Restrict APM Server user role

[barkbay]

Fixes #2661

This PR:

• Adds a role called default_apm_user_role (name can be discussed ofc) to allow APM Server instances to setup and manage apm-* indices:

default_apm_user_role:
      cluster:
      - monitor
      - manage_ilm
      indices:
      - names:
        - apm-*
        privileges:
        - manage
        - create_doc
        - create_index

• Adds the APM users to the role described above and also to the built-in roles kibana_user and ingest_admin

I did some tests and it seems to work fine but I would be glad to have a quick review of the role by @simitt or @graphaelli. Thanks 🙇

[pebrc]

LGTM, but deferring to the APM folks for approval.

[sebgl]

@simitt @graphaelli should this role be builtin Elasticsearch, similar to the kibana user role?

[simitt]

Generally looks good, the monitoring privileges need to be applied to the .monitoring-beats-* index though, and I think we can be more restrictive wrt Kibana privileges.

Just as information: with 7.6 we released experimental support of API Key auth for communication between APM agents and APM Server. The APM Server provides a CLI tool to manage such API Keys. The required privileges for that are the manage_api_key on clusters, and adding specific APM application privileges.
Since this API Key tooling needs manual interaction anyways, I think it is fair to not add the privileges here, and assume the users either provide a superuser role when managing API Keys or add the privileges themselves.

UPDATE:
It is ok to not add the additional application privileges, but manage_api_key should be added to the cluster privileges, as it is required for the APM Server verifying API keys created by another user.

[simitt]

For fetching agent remote config from Kibana the APM Server needs to have read+write access to apm indices, for which we should grant the built in apm_user role rather than the more exhaustive kibana_user afaik (cc @elastic/apm-ui).

[simitt]

The privileges required for agent configuration management I was referring to above, need to be set for the user talking to Kibana (apm-server.kibana), but not for the elasticsearch user.
Based on the explanation in https://github.com/elastic/cloud-on-k8s/pull/2777/files#r400078619 the apmDefaultRoles will only be used for writing to ES. In this case no Kibana privileges are required for any APM Server >= 7.0, as dashboards are no longer shipped with the APM Server.

[simitt]

@elastic/apm-server for visibility

[anyasabo]

Can you help me understand the difference between ApmDefaultUserRole and this? It seems like we could put ingest_admin in the cluster role def there along with monitor and manage_ilm, right?

[barkbay]

apmDefaultRoles is a collection of roles which contain the role ApmDefaultUserRole
monitor and manage_ilm are privileges, while ingest_admin is a built-in role.

I'm not sure we can mix a built-in role along with privileges ?

[barkbay]

Just as information: with 7.6 we released experimental support of API Key auth for communication between APM agents and APM Server. The APM Server provides a CLI tool to manage such API Keys. The required privileges for that are the manage_api_key on clusters, and adding specific APM application privileges.

manage_api_key seems to exist only in 7.5.x, I'm still a little bit new re. roles in Elasticsearch but I guess it means that we would have to manage 2 different roles: one for ES < 7.5 and an other for ES >= 7.5.

In this case no Kibana privileges are required for any APM Server >= 7.0, as dashboards are no longer shipped with the APM Server.

Same here, we still support 6.8. I would keep apm_user in the list of roles for backward compatibility.

[barkbay]

It is a little bit more complicated that what I thought :)

Any attempt to start the APM server with a privilege that does not exist makes the request fail with something like:

Failed to connect to backoff(elasticsearch(https://es-apm-sample-es-http.default.svc:9200)): 400 Bad Request: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"unknown index privilege [create_doc]. a privilege must be either one of the predefined fixed indices privileges ... or a pattern over one of the available cluster actions

If I understand correctly:

• For 6.8 we would need this kind of role (doc ref):

{
  "cluster": ["manage_index_templates","monitor"],
  "indices": [
    {
      "names": [ "apm-*" ], 
      "privileges": ["write","create_index"]
    }
  ]
}

• From 7.x to 7.4 (incl.) we can use the setup role described here (which seems to be the one described in this PR) but we can't use create_doc or manage_api_key which have been introduced in 7.5.

