[DOCS] Adds watcher and security troubleshooting and limitations

docs/en/stack/limitations.asciidoc

@@ -22,11 +22,11 @@ https://www.elastic.co/blog/elastic-stack-6-0-0-alpha1-released[Elastic Stack 6.
 * <<ml-limitations, X-Pack machine learning>>
 
 --
-:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/security/limitations.asciidoc
-include::{xes-repo-dir}/security/limitations.asciidoc[]
+:edit_url: https://github.com/elastic/stack-docs/edit/{branch}/docs/en/stack/security/limitations.asciidoc
+include::security/limitations.asciidoc[]
 
-:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/watcher/limitations.asciidoc
-include::{xes-repo-dir}/watcher/limitations.asciidoc[]
+:edit_url: https://github.com/elastic/stack-docs/edit/{branch}/docs/en/stack/watcher/limitations.asciidoc
+include::watcher/limitations.asciidoc[]
 
 :edit_url: https://github.com/elastic/stack-docs/edit/{branch}/docs/en/stack/ml/limitations.asciidoc
 include::ml/limitations.asciidoc[]

docs/en/stack/security/limitations.asciidoc

@@ -0,0 +1,87 @@
+[role="xpack"]
+[[security-limitations]]
+== Security Limitations
+
+[float]
+=== Plugins
+
+Elasticsearch's plugin infrastructure is extremely flexible in terms of what can
+be extended. While it opens up Elasticsearch to a wide variety of (often custom)
+additional functionality, when it comes to security, this high extensibility level
+comes at a cost. We have no control over the third-party plugins' code (open
+source or not) and therefore we cannot guarantee their compliance with {security}.
+For this reason, third-party plugins are not officially supported on clusters
+with {security} enabled.
+
+[float]
+=== Changes in Index Wildcard Behavior
+
+Elasticsearch clusters with {security} enabled apply the `/_all` wildcard, and
+all other wildcards, to the indices that the current user has privileges for, not
+the set of all indices on the cluster.
+
+[float]
+=== Multi Document APIs
+
+Multi get and multi term vectors API throw IndexNotFoundException when trying to access non existing indices that the user is
+not authorized for. By doing that they leak information regarding the fact that the index doesn't exist, while the user is not
+authorized to know anything about those indices.
+
+[float]
+=== Filtered Index Aliases
+
+Aliases containing filters are not a secure way to restrict access to individual
+documents, due to the limitations described in <<alias-limitations, Index and Field Names Can Be Leaked When Using Aliases>>.
+{security} provides a secure way to restrict access to documents through the
+<<field-and-document-access-control, document-level security>> feature.
+
+[float]
+=== Field and Document Level Security Limitations
+
+When a user's role enables document or field level security for an index:
+
+* The user cannot perform write operations:
+** The update API isn't supported.
+** Update requests included in bulk requests aren't supported.
+* The request cache is disabled for search requests.
+
+When a user's role enables document level security for an index:
+
+* Document level security isn't applied for APIs that aren't document based.
+  An example is the field stats API.
+* Document level security doesn't affect global index statistics that relevancy
+  scoring uses. So this means that scores are computed without taking the role
+  query into account. Note that documents not matching with the role query are
+  never returned.
+* The `has_child` and `has_parent` queries aren't supported as query in the
+  role definition. The `has_child` and `has_parent` queries can be used in the
+  search API with document level security enabled.
+* Any query that makes remote calls to fetch data to query by isn't supported.
+  The following queries aren't supported:
+** The `terms` query with terms lookup isn't supported.
+** The `geo_shape` query with indexed shapes isn't supported.
+** The `percolate` query isn't supported.
+* If suggesters are specified and document level security is enabled then
+  the specified suggesters are ignored.
+* A search request cannot be profiled if document level security is enabled.
+
+[float]
+[[alias-limitations]]
+=== Index and Field Names Can Be Leaked When Using Aliases
+
+Calling certain Elasticsearch APIs on an alias can potentially leak information
+about indices that the user isn't authorized to access. For example, when you get
+the mappings for an alias with the `_mapping` API, the response includes the
+index name and mappings for each index that the alias applies to.
+
+Until this limitation is addressed, avoid index and field names that contain
+confidential or sensitive information.
+
+[float]
+=== LDAP Realm
+
+The <<ldap-realm, LDAP Realm>> does not currently support the discovery of nested
+LDAP Groups.  For example, if a user is a member of `group_1` and `group_1` is a
+member of `group_2`, only `group_1` will be discovered. However, the
+<<active-directory-realm, Active Directory Realm>> *does* support transitive
+group membership.