You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description of the problem including expected versus actual behavior:
When kibana (or any user with insufficient permissions, but kibana is the only common one) installs the APM integration the ILM delete phase for APM data streams fail. This is particularly relevant for ESS, where the kibana system user commonly installs the APM Integration.
Steps to reproduce:
Apply this patch to a recent apm-server checkout, this was against fd4ee95, to configure auto installation of the APM integration (this also shortens the ILM policy while we're at it):
# assemble the APM integration package
make build-package
# start all services including local EPR
docker-compose up -d
# ingest a trace
curl -i -H "Content-type: application/x-ndjson" --data-binary @testdata/intake-v2/events.ndjson http://localhost:8200/intake/v2/events
Now wait a few minutes or force ILM with:
POST traces-apm-default/_rollover
{
"conditions": {
"max_docs": "0"
}
}
and note that ILM delete phase will fail:
security_exception: action [indices:admin/delete] is unauthorized for user [kibana_system_user] with roles [kibana_system] on indices [.ds-traces-apm-default-2022.03.17-000001], this action is granted by the index privileges [delete_index,manage,all]
One fix for this is expanding kibana_system delete permissions in Elasticsearch. There is a workaround until that (or another suitable solution) is in place, for example for older clusters - re-save the ILM policy as a user that does have permissions to both roll the data stream over and delete the underlying indices. After doing that in kibana on /app/management/data/index_lifecycle_management/policies/edit/traces-apm.traces-default_policy a retry of the ILM policy execution succeeded:
POST .ds-traces-apm-default-2022.03.17-000001/_ilm/retry
APM Server version: 8.2.0-SNAPSHOT
Description of the problem including expected versus actual behavior:
When kibana (or any user with insufficient permissions, but kibana is the only common one) installs the APM integration the ILM delete phase for APM data streams fail. This is particularly relevant for ESS, where the kibana system user commonly installs the APM Integration.
Steps to reproduce:
Apply this patch to a recent apm-server checkout, this was against fd4ee95, to configure auto installation of the APM integration (this also shortens the ILM policy while we're at it):
Then:
Now wait a few minutes or force ILM with:
and note that ILM delete phase will fail:
I think rollover works fine because of: https://github.com/elastic/elasticsearch/blob/3a5a15b633273efef626b57ee0c1c2e5f09fb695/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java#L743-L756 but delete fails because it's too specific here: https://github.com/elastic/elasticsearch/blob/3a5a15b633273efef626b57ee0c1c2e5f09fb695/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java#L771-L775
Some good news
One fix for this is expanding
kibana_system
delete permissions in Elasticsearch. There is a workaround until that (or another suitable solution) is in place, for example for older clusters - re-save the ILM policy as a user that does have permissions to both roll the data stream over and delete the underlying indices. After doing that in kibana on/app/management/data/index_lifecycle_management/policies/edit/traces-apm.traces-default_policy
a retry of the ILM policy execution succeeded:triggered:
The text was updated successfully, but these errors were encountered: