Manage snapshot cluster privilege #67538

albertzaharovits · 2021-01-14T20:42:50Z

Drawing inspiration from https://www.elastic.co/guide/en/elasticsearch/reference/current/slm-and-security.html it appears that we're lacking a kind of manage_snapshot cluster privilege.
We currently have the monitor_snapshot and create_snapshot privileges and I think it would be sensible to also add a new manage_snapshot one.

monitor_snapshot permits listing the repositories, not only the snapshots inside the repositories, in addition to the obvious snapshot status check.
create_snapshot extends monitor_snapshot, to also grant permission to create snapshots to existing repositories
manage_snapshots , I think, should extend create_snapshot to permit deleting snapshots and deleting repositories.
Importantly, I don't think it should grant permissions to create repositories, because that would grant access to transfer data to any accessible location of the user's choice (IMO manage is a fitting privilege for that).

The text was updated successfully, but these errors were encountered:

elasticmachine · 2021-01-14T20:42:52Z

Pinging @elastic/es-security (Team:Security)

albertzaharovits added >enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Jan 14, 2021

albertzaharovits self-assigned this Jan 14, 2021

elasticmachine added the Team:Security Meta label for security team label Jan 14, 2021

Provide feedback