Access control about the watcher

alerting

(talonyuan) #1

Hi,
I want to assign a user the permission to create and read watchers, but no permission to delete them. Can you tell me how to configure the roles? Below is my configuration, but the user can not only create the watcher but also delete it.
POST /_xpack/security/role/test_power_role
{
  "cluster": [ "monitor" ],
  "indices": [
    {
      "names": [ "telemetry_processing_eventflow*" ],
      "privileges": [
        "manage",
        "read",
        "index"
      ]
    },
    {
      "names": [
        ".kibana*"
      ],
      "privileges": [
        "manage",
        "read",
        "index"
      ]
    },
    {
      "names": [
        ".watches"
      ],
      "privileges": [
        "read",
        "create"
      ]
    }
  ]
}

PUT /_xpack/security/role_mapping/test_power_mapping
{
  "roles": [ "test_power_role", "monitoring_user", "watcher_admin" ],
  "enabled": true,
  "rules": {
    "field": { "metadata.saml(Group)": "corp.elasticsearch.test" }
  }
}
The Elasticsearch version is 6.3.1.


(Alexander Reelsen) #2

Instead of using the watcher_admin role, you could allow for fine-grained permissions on a transport action basis, like allowing cluster:admin/xpack/watcher/watch/put but not allowing cluster:admin/xpack/watcher/watch/delete.
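The following is an added example, not code from the thread or from Elastic. It builds the role body the answer suggests (explicit watcher transport actions in the cluster privilege list instead of the broad watcher_admin role) and models how an action name is matched against that list, so you can see that the explicit list permits put and get but not delete, while a wildcard grant like `cluster:admin/xpack/watcher/*` permits everything. The get action name `cluster:admin/xpack/watcher/watch/get` is assumed to follow the same naming scheme as the put and delete actions in the answer; the matching function is a simplified model of the real privilege resolver (named privileges such as `monitor` are not expanded), and the role mapping drops watcher_admin so the mapped user only gets the explicit role.

```python
import fnmatch
import json

# Action names from the answer; the "get" action is an assumption based on the
# same cluster:admin/xpack/watcher/watch/<op> naming scheme and should be checked
# against the Elasticsearch version in use.
WATCH_PUT = "cluster:admin/xpack/watcher/watch/put"
WATCH_GET = "cluster:admin/xpack/watcher/watch/get"
WATCH_DELETE = "cluster:admin/xpack/watcher/watch/delete"

# Least-privilege role: explicit action names, no watcher_admin and no wildcard.
TEST_POWER_ROLE = {
    "cluster": ["monitor", WATCH_PUT, WATCH_GET],
    "indices": [
        {"names": ["telemetry_processing_eventflow*"],
         "privileges": ["manage", "read", "index"]},
        {"names": [".kibana*"],
         "privileges": ["manage", "read", "index"]},
    ],
}

# Constructed broad role for comparison: a wildcard over the watcher actions.
BROAD_WATCHER_ROLE = {
    "cluster": ["monitor", "cluster:admin/xpack/watcher/*"],
    "indices": [],
}

# Role mapping from the question, with watcher_admin removed.
TEST_POWER_MAPPING = {
    "roles": ["test_power_role", "monitoring_user"],
    "enabled": True,
    "rules": {"field": {"metadata.saml(Group)": "corp.elasticsearch.test"}},
}


def role_allows(role, action):
    """Simplified model of cluster privilege matching.

    Entries containing ':' are treated as raw action names or wildcard patterns
    and matched case-sensitively; named privileges like "monitor" are skipped
    because expanding them requires the server-side privilege table.
    """
    for priv in role["cluster"]:
        if ":" not in priv:
            continue
        if fnmatch.fnmatchcase(action, priv):
            return True
    return False


def watcher_actions_allowed(role):
    """Return the watcher watch actions (of the three modelled here) the role permits."""
    return [a for a in (WATCH_PUT, WATCH_GET, WATCH_DELETE) if role_allows(role, a)]


def build_requests():
    """Return (method, path, body) tuples for the role and mapping, as in the question."""
    return [
        ("POST", "/_xpack/security/role/test_power_role",
         json.dumps(TEST_POWER_ROLE, indent=2)),
        ("PUT", "/_xpack/security/role_mapping/test_power_mapping",
         json.dumps(TEST_POWER_MAPPING, indent=2)),
    ]


if __name__ == "__main__":
    for method, path, body in build_requests():
        print(f"{method} {path}\n{body}\n")
    print("explicit role allows:", watcher_actions_allowed(TEST_POWER_ROLE))
    print("wildcard role allows:", watcher_actions_allowed(BROAD_WATCHER_ROLE))
```

Running the script prints the two request bodies in the same form as the question's REST calls and then lists which watch actions each role permits; the explicit role yields put and get only, the wildcard role yields all three. After applying the real role, verify the behaviour end to end by authenticating as the mapped user and attempting a delete, which should be rejected with a security exception.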