Expand filebased user for recovering security #2489
Conversation
👋 @elastic/admin-docs, I did try to figure out the links myself from Brandon's earlier guidance but apparently could use more help, sorry 🙂🙏
## Add users | ||
* `roles.yml` for [defining roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles) |
Role configuration is not part of the file realm. IIUC it is a separate mechanism, and roles defined through it can be referenced in users created via the native realm as well.
I believe that, for this specific page, to not have role configuration become part of it we should remove the statement 'security index is gone'. Maybe have this example down below, with a reference for the security index being unavailable, in a second block?
I suggested a simple link to the roles docs here #2492. That is not to say that a more comprehensive edit would not also make sense.
You can reference several secrets in the {{es}} specification. ECK aggregates their content into a single secret, mounted in every {{es}} Pod. | ||
{{es}} recommends following the industry's [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) when granting user permissions. {{es}} follows this guidance itself by [restricting system indices](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure#roles-indices-priv) by default, even from [`superuser` role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles#roles) administrators including the [`elastic` built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users). While recovering {{stack}} {{security-features}}, you may need to temporarily define a role with `allow_restricted_indices` access enabled. For example, expanding the `superuser` role to include `allow_restricted_indices: true` would appear like like new role `superduperuser` definition |
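Review bot: "like like" is doubled and the sentence ends without the `superduperuser` definition it introduces; either add the role block after "would appear like new role `superduperuser` definition:" or drop the sentence. The same paragraph states that system indices are restricted by default even from `superuser`, so a role that adds `allow_restricted_indices: true` on top of `superuser` removes that protection; "temporarily" should be made concrete by telling the reader to delete the role once recovery is complete.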
I am not sure this is the right place for this information. This should go into some kind of troubleshooting page that is not in the flow of what users normally read. Having this in the main docs might be confusing, and users might try dangerous operations endangering the integrity of their cluster.
I agree. I believe that this part should reference role creation because of the mentioned 'security index unavailable', but restricted_index is not part of this topic, as it is indeed not required for all operations.
I think that the information about recovering security does not necessarily belong in this doc. While the file might need to be refactored, introducing this information and the role information blows up the scope of the page. The recovery use case might work better as a standalone tutorial.
see comment
Refactors filebased realm page for clarity & expands examples to include file-based role.yml definitions needed to recover security. Relates #2479