add clarification to elasticsearch privileges #4704

Open
wants to merge 3 commits into
base: main
37 changes: 24 additions & 13 deletions docs/self-managed/concepts/elasticsearch-privileges.md
Expand Up @@ -3,32 +3,43 @@ id: elasticsearch-privileges
title: "Elasticsearch privileges"
---

If you implement Camunda 8 with Elasticsearch as a service provider, you must configure Elasticsearch with the following [privileges](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html) in mind:
If you implement Camunda 8 with Elasticsearch as a service provider, the following [privileges](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html) may be required:

## Cluster privileges

- `monitor` - necessary for health check
- `manage_index_templates` to create and manage index schema on start up, if they don't already exist in Elasticsearch.
- _Optional_ `manage_ilm` - required only when ILM is enabled
- `monitor` - Required to check the Elasticsearch cluster health. This privilege provides read-only cluster operations permissions.
- `manage_index_templates` - Creates the necessary index templates when Operate, Tasklist, and Optimize are started for the first time, or when updating to a newer version of Camunda 8. Once the index templates are created, you can stop the Component, remove this privilege, and then start Component again.
- `manage_ilm` - _Required when index lifecycle management (ILM) is enabled._ Required to create the necessary ILM policies when Operate, Tasklist, and Optimize are started for the first time, or when updating to a newer version of Camunda 8. Once the ILM policies are created, you can stop the Component, remove this privilege, and then start the Component again.

To use the [backup feature](/self-managed/operational-guides/backup-restore/backup-and-restore.md), you must have snapshot privileges:
### Backup privileges

- `create_snapshot`
- `monitor_snapshot`
To use the [backup feature](/self-managed/operational-guides/backup-restore/backup-and-restore.md), you must have snapshot privileges. You can provide these privileges to each Component before you create a backup, and then revoke them after the backup has been completed:

When [updating](/self-managed/operational-guides/update-guide/introduction.md) to a newer version of Camunda 8 which requires data migration, Operate requires pipelines:
- `create_snapshot` - Creates a backup, or snapshot, of a running cluster.
- `monitor_snapshot` - Provides read-only permissions to list and view snapshot details.

- `manage_pipeline`
### Update privileges

More information on cluster privileges in Elasticsearch can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html#privileges-list-cluster).
When [updating](/self-managed/operational-guides/update-guide/introduction.md) to a newer version of Camunda 8 which requires data migration, the following are required:

- `manage_pipeline` - Allows any data transformations to occur when updating.
- `manage_index_templates` - See [cluster privileges](#cluster-privileges).
- `manage_ilm` - _Required when index lifecycle management (ILM) is enabled._ See [cluster privileges](#cluster-privileges).

These privileges can be granted temporarily during an upgrade:

- Stop the Component, and grant the required privileges
- Start the Component and perform the upgrade
- Stop the Component when the upgrade is complete, and remove any privileges
- Start the Component normally

## Indices privileges

The following permissions are required to read, write, view, and update Elasticsearch indices. More information on indices privileges can be found in the [Elasticsearch documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html#privileges-list-indices).

- `create_index`
- `delete_index`
- `read`
- `write`
- `manage`
- _Optional_ `manage_ilm` - required only when ILM is enabled

More information on indices privileges in Elasticsearch can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html#privileges-list-indices).
- `manage_ilm` - _Required when index lifecycle management (ILM) is enabled._
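
Review bot: In the "These privileges can be granted temporarily during an upgrade" list, the third step says to "remove any privileges", which can be read as removing everything the Component holds, including `monitor` and the indices privileges that the rest of the page lists as required. Name the privileges to revoke (`manage_pipeline`, `manage_index_templates`, and `manage_ilm` where ILM is enabled), and make the four steps a numbered list, since their order matters. The new `manage_index_templates` bullet also ends with "start Component again" where the `manage_ilm` bullet has "start the Component again". In the intro, "may be required" no longer tells the reader which privileges are always needed and which are needed only at first start, for backups, or during an update; one sentence stating that split would help anyone setting up a least-privilege role.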