Help Wanted: Elastic Search Docs - Add information about required permissions for Mattermost service account
Mattermost user stu.doherty from https://community-daily.mattermost.com has requested the following be documented:
This seems to work for basic indexing individual posts, full re-index, and purge (I don't lose the roles/users entries I had created):
```jsonc
{
  "cluster": [
    "monitor" // ??????
  ],
  "indices": [
    {
      "names": [
        "channels",
        "users",
        "posts_*"
      ],
      "privileges": [
        "all"
      ],
      "allow_restricted_indices": false
    }
  ],
  "applications": [],
  "metadata": {
    "id": true,
    "index": true
  }
}
```
Now I think I need to ensure the following things work:
- Index roll-up
- ?
Not sure the easiest way to test this on local dev. Would our unit tests help?
See the original post [here](https://community-daily.mattermost.com/_redirect/pl/861i6skr53njjbiptzg4gu5ygc).
_This issue was generated from [Mattermost](https://mattermost.com) using the [Doc Up](https://github.com/jwilander/mattermost-plugin-docup) plugin._
Hey could you describe what needs to be done here? I'm a first time contributor. Thank you for the patience :)
@justinegeffen any guidance you can give @akshitadixit ?
Thanks, @jwilander!
Hi @akshitadixit. Thank you for offering to help with this issue. I recommend confirming with @sadohert as to the changes that need to be made in this document https://docs.mattermost.com/deployment/elasticsearch.html.
As you're a first-time contributor I recommend reading the docs README.md which contains some background and guidelines for contributing to documentation at Mattermost. Please let me know if you have any questions or issues.
Hello @justinegeffen @jwilander, can I work on this if it's available? If yes, is it possible to guide me on the same? Thanks.
@justinegeffen can I work on this?
Hi @yash2189. It looks like @akshitadixit has offered to work on this ticket but I'm not sure whether any work has been started or help is needed.
Hi @justinegeffen , is it fine that I could work on the same since there has not been any response yet?
I'd like to propose allowing @akshitadixit some time to get back to this and in the meantime if you'd be open to some of the other issues that are up for grabs that would be great. I've removed that label from issues that are currently taken so you shouldn't have any blockers.
Hey @justinegeffen thank you for the consideration. I am on it!
Hi All... need to also ensure these permissions are allowed for the service account that connects to Elastic:
`indices:admin/get` privilege
... I believe they're already covered by the role I expressed in the JSON above, but need to confirm:
```jsonc
{
  "cluster": [
    "monitor" // ??????
  ],
  "indices": [
    {
      "names": [
        "channels",
        "users",
        "posts_*"
      ],
      "privileges": [
        "all"
      ],
      "allow_restricted_indices": false
    }
  ],
  "applications": [],
  "metadata": {
    "id": true,
    "index": true
  }
}
```
These should also be documented to account for the possibility of an "IndexPrefix".
Here's another snippet:
```json
{
  "cluster": [
    "monitor",
    "manage_index_templates"
  ],
  "indices": [
    {
      "names": [
        "<MM Elastic Prefix>*"
      ],
      "privileges": [
        "all"
      ],
      "allow_restricted_indices": false
    }
  ],
  "applications": [],
  "metadata": {
    "id": true,
    "index": true
  }
}
```
hi is this issue still available?
Hi @yash2189 - I'm not 100% sure. @justinegeffen can you comment?
Here is some additional insight discovered by @mkdbns:
The actions above succeeded with the following configured permissions. A few notes: Please note that I defined the permissions using the underlying ES permissions vs Action Groups (Monitor, Read, Write, etc.) as they may vary across deployments. The cluster-level "indices" permissions seem counterintuitive but are necessary. For example, here is a short explanation as to why `indices:admin/template/put` is required at the cluster level:
```json
{
  "cluster_permissions": [
    "cluster:monitor/*",
    "indices:admin/template/put",
    "indices:data/write/bulk"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "IndexPrefix*"
      ],
      "allowed_actions": [
        "indices:admin/get",
        "indices:admin/create",
        "indices:admin/delete",
        "indices:admin/mapping/put",
        "indices:admin/mappings/fields/get*",
        "indices:data/read*",
        "indices:data/write*"
      ]
    }
  ]
}
```
While the above should work, we would recommend that you allow MM to have full control over its indexes. We subscribe to the philosophy that the MM indexes under ES as defined by the prefix (e.g., "MM_*") are just an extension of the MM data itself and there is nothing impactfully destructive that MM could accidentally do to its indexes. The worst action would be to purge them which, we all know, is part and parcel of the long-term lifecycle. Thus, a simpler, more flexible, and resilient variant of the above would be:
```json
{
  "cluster_permissions": [
    "cluster:monitor/*",
    "indices:admin/template/put",
    "indices:data/write/bulk"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "IndexPrefix*"
      ],
      "allowed_actions": [
        "indices:*"
      ]
    }
  ]
}
```
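The roles posted in this thread differ in one security-relevant detail: the first hard-codes the index names `channels`, `users` and `posts_*`, while the later ones scope the grant to `<IndexPrefix>*`. The following is an added example, not Mattermost's or Elastic's own code, that builds the prefix-aware role in the native Elasticsearch security schema (the body for `PUT /_security/role/<name>`), builds the matching `_has_privileges` check body, and shows offline why the unprefixed role silently stops covering the indices once an `IndexPrefix` is configured. It assumes Mattermost names its indices `<IndexPrefix>channels`, `<IndexPrefix>users` and `<IndexPrefix>posts_*` (the unprefixed names are from the thread; the prefixed forms and the date suffix are constructed for the check), and it assumes the cluster privileges `monitor` and `manage_index_templates` from the prefixed role above.

```python
"""Least-privilege Elasticsearch role for the Mattermost service account,
with the configured IndexPrefix folded into the index pattern.

Added example (not Mattermost's or Elastic's code). Assumes the native
Elasticsearch security role schema (PUT /_security/role/<name>) and that
Mattermost's indices are <IndexPrefix>channels, <IndexPrefix>users and
<IndexPrefix>posts_*; the prefixed names are constructed for the check.
"""
import re

# Cluster-level privileges named in the thread's prefix-aware role.
CLUSTER_PRIVILEGES = ["monitor", "manage_index_templates"]

# The first role posted in the thread: explicit index names, no prefix.
UNPREFIXED_ROLE = {
    "cluster": ["monitor"],
    "indices": [{
        "names": ["channels", "users", "posts_*"],
        "privileges": ["all"],
        "allow_restricted_indices": False,
    }],
}


def build_role(index_prefix: str) -> dict:
    """Body for PUT /_security/role/mattermost.

    With a prefix, everything under <prefix>* and nothing else. With no
    prefix, fall back to the explicit names rather than a bare "*", which
    would hand the service account every index in the cluster."""
    names = [f"{index_prefix}*"] if index_prefix else ["channels", "users", "posts_*"]
    return {
        "cluster": list(CLUSTER_PRIVILEGES),
        "indices": [{
            "names": names,
            "privileges": ["all"],
            "allow_restricted_indices": False,
        }],
    }


def has_privileges_request(index_prefix: str) -> dict:
    """Body for GET /_security/user/_has_privileges, sent as the service user.

    Lists the index operations Mattermost performs (create/delete index,
    read, write, mapping changes) so ES reports a true/false per privilege."""
    return {
        "cluster": list(CLUSTER_PRIVILEGES),
        "index": [{
            "names": build_role(index_prefix)["indices"][0]["names"],
            "privileges": ["create_index", "delete_index", "read", "write", "manage"],
        }],
    }


def pattern_covers(pattern: str, index_name: str) -> bool:
    """Role 'names' entries use '*' as the only wildcard; an entry without
    '*' must match the index name exactly. Translate to a full-match regex."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None


def uncovered_indices(role: dict, index_names: list) -> list:
    """Index names no 'names' entry in the role matches, i.e. the indices
    on which every Mattermost request would be denied."""
    patterns = [n for entry in role["indices"] for n in entry["names"]]
    return [i for i in index_names
            if not any(pattern_covers(p, i) for p in patterns)]


def mattermost_index_names(index_prefix: str) -> list:
    """Constructed sample of the indices Mattermost touches with this prefix."""
    return [f"{index_prefix}channels",
            f"{index_prefix}users",
            f"{index_prefix}posts_2024_01_01"]


if __name__ == "__main__":
    import json
    for prefix in ("", "mm_"):
        names = mattermost_index_names(prefix)
        print(f"IndexPrefix={prefix!r}")
        print("  unprefixed role misses:  ", uncovered_indices(UNPREFIXED_ROLE, names))
        print("  prefix-aware role misses:", uncovered_indices(build_role(prefix), names))
    print(json.dumps(build_role("mm_"), indent=2))
```

Load the output of `build_role("mm_")` with `PUT /_security/role/mattermost`, then, authenticated as the service user, send `has_privileges_request("mm_")` to `/_security/user/_has_privileges` and confirm every entry comes back `true` before pointing Mattermost at the cluster. Granting `all` on `<prefix>*` is still least privilege in the sense the thread argues: the blast radius is bounded by the pattern, so an unrelated index such as `.kibana` stays out of reach. The second schema in this thread (`cluster_permissions` / `index_permissions` / `allowed_actions`) is the OpenSearch Security plugin's role format; its `index_patterns` carry the same prefix wildcard, but this example targets native Elasticsearch security.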
@sadohert - Would you be open to creating a PR with these documentation updates?
@akshitadixit - Are you working on this issue?
@cwarnermm - do you need assistance with this issue?
Thanks, @TomerPacific! This one also pre-dates me :) I've asked for guidance via the Hacktoberfest channel on the Mattermost Community Server.
@TomerPacific - We'd welcome your help with this issue! @sadohert is available to support you with these updates.
While there's a lot of detail included in this ticket, the ask is to concisely frame guidance as follows:
In "least privilege" environments you may need to further constrain the service account permissions to limit the access your Elasticsearch service account has. The following JSON provides an example of a "least privilege" permission set that allows Mattermost to operate correctly with Elasticsearch....
[technical details here].
@cwarnermm - Thanks for your assistance, I'll work on adding this.
@TomerPacific - Thank you for following up via the Hacktoberfest channel and for engaging @sadohert directly to guide these docs updates. As @sadohert provides guidelines, I too can support you with this lift.
@cwarnermm - Opened a PR for this. Awaiting your feedback.
@cwarnermm - I see that the code blocks aren't rendering. Going to fix that.