From 70ad20db14bb340fce238f3de87d6fabeabdba0e Mon Sep 17 00:00:00 2001 From: David Roberts Date: Wed, 6 Feb 2019 12:27:20 +0000 Subject: [PATCH 1/2] [DOCS] Add warning about bypassing ML PUT APIs Now that ML configurations are stored in the .ml-config index rather than in cluster state there is a possibility that some users may try to add configurations directly to the index. Allowing this creates a variety of problems including possible data exflitration attacks (depending on how security is set up), so this commit adds warnings against allowing writes to the .ml-config index other than via the ML APIs. --- docs/reference/ml/apis/put-datafeed.asciidoc | 5 +++++ docs/reference/ml/apis/put-job.asciidoc | 8 +++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/reference/ml/apis/put-datafeed.asciidoc b/docs/reference/ml/apis/put-datafeed.asciidoc index 18c611e97cac1..1af073dcdaed8 100644 --- a/docs/reference/ml/apis/put-datafeed.asciidoc +++ b/docs/reference/ml/apis/put-datafeed.asciidoc @@ -19,6 +19,11 @@ Instantiates a {dfeed}. You must create a job before you create a {dfeed}. You can associate only one {dfeed} to each job. +IMPORTANT: Putting a {dfeed} must be done via this API only. Do not put a {dfeed} + directly to the `.ml-config` index using the Elasticsearch Index API. + If {es} {security-features} are enabled, make sure no `write` + privileges are granted to anyone over the `.ml-config` index. + ==== Path Parameters diff --git a/docs/reference/ml/apis/put-job.asciidoc b/docs/reference/ml/apis/put-job.asciidoc index 4abeebee3e47a..11bbf76f366e3 100644 --- a/docs/reference/ml/apis/put-job.asciidoc +++ b/docs/reference/ml/apis/put-job.asciidoc @@ -12,7 +12,13 @@ Instantiates a job. `PUT _ml/anomaly_detectors/` -//===== Description +===== Description + +IMPORTANT: Putting a job must be done via this API only. Do not put a job + directly to the `.ml-config` index using the Elasticsearch Index API. + If {es} {security-features} are enabled, make sure no `write` + privileges are granted to anyone over the `.ml-config` index. + ==== Path Parameters From dfa1004ed02f3e6e09645401ea9bc6153a0e8a6c Mon Sep 17 00:00:00 2001 From: Lisa Cawley Date: Thu, 7 Feb 2019 10:14:45 +0000 Subject: [PATCH 2/2] Apply suggestions from code review Co-Authored-By: droberts195 --- docs/reference/ml/apis/put-datafeed.asciidoc | 8 ++++---- docs/reference/ml/apis/put-job.asciidoc | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/reference/ml/apis/put-datafeed.asciidoc b/docs/reference/ml/apis/put-datafeed.asciidoc index 1af073dcdaed8..05e02ce3615df 100644 --- a/docs/reference/ml/apis/put-datafeed.asciidoc +++ b/docs/reference/ml/apis/put-datafeed.asciidoc @@ -19,10 +19,10 @@ Instantiates a {dfeed}. You must create a job before you create a {dfeed}. You can associate only one {dfeed} to each job. -IMPORTANT: Putting a {dfeed} must be done via this API only. Do not put a {dfeed} - directly to the `.ml-config` index using the Elasticsearch Index API. - If {es} {security-features} are enabled, make sure no `write` - privileges are granted to anyone over the `.ml-config` index. +IMPORTANT: You must use {kib} or this API to create a {dfeed}. Do not put a {dfeed} + directly to the `.ml-config` index using the Elasticsearch index API. + If {es} {security-features} are enabled, do not give users `write` + privileges on the `.ml-config` index. ==== Path Parameters diff --git a/docs/reference/ml/apis/put-job.asciidoc b/docs/reference/ml/apis/put-job.asciidoc index 11bbf76f366e3..e3d80c276dc55 100644 --- a/docs/reference/ml/apis/put-job.asciidoc +++ b/docs/reference/ml/apis/put-job.asciidoc @@ -14,10 +14,10 @@ Instantiates a job. ===== Description -IMPORTANT: Putting a job must be done via this API only. Do not put a job - directly to the `.ml-config` index using the Elasticsearch Index API. - If {es} {security-features} are enabled, make sure no `write` - privileges are granted to anyone over the `.ml-config` index. +IMPORTANT: You must use {kib} or this API to create a {ml} job. Do not put a job + directly to the `.ml-config` index using the Elasticsearch index API. + If {es} {security-features} are enabled, do not give users `write` + privileges on the `.ml-config` index. ==== Path Parameters