Manage snapshot cluster privilege #67538
Labels: >enhancement; :Security/Authorization (Roles, Privileges, DLS/FLS, RBAC/ABAC); Team:Security (Meta label for security team)
Drawing inspiration from https://www.elastic.co/guide/en/elasticsearch/reference/current/slm-and-security.html it appears that we're lacking a kind of `manage_snapshot` cluster privilege.

We currently have the `monitor_snapshot` and `create_snapshot` privileges and I think it would be sensible to also add a new `manage_snapshot` one.

- `monitor_snapshot` permits listing the repositories, not only the snapshots inside the repositories, in addition to the obvious snapshot status check.
- `create_snapshot` extends `monitor_snapshot`, to also grant permission to create snapshots to existing repositories.
- `manage_snapshots`, I think, should extend `create_snapshot` to permit deleting snapshots and deleting repositories.

Importantly, I don't think it should grant permissions to create repositories, because that would grant access to transfer data to any accessible location of the user's choice (IMO `manage` is a fitting privilege for that).
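The hierarchy proposed above, modelled as an added example (not part of the original issue and not Elasticsearch's implementation). The mapping of each privilege to `cluster:admin/...` action-name patterns and the simplified `cluster:*` pattern for `manage` are assumptions of this sketch; it checks that the proposed `manage_snapshot` can delete snapshots and repositories but cannot register a new repository.

```python
from fnmatch import fnmatchcase

# Assumed mapping of privileges to cluster action-name patterns (illustrative).
MONITOR_SNAPSHOT = {
    "cluster:admin/repository/get",    # list repositories
    "cluster:admin/snapshot/get",      # list snapshots
    "cluster:admin/snapshot/status*",  # snapshot status check
}
CREATE_SNAPSHOT = MONITOR_SNAPSHOT | {"cluster:admin/snapshot/create"}
# Proposed privilege: adds deletion, deliberately omits repository/put.
MANAGE_SNAPSHOT = CREATE_SNAPSHOT | {
    "cluster:admin/snapshot/delete",
    "cluster:admin/repository/delete",
}

PRIVILEGES = {
    "monitor_snapshot": MONITOR_SNAPSHOT,
    "create_snapshot": CREATE_SNAPSHOT,
    "manage_snapshot": MANAGE_SNAPSHOT,  # hypothetical, as proposed in the issue
    "manage": {"cluster:*"},             # simplified stand-in for the broad privilege
}

# Constructed sample of actions to evaluate against each privilege.
SAMPLE_ACTIONS = [
    "cluster:admin/repository/get",
    "cluster:admin/snapshot/get",
    "cluster:admin/snapshot/status",
    "cluster:admin/snapshot/create",
    "cluster:admin/snapshot/delete",
    "cluster:admin/repository/delete",
    "cluster:admin/repository/put",  # registers a repository at a chosen location
]

def is_allowed(privilege, action):
    """True if any pattern granted by the privilege matches the action name."""
    return any(fnmatchcase(action, p) for p in PRIVILEGES[privilege])

def extends(child, parent):
    """True if child allows every sample action that parent allows."""
    return all(is_allowed(child, a) for a in SAMPLE_ACTIONS if is_allowed(parent, a))

def denied(privilege):
    """Sample actions the privilege does not grant."""
    return [a for a in SAMPLE_ACTIONS if not is_allowed(privilege, a)]

if __name__ == "__main__":
    for name in PRIVILEGES:
        print(f"{name:17} denied: {denied(name)}")
```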