Minimum permission for running support diagnostics #774

Open
Leaf-Lin opened this issue Dec 13, 2024 · 0 comments

@Leaf-Lin
Contributor

In the support diagnostics doc, it is mentioned that:

> The superuser role is recommended unless you are familar enough with the calls being made to tailor your own accounts and roles.

(BTW, there's a typo on familiar.)

It might be useful to spell out exactly what permissions are required, especially for security-conscientious users.

Here's a proposed role as the minimum permission for support diagnostics:

```
PUT _security/role/support_diagnostics_role
{
  "cluster": [
    "monitor",
    "monitor_enrich",
    "monitor_snapshot",
    "read_ilm",
    "read_pipeline",
    "read_security",
    "manage_autoscaling",
    "manage_ccr",
    "manage_logstash_pipelines",
    "manage_slm",
    "manage_transform"
  ],
  "indices": [
    {
      "names": [
        "*"
      ],
      "privileges": [
        "view_index_metadata",
        "monitor"
      ],
      "allow_restricted_indices": false
    }
  ],
  "transient_metadata": {
    "enabled": true
  }
}
```

Using the above role, there will still be a few APIs that are unable to run, but I think those APIs are not essential for understanding cluster issues. The additional privileges required (see the list below) may cause potential security issues, so it is better not to include them.

| APIs | Privileges required | Use | Note |
| --- | --- | --- | --- |
| /_cat/count | indices [read,all] | Provides quick access to a document count for a data stream, an index, or an entire cluster. | |
| /_count | indices [read,all] | Gets the number of matches for a search query. | |
| /_dangling?human | cluster [manage,all] | Lists dangling indices. | |
| /_internal/desired_balance | cluster [manage,all] | Show balancing stats such as distribution of shards, disk and ingest forecasts across nodes and data tiers (based on the current cluster state) | Direct use is not supported |
| /_nodes/shutdown | cluster [manage,all] | Retrieves the status of a node that’s being prepared for shutdown. | Direct use is not supported |
| /_searchable_snapshots/cache/stats?human | cluster [manage,all] | Retrieves statistics about the shared cache for partially mounted indices. | |
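
An added example, not part of the original issue or the project's code: a Python check that runs over the proposed role and the excluded-API table above, reporting which listed APIs stay blocked and which granted privileges allow changes rather than reads. The function names, the literal-name matching and the rule that a cluster privilege named `all` or starting with `manage` is change-capable are assumptions of this example.

```python
# Role proposed in the issue (copied from the page).
ROLE = {
    "cluster": ["monitor", "monitor_enrich", "monitor_snapshot", "read_ilm",
                "read_pipeline", "read_security", "manage_autoscaling",
                "manage_ccr", "manage_logstash_pipelines", "manage_slm",
                "manage_transform"],
    "indices": [{"names": ["*"],
                 "privileges": ["view_index_metadata", "monitor"],
                 "allow_restricted_indices": False}],
}
# Excluded APIs from the table: scope, and the privileges any one of which is needed.
EXCLUDED = {
    "/_cat/count": ("indices", {"read", "all"}),
    "/_count": ("indices", {"read", "all"}),
    "/_dangling?human": ("cluster", {"manage", "all"}),
    "/_internal/desired_balance": ("cluster", {"manage", "all"}),
    "/_nodes/shutdown": ("cluster", {"manage", "all"}),
    "/_searchable_snapshots/cache/stats?human": ("cluster", {"manage", "all"}),
}
# Assumption: index privileges that expose metadata and stats but no documents.
METADATA_ONLY = {"view_index_metadata", "monitor"}

def granted(role, scope):
    """Privilege names the role lists for 'cluster' or 'indices'."""
    if scope == "cluster":
        return set(role.get("cluster", []))
    return {p for entry in role.get("indices", []) for p in entry["privileges"]}

def still_blocked(role, excluded=EXCLUDED):
    """Table APIs the role cannot call (literal names, no implied privileges)."""
    return sorted(api for api, (scope, needs) in excluded.items()
                  if not needs & granted(role, scope))

def review(role):
    """Findings to raise before deploying the role."""
    findings = []
    for priv in role.get("cluster", []):
        if priv == "all" or priv.startswith("manage"):  # naming heuristic
            findings.append(f"cluster privilege '{priv}' allows changes")
    for entry in role.get("indices", []):
        extra = sorted(set(entry["privileges"]) - METADATA_ONLY)
        if extra:
            findings.append(f"index privileges {extra} go beyond metadata")
        if entry.get("allow_restricted_indices"):
            findings.append("role reaches restricted indices")
    return findings

if __name__ == "__main__":
    print("\n".join(still_blocked(ROLE) + review(ROLE)))
```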