
Add documentation for failure stores. #1368


Status: Open. Wants to merge 29 commits into base: main

Conversation

jbaiera (Member) commented May 5, 2025

TBD on recipes. Most links are not complete and need updating from "???".
kilfoyle (Contributor) left a comment


@jbaiera this is such a superb doc! I've left a bunch of super small suggestions but overall it looks great to me! 🚀

@jbaiera jbaiera marked this pull request as ready for review June 2, 2025 21:26
@jbaiera jbaiera requested review from a team as code owners June 2, 2025 21:26
@jbaiera jbaiera requested a review from slobodanadamovic June 2, 2025 21:26
jbaiera (Member, Author) commented Jun 2, 2025

Adding @slobodanadamovic as reviewer for the new roles in the reference docs. Is there anywhere else that we should expand with more failure store info for security beyond that reference?

@jbaiera jbaiera removed the wip label Jun 2, 2025
:::{warning}
Documents redirected to the failure store in the event of a failed ingest pipeline will be stored in their original, unprocessed form. If an ingest pipeline normally redacts sensitive information from a document, then failed documents in their original, unprocessed form may contain sensitive information.

Furthermore, failed documents are likely to be structured differently than normal data in a data stream, and thus are not supported by [document level security](../../../deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md#document-level-security) or [field level security](../../../deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md#field-level-security).
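Review bot: the second paragraph of this warning states that failure store documents are not supported by document level or field level security, which the reply below says is not the case (FLS/DLS restrictions are honoured when they are attached to failure store access). Suggest rewording so the caveat is about shape rather than support, along the lines of "FLS/DLS restrictions granted on a data stream's failure store are applied, but because failed documents are structured differently from the processed documents, a query or field list written for the processed data may not restrict what you expect." The first paragraph could also say explicitly that the redacting pipeline never ran on these documents, so access to the failure store should be treated as access to the raw input.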


This is actually not true. We decided to support FLS and DLS against failure store. The main reason is because it would not be possible to prevent using FLS/DLS when users define implicit read access to backing .fs* indices. It felt wrong to prevent using FLS/DLS when users defined explicit read_failure_store access to data streams with FLS/DLS restrictions. Our biggest concern was that users would be expecting the DLS/FLS to stop certain docs/fields from being visible and it wouldn't.

Right now, if users include FLS/DLS when granting access to failure store then we'll try to honour it. We should just make sure to highlight it (which you already did) that these documents are structured differently, and because they may contain sensitive information, the users should take extra care when defining access to them.

@@ -381,6 +384,8 @@ To learn how to assign privileges to a role, refer to [](/deploy-manage/users-ro

This privilege is not available in {{serverless-full}}.

`read_failure_store`
: Read-only access to actions performed on a data stream's failure store. Required for access to failure store data (count, explain, get, mget, get indexed scripts, more like this, multi percolate/search/termvector, percolate, scroll, clear_scroll, search, suggest, tv).

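Review bot: the `read_failure_store` entry does not say that the privilege applies only when a data stream is addressed with the `::failures` selector and grants nothing on the `.fs*` backing indices or on any regular index (the point raised in review below); suggest adding a sentence such as "Only applies when a data stream is accessed using the `::failures` selector. Does not grant direct access to failure store backing indices or to regular indices, so it should be granted on data streams that have a failure store enabled." The parenthetical list of actions also uses the unexplained abbreviation `tv`; spell it out or match the wording used for the `read` privilege above.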

The manage_failure_store and read_failure_store privileges are special in that they only grant access to the failure store when it is accessed through data stream names using the ::failures selector. We should try and highlight somehow that these privileges cannot be used to grant direct read/manage access to failure store backing indices (.fs*) or any other regular indices. Hence, they should only be granted to data streams that have failure store enabled.

@slobodanadamovic commented

> Is there anywhere else that we should expand with more failure store info for security beyond that reference?

No, that's the only place we should document them.

I left some comments. I think we should try to point out that the new privileges are only granting access to failure store when accessed using ::failures selector, but I'm blanking on a concrete suggestion right now. Will try to think overnight.
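Putting the two review points together, here is an added example of what the reference docs could show; it is not code from this PR or from the Elastic docs. It assumes a data stream named `logs-app` with a failure store enabled, a role name `failure_store_reader`, and that failure store documents carry the fields `document.index` and `document.source` (the raw, unprocessed document); those names are assumptions for illustration, while the `read_failure_store` privilege and the `::failures` selector are the ones discussed above.

```console
# Added example (not part of the PR): a role that can read only the failure
# store of logs-* data streams. read_failure_store is honoured only when a data
# stream is addressed with the ::failures selector, so this role grants nothing
# on the regular data stream or on its .fs* backing indices.
# Assumed names: role failure_store_reader, data stream logs-app, and the
# failure document fields document.index / document.source.
PUT _security/role/failure_store_reader
{
  "indices": [
    {
      "names": [ "logs-*" ],
      "privileges": [ "read_failure_store" ],
      "field_security": {
        "grant": [ "*" ],
        "except": [ "document.source" ]
      },
      "query": {
        "term": { "document.index": "logs-app" }
      }
    }
  ]
}

# Allowed: the data stream is addressed through the ::failures selector.
# FLS hides document.source (the raw input the redacting pipeline never ran
# on) and DLS keeps only failures that originated from logs-app.
GET logs-app::failures/_search

# Denied for a user holding only this role: read_failure_store covers neither
# the regular data stream nor its backing indices, so both requests return 403.
GET logs-app/_search
GET .fs*/_search
```

When trying this with a user that holds only the role above, check that the last two requests are rejected and that hits from the first contain no `document.source`. Because failed documents are shaped differently from the processed documents, a DLS query written against the fields of the processed data would silently match nothing; write it against the failure document's own fields, as the `document.index` term above does.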

Labels: documentation (Improvements or additions to documentation)