Elastic Search Docs - Add information about required permissions for …

…Mattermost service account (#6732) * feature/elastic-search-doc-permissions adding documentation about giving permissions to mattermost * feature/elastic-search-doc-permissions adding more concise code block * feature/elastic-search-doc-permissions formatting code bloacks * Update source/scale/elasticsearch.rst * Update source/scale/elasticsearch.rst * feature/elastic-search-doc-permissions correcting indentation --------- Co-authored-by: Carrie Warner (Mattermost) <[email protected]>
mattermost · Oct 25, 2023 · 85ea411 · 85ea411
1 parent 20af91c
commit 85ea411
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/source/scale/elasticsearch.rst b/source/scale/elasticsearch.rst
@@ -200,3 +200,56 @@ My Elasticsearch indexes won't complete, what should I do?
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If you have an Elasticsearch indexing job that's paused, it's likely your Elasticsearch server has restarted. If you restart your Elasticsearch server, you must also restart Mattermost to ensure jobs are completed. If restarting the Mattermost server does not resolve the issue, please contact Mattermost support.
+
+Required Permissions For Mattermost Service Account
+---------------------------------------------------
+In "least privilege" environments you may need to further constrain the service account permissions to limit the access your Elasticsearch service account has. 
+The following JSON provides an example of a "least privilege" permission set that allows Mattermost to operate correctly with Elasticsearch:
+
+ .. code-block:: json
+
+{
+  "cluster_permissions": [
+    "cluster:monitor/*",
+    "indices:admin/template/put",
+    "indices:data/write/bulk"
+  ],
+  "index_permissions": [
+    {
+      "index_patterns": [
+        "t-70907*"
+      ],
+      "allowed_actions": [
+        "indices:admin/get",
+        "indices:admin/create",
+        "indices:admin/delete",
+        "indices:admin/mapping/put",
+        "indices:admin/mappings/fields/get*",
+        "indices:data/read*",
+        "indices:data/write*"
+      ]
+    }
+  ]
+}
+
+A simpler, more flexible, and resilient variant of the above would be:
+
+.. code-block:: json
+
+  {
+    "cluster_permissions": [
+      "cluster:monitor/*",
+      "indices:admin/template/put",
+      "indices:data/write/bulk"
+    ],
+    "index_permissions": [
+      {
+        "index_patterns": [
+          "t-70907*"
+        ],
+        "allowed_actions": [
+          "indices:*"
+        ]
+      }
+    ]
+  }