Deprecate using slm privileges to access ilm (#110540) (#110550)

Currently, read_slm privilege grants access to get the ILM status, and manage_slm grants access to start/stop ILM. This access will be removed in the future, but needs to be deprecated before removal. Add deprecation warning to the read_slm and manage_slm docs.
elastic · Jul 5, 2024 · 6e99d5d · 6e99d5d
1 parent 779a5f0
commit 6e99d5d
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/docs/changelog/110540.yaml b/docs/changelog/110540.yaml
@@ -0,0 +1,16 @@
+pr: 110540
+summary: Deprecate using slm privileges to access ilm
+area: ILM+SLM
+type: deprecation
+issues: []
+deprecation:
+  title: Deprecate using slm privileges to access ilm
+  area: REST API
+  details: The `read_slm` privilege can get the ILM status, and
+    the `manage_slm` privilege can start and stop ILM. Access to these 
+    APIs should be granted using the `read_ilm` and `manage_ilm` privileges
+    instead. Access to ILM APIs will be removed from SLM privileges in
+    a future major release, and is now deprecated.
+  impact: Users that need access to the ILM status API should now 
+    use the `read_ilm` privilege. Users that need to start and stop ILM, 
+    should use the `manage_ilm` privilege.
diff --git a/docs/reference/security/authorization/privileges.asciidoc b/docs/reference/security/authorization/privileges.asciidoc
@@ -2,7 +2,7 @@
 === Security privileges
 :frontmatter-description: A list of privileges that can be assigned to user roles.
 :frontmatter-tags-products: [elasticsearch]
-:frontmatter-tags-content-type: [reference] 
+:frontmatter-tags-content-type: [reference]
 :frontmatter-tags-user-goals: [secure]
 
 This section lists the privileges that you can assign to a role.
@@ -198,6 +198,10 @@ All {slm} ({slm-init}) actions, including creating and updating policies and
 starting and stopping {slm-init}.
 +
 This privilege is not available in {serverless-full}.
++
+deprecated:[8.15] Also grants the permission to start and stop {Ilm}, using
+the {ref}/ilm-start.html[ILM start] and {ref}/ilm-stop.html[ILM stop] APIs.
+In a future major release, this privilege will not grant any {Ilm} permissions.
 
 `manage_token`::
 All security-related operations on tokens that are generated by the {es} Token
@@ -285,6 +289,10 @@ All read-only {slm-init} actions, such as getting policies and checking the
 {slm-init} status.
 +
 This privilege is not available in {serverless-full}.
++
+deprecated:[8.15] Also grants the permission to get the {Ilm} status, using
+the {ref}/ilm-get-status.html[ILM get status API]. In a future major release,
+this privilege will not grant any {Ilm} permissions.
 
 `read_security`::
 All read-only security-related operations, such as getting users, user profiles,