From d3a3cefc73bba87fed0ab55a76e78c6ca76c538a Mon Sep 17 00:00:00 2001
From: Patrick Mueller <patrick.mueller@elastic.co>
Date: Tue, 14 Jan 2020 23:47:55 -0500
Subject: [PATCH] add readme note about alerting / manage_api_key cluster
 privilege (#54639)

partially resolves https://github.com/elastic/kibana/issues/54525
---
 x-pack/legacy/plugins/alerting/README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/x-pack/legacy/plugins/alerting/README.md b/x-pack/legacy/plugins/alerting/README.md
index 30d34bd3b436d6..d5e9dcb76caa4a 100644
--- a/x-pack/legacy/plugins/alerting/README.md
+++ b/x-pack/legacy/plugins/alerting/README.md
@@ -32,6 +32,14 @@ When security is enabled, an SSL connection to Elasticsearch is required in orde
 
 When security is enabled, users who create alerts will need the `manage_api_key` cluster privilege. There is currently work in progress to remove this requirement.
 
+Note that the `manage_own_api_key` cluster privilege is not enough - it can be used to create API keys, but not invalidate them, and the alerting plugin currently both creates and invalidates APIs keys as part of it's processing.  When using only the `manage_own_api_key` privilege, you will see the following message logged in the server when the alerting plugin attempts to invalidate an API key:
+
+```
+[error][alerting][plugins] Failed to invalidate API Key: [security_exception] \
+    action [cluster:admin/xpack/security/api_key/invalidate] \
+    is unauthorized for user [user-name-here]
+```
+
 ## Alert types
 
 ### Methods