Closed crabhi closed 4 months ago
The docs say that read_slm or manage_slm is needed; the error message only gives manage_slm. So either the docs or the code is incorrect.
Pinging @elastic/es-security (Team:Security)
I can confirm this is a genuine (code) bug. SLM status used to be part of the ILM status response. Therefore the existing read_slm privilege grants permission for ILM status. But the SLM status API has been split out to be its own API for several years now. The read_slm privilege is outdated.
As a workaround, use the following cluster privileges:
cluster: ["monitor", "read_slm", "cluster:admin/snapshot/status", "cluster:admin/repository/get", "cluster:admin/slm/stats", "cluster:admin/slm/status"]
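The workaround above works because a role's cluster entry may list raw action names next to named privileges, and a named privilege is only a bundle of action patterns that can drift behind the API surface. The model below is an added illustration, not Elasticsearch's code or its real privilege table: the action-name table is a simplified assumption built from what this thread states (read_slm covered ILM status but not GET /_slm/status before the fix; the workaround lists the SLM actions explicitly), and the ILM status action name in it is a placeholder. It shows the same role checked against the SLM status action before and after read_slm is extended.

```python
"""Simplified model of cluster-privilege resolution (added example, not Elasticsearch code)."""
import fnmatch
from typing import Dict, Iterable, List, Set

# Assumed, simplified tables: named cluster privilege -> action patterns it expands to.
# "cluster:admin/ilm/operation_mode/get" is a PLACEHOLDER name for the ILM status action;
# the SLM action names are the ones listed in the workaround role above.
NAMED_PRIVILEGES_BEFORE_FIX: Dict[str, Set[str]] = {
    "monitor": {"cluster:monitor/*"},
    # Before the fix: read_slm covers ILM status but nothing under cluster:admin/slm/.
    "read_slm": {"cluster:admin/ilm/operation_mode/get"},
    # manage_slm is what the 403 message asks for, so it must cover the SLM status action.
    "manage_slm": {"cluster:admin/slm/*", "cluster:admin/ilm/operation_mode/get"},
}

# After PR 108333 (as described in the thread): read_slm also grants the SLM status action.
NAMED_PRIVILEGES_AFTER_FIX: Dict[str, Set[str]] = {
    **NAMED_PRIVILEGES_BEFORE_FIX,
    "read_slm": NAMED_PRIVILEGES_BEFORE_FIX["read_slm"] | {"cluster:admin/slm/status"},
}

SLM_STATUS_ACTION = "cluster:admin/slm/status"

# Role definitions taken from the thread.
READ_ONLY_ROLE: List[str] = ["read_slm"]
WORKAROUND_ROLE: List[str] = [
    "monitor", "read_slm",
    "cluster:admin/snapshot/status", "cluster:admin/repository/get",
    "cluster:admin/slm/stats", "cluster:admin/slm/status",
]


def expand_cluster_entries(role_cluster: Iterable[str], table: Dict[str, Set[str]]) -> Set[str]:
    """Resolve a role's cluster entries to action patterns.

    A known privilege name expands to its bundle; anything else is treated as a raw
    action name or wildcard pattern, which is exactly how the workaround role sidesteps
    the outdated read_slm bundle.
    """
    patterns: Set[str] = set()
    for entry in role_cluster:
        if entry in table:
            patterns |= table[entry]
        else:
            patterns.add(entry)
    return patterns


def is_authorized(role_cluster: Iterable[str], action: str, table: Dict[str, Set[str]]) -> bool:
    """True if any resolved pattern matches the action (case-sensitive '*' wildcard)."""
    return any(fnmatch.fnmatchcase(action, pattern)
               for pattern in expand_cluster_entries(role_cluster, table))


def missing_actions(role_cluster: Iterable[str], actions: Iterable[str],
                    table: Dict[str, Set[str]]) -> List[str]:
    """Actions the role does not cover, in the order given; useful to see what a
    hand-written workaround still has to list explicitly."""
    return [a for a in actions if not is_authorized(role_cluster, a, table)]


if __name__ == "__main__":
    for label, table in (("before fix", NAMED_PRIVILEGES_BEFORE_FIX),
                         ("after fix", NAMED_PRIVILEGES_AFTER_FIX)):
        print(f"[{label}] read_slm only  -> {SLM_STATUS_ACTION}: "
              f"{is_authorized(READ_ONLY_ROLE, SLM_STATUS_ACTION, table)}")
        print(f"[{label}] workaround role -> {SLM_STATUS_ACTION}: "
              f"{is_authorized(WORKAROUND_ROLE, SLM_STATUS_ACTION, table)}")
```

Listing raw action names in a role is a legitimate escape hatch when a named privilege lags behind an API, but it should be revisited once the named privilege is fixed, since the explicit grants stay in place even after the bundle catches up.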
Pinging @elastic/es-data-management (Team:Data Management)
> I can confirm this is a genuine (code) bug. SLM status used to be part of the ILM status response. Therefore the existing read_slm privilege grants permission for ILM status. But the SLM status API has been split out to be its own API for several years now. The read_slm privilege is outdated.
So it seems clear we should add GET SLM status access to read_slm. Should we also remove the ILM status access? Ideally we would, but this would be a breaking change (I think).
Splitting this into two PRs. https://github.com/elastic/elasticsearch/pull/108333 does the primary ask of this ticket as it adds access to /_slm/status to read_slm. The second PR (not yet created) will remove access to GET /_ilm/status from read_slm. Putting these in separate PRs as removing access to /_ilm/status is a breaking change and needs to go through the breaking change process.
Closing this issue as it is fixed by https://github.com/elastic/elasticsearch/pull/108333 . The additional work on removing ILM access from SLM privileges is tracked in https://github.com/elastic/elasticsearch/pull/108485 .
Elasticsearch Version
8.6.1
Installed Plugins
No response
Java Version
bundled
OS Version
Linux 5.10.0-19-cloud-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64 GNU/Linux
Problem Description
Calling GET _slm/status returns 403 even if the role has the read_slm privilege, although the docs say that read_slm should be enough.
Steps to Reproduce
Having a role that contains the read_slm cluster privilege, making a request to _slm/status fails with a message requesting manage_slm or higher.
Logs (if relevant)
No response