• Starting from 7.5 we can introduce create_doc and manage_api_key

[simitt]

Not sure if that helps, but in our integration testing where we can start different versions inkl. 6.8 and early 7.x versions we use a user that has following custom role:

apm_server:
  cluster: ['manage_ilm', 'manage_security', 'manage_api_key'] 
  indices:
    - names: ['apm-*']
      privileges: ['write', 'create_index', 'manage', 'manage_ilm']

and also built-in roles apm_server and apm_system
(see roles and users_roles)
Note: the manage_security role is only necessary when using the apm-server apikey CLI, which I don't think is necessary on ECK for now.

[barkbay]

Not sure if that helps, but in our integration testing where we can start different versions inkl. 6.8 and early 7.x versions we use a user that has following custom role:

This does not work for me. If I try to start an 6.8 APM Server with the "manage_api_key" privilege I have the following error:

2020-03-31T14:38:28.406Z	ERROR	pipeline/output.go:100	Failed to connect to backoff(elasticsearch(https://es-apm-sample-es-http.default.svc:9200)): 400 Bad Request:
{
	"error": {
		"root_cause": [{
			"type": "illegal_argument_exception",
			"reason": "unknown cluster privilege [[manage_index_templates, monitor, manage_api_key]]. a privilege must be either one of the predefined fixed cluster privileges [all=[all],monitor_ml=[monitor_ml],manage_ilm=[manage_ilm],manage_ingest_pipelines=[manage_ingest_pipelines],read_ccr=[read_ccr],monitor_watcher=[monitor_watcher],manage_index_templates=[manage_index_templates],manage_ccr=[manage_ccr],monitor=[monitor],manage_rollup=[manage_rollup],none=[none],manage_watcher=[manage_watcher],read_ilm=[read_ilm],manage=[manage],manage_token=[manage_token],manage_ml=[manage_ml],manage_pipeline=[manage_pipeline],monitor_rollup=[monitor_rollup],transport_client=[transport_client],manage_security=[manage_security],manage_saml=[manage_saml],create_snapshot=[create_snapshot]] or a pattern over one of the available cluster actions"
		}],
		"type": "illegal_argument_exception",
		"reason": "unknown cluster privilege [[manage_index_templates, monitor, manage_api_key]]. a privilege must be either one of the predefined fixed cluster privileges [all=[all],monitor_ml=[monitor_ml],manage_ilm=[manage_ilm],manage_ingest_pipelines=[manage_ingest_pipelines],read_ccr=[read_ccr],monitor_watcher=[monitor_watcher],manage_index_templates=[manage_index_templates],manage_ccr=[manage_ccr],monitor=[monitor],manage_rollup=[manage_rollup],none=[none],manage_watcher=[manage_watcher],read_ilm=[read_ilm],manage=[manage],manage_token=[manage_token],manage_ml=[manage_ml],manage_pipeline=[manage_pipeline],monitor_rollup=[monitor_rollup],transport_client=[transport_client],manage_security=[manage_security],manage_saml=[manage_saml],create_snapshot=[create_snapshot]] or a pattern over one of the available cluster actions"
	},
	"status": 400
}

[simitt]

@barkbay you are right, I only checked that the server can start up. Since API Key handling is only an experimental feature and it seems to be the last blocking bit, I suggest to go ahead without this privilege for now.
Is the APM Server the only component where different privileges and roles available and required for different versions becomes an issue? I could imagine that this is not an APM specific problem.

[barkbay]

My understanding is that we need at least 2 different roles: one for v6 and an other v7, because of the manage_ilm privilege for example which does not exist in v6 but is required in v7.

The benefit of a third one for > 7.5 would be to add the manage_api_key privilege but also replace write by create_doc which seems more restrictive from a security pov.

I have no strong opinion but I think that if we have to manage 2 roles we can add a third one.

[simitt]

Thank you for all the effort you put into this. LGTM

[pebrc]

LGTM!

[pebrc]

Why are we calling it the association user? Is it not just the user APM Server will use to connect to Elasticsearch?

[barkbay]

Thanks all for your help and the review 🙇 !