add readme note about alerting / manage_api_key cluster privilege (el…

…astic#54639) partially resolves elastic#54525
pmuellr · Jan 15, 2020 · cc217c1 · cc217c1
1 parent 7556436
commit cc217c1
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/x-pack/legacy/plugins/alerting/README.md b/x-pack/legacy/plugins/alerting/README.md
@@ -32,6 +32,14 @@ When security is enabled, an SSL connection to Elasticsearch is required in orde
 
 When security is enabled, users who create alerts will need the `manage_api_key` cluster privilege. There is currently work in progress to remove this requirement.
 
+Note that the `manage_own_api_key` cluster privilege is not enough - it can be used to create API keys, but not invalidate them, and the alerting plugin currently both creates and invalidates APIs keys as part of it's processing.  When using only the `manage_own_api_key` privilege, you will see the following message logged in the server when the alerting plugin attempts to invalidate an API key:
+
+```
+[error][alerting][plugins] Failed to invalidate API Key: [security_exception] \
+    action [cluster:admin/xpack/security/api_key/invalidate] \
+    is unauthorized for user [user-name-here]
+```
+
 ## Alert types
 
 ### Methods