[DOC] Document the fact ILM actions are executed by the user who created the ILM policy #66279

Closed
@lucabelluccini

Description

The ILM documentation should contain a paragraph mentioning the fact that an ILM policy runs with the roles the user had at the moment the policy was created.
In particular, it takes a "snapshot" of the user's list of roles at the moment of the ILM policy creation.

How to reproduce

Set up ILM to trigger every 30s. Execute as the elastic user:

PUT _cluster/settings
{
  "persistent": {
    "indices.lifecycle.poll_interval": "30s"
  }
}

Create a role mytest. Execute as the elastic user:

PUT _security/role/mytest
{
  "cluster": [
    "monitor",
    "manage_index_templates",
    "manage_ilm"
  ],
  "indices": []
}

Assign the role to a test user.

{
  "username" : "testtest",
  "roles" : [
    "mykibana",
    "mytest"
  ], ...

Install the ILM policy as the test user:

PUT _ilm/policy/mypolicy
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_docs": 1
          }
        }
      }
    }
  }
}

Install the template as the test user:

POST _template/myindexwithpolicy
{
  "index_patterns": [
    "myindextest-*"
  ],
  "settings": {
    "index": {
      "lifecycle": {
        "name": "mypolicy",
        "rollover_alias": "myindextestalias"
      }
    }
  },
  "mappings": {},
  "aliases": {}
}

Create a role mytest2 as the elastic user:

PUT _security/role/mytest2
{
  "cluster": [
    "monitor",
    "manage_index_templates",
    "manage_ilm"
  ],
  "indices": [
    {
      "names": [
        "myindextest-*",
        "myindextestalias"
      ],
      "privileges": [
        "write",
        "create_index",
        "monitor",
        "manage",
        "manage_ilm"
      ],
      "field_security": {
        "grant": [
          "*"
        ]
      },
      "allow_restricted_indices": false
    }
  ]
}

Add the role to the test user.

{
  "username" : "testtest",
  "roles" : [
    "mykibana",
    "mytest",
    "mytest2"
  ], ...

Bootstrap the index and add a few documents:

PUT myindextest-000001
{
  "aliases": {
    "myindextestalias": {
      "is_write_index": true
    }
  }
}

POST myindextestalias/_doc/1?refresh=true
{
  "dummy": 1
}

POST myindextestalias/_doc/2?refresh=true
{
  "dummy": 1
}

Wait 30s...

Check the ILM status:

GET myindextest-*/_ilm/explain?pretty

Result:

   "step_info" : {
        "type" : "security_exception",
        "reason" : "action [indices:admin/rollover] is unauthorized for user [testtest]",
        "stack_trace" : """ElasticsearchSecurityException[action [indices:admin/rollover] is unauthorized for user [testtest]]
	at org.elasticsearch.xpack.core.security.support.Exceptions.authorizationError(Exceptions.java:34)
	at org.elasticsearch.xpack.security.authz.AuthorizationService.denialException(AuthorizationService.java:613)...

Solution: update the existing role with the correct settings instead of adding another role.
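As an added example (not part of the issue and not Elasticsearch code), the following Python script scans the JSON of a GET <indices>/_ilm/explain response for steps that failed with the security_exception shown above and reports, per policy, which stored user identity was denied which action. The explain response embedded below is a constructed sample modelled on the quoted error, not captured output; the field layout (indices, managed, policy, step_info.type, step_info.reason) follows the explain API, the failed_step value is an assumed placeholder, and the regular expression assumes the "action [...] is unauthorized for user [...]" message format shown in the issue.

```python
import json
import re
import sys

# Constructed sample of a GET myindextest-*/_ilm/explain response, modelled on the
# security_exception quoted in the issue; it was not captured from a real cluster.
# The failed_step value is an assumed placeholder.
SAMPLE_EXPLAIN = json.dumps({
    "indices": {
        "myindextest-000001": {
            "index": "myindextest-000001",
            "managed": True,
            "policy": "mypolicy",
            "phase": "hot",
            "action": "rollover",
            "step": "ERROR",
            "failed_step": "attempt-rollover",
            "step_info": {
                "type": "security_exception",
                "reason": "action [indices:admin/rollover] is unauthorized for user [testtest]",
            },
        },
        "otherindex-000001": {
            "index": "otherindex-000001",
            "managed": True,
            "policy": "otherpolicy",
            "phase": "hot",
            "action": "rollover",
            "step": "check-rollover-ready",
        },
        "plain-index": {"index": "plain-index", "managed": False},
    }
})

# Matches the reason string format shown in the issue.
UNAUTHORIZED_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
)


def find_unauthorized_ilm_steps(explain_json):
    """Return one record per managed index whose current ILM step failed with a
    security_exception, including the denied action and the user ILM ran as."""
    explain = json.loads(explain_json)
    findings = []
    for name, info in explain.get("indices", {}).items():
        if not info.get("managed"):
            continue  # unmanaged indices carry no ILM state
        step_info = info.get("step_info") or {}
        if step_info.get("type") != "security_exception":
            continue
        match = UNAUTHORIZED_RE.search(step_info.get("reason", ""))
        findings.append({
            "index": name,
            "policy": info.get("policy"),
            "phase": info.get("phase"),
            "ilm_action": info.get("action"),
            "failed_step": info.get("failed_step"),
            "denied_action": match.group("action") if match else None,
            "user": match.group("user") if match else None,
        })
    return findings


def summarize_by_policy(findings):
    """Group findings per (policy, user): one entry per stored identity that
    lacks a privilege, with the affected indices and the denied actions."""
    summary = {}
    for f in findings:
        key = (f["policy"], f["user"])
        entry = summary.setdefault(key, {"indices": [], "denied_actions": set()})
        entry["indices"].append(f["index"])
        if f["denied_action"]:
            entry["denied_actions"].add(f["denied_action"])
    return summary


if __name__ == "__main__":
    # Read real explain output from stdin when piped; otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EXPLAIN
    for (policy, user), entry in summarize_by_policy(find_unauthorized_ilm_steps(raw)).items():
        print(f"policy {policy!r} runs as user {user!r}; "
              f"denied: {sorted(entry['denied_actions'])}; indices: {entry['indices']}")
```

Pipe the output of the explain request into the script to run it against a live cluster. A non-empty report means the roles stored with the policy at creation time do not cover the listed action, which is the situation the issue reproduces; the fix the issue gives is to update the existing role rather than add a new one to the user.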
