with the elastic stack terraform provider code. But why would the code want to provision a role that has write permission to system indices? As commented earlier, it is generally not recommended unless for ad hoc emergency recovery. I suspect this is not the case for the terraform provider? Is the designated service account (e.g. elastic/fleet-server) not helpful in the use case? If so, this might be considered a bug in itself instead of trying to create a separate role.
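
An added example, not part of the thread or of the Elasticsearch code base: a short Python audit that flags role definitions whose index entries set allow_restricted_indices to true, and rates those that also grant write-type privileges as high, the combination questioned in the comment above. The role names and the sample JSON are constructed; the shape is assumed to follow the body returned by the get roles API.

```python
import json

# Index privileges that allow changing documents or the index itself.
WRITE_PRIVILEGES = {"all", "write", "index", "create", "create_doc",
                    "delete", "manage", "create_index", "delete_index"}

# Constructed sample, shaped like the body returned by GET /_security/role.
SAMPLE_ROLES = json.loads("""
{
  "tf_provisioned": {
    "cluster": ["monitor"],
    "indices": [
      {"names": ["*"], "privileges": ["write"], "allow_restricted_indices": true},
      {"names": ["logs-*"], "privileges": ["read"]}
    ]
  },
  "sys_reader": {
    "indices": [
      {"names": [".security*"], "privileges": ["read"], "allow_restricted_indices": true}
    ]
  },
  "app_writer": {
    "indices": [
      {"names": ["app-*"], "privileges": ["index", "create_index"]}
    ]
  }
}
""")


def audit_roles(roles):
    """Return one finding per index entry that opts in to restricted indices."""
    findings = []
    for role_name, role in sorted(roles.items()):
        for entry in role.get("indices", []):
            # The flag defaults to false, so a missing key means no opt-in.
            if not entry.get("allow_restricted_indices", False):
                continue
            granted = {p.lower() for p in entry.get("privileges", [])}
            write = sorted(granted & WRITE_PRIVILEGES)
            findings.append({
                "role": role_name,
                "names": entry.get("names", []),
                "write_privileges": write,
                "severity": "high" if write else "review",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES):
        print(json.dumps(finding))
```
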

@RobsonSutton
Contributor Author

@ywangd - Apologies I'm not too sure of what the specific reasoning was for enabling this setting, it just appears that the user that raised the issue was advised to raise an issue to enable this setting by elastic support. I don't work for elastic so unfortunately don't have access to look into the support case for the consumer that raised the initial issue (elastic/terraform-provider-elasticstack#125), is this something you are able to view for more context?

@rjernst added v8.8.0 and removed v8.7.0 labels Feb 8, 2023
@gmarouli added v8.9.0 and removed v8.8.0 labels Apr 26, 2023
@leemthompo
Contributor

Important

Elastic documentation is migrating to Markdown for version 9.0+. See the migration guide for details.

ℹ️ What's happening?

  • Starting January 29, we will start closing all unmerged documentation PRs targeting main/master
  • We're migrating from AsciiDoc to Markdown for 9.0+
  • 9.0 docs will be frozen from January 29 until February 20 2024
  • NOTE: PRs that include both code and documentation changes will remain open

What do I need to do?

For <=8.x docs:

  1. Rebase your PR to target the relevant 8.x branch instead
  2. The content can remain in AsciiDoc format

For 9.0+ docs:

Option 1:

  • Draft docs in Markdown
  • Once migration freeze ends, find the relevant page in the new docs system and use the edit options to submit your changes

Option 2:

💡 Need help?

  1. For Elasticians: Ask in #docs Slack channel
  2. For external contributors: Open an issue in elastic/docs-content

Labels: >docs, external-contributor, :Security/Authorization, Team:Docs, Team:Security, v9.1.0