

[Fleet] Allow Kibana system user to read and write to Fleet server in…
…dices
nchaulet committed Jan 19, 2021
1 parent f5dfa7b commit 7719096
Showing 2 changed files with 41 additions and 0 deletions.
Expand Up @@ -155,6 +155,25 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
RoleDescriptor.IndicesPrivileges.builder()
.indices(".logs-endpoint.diagnostic.collection-*")
.privileges("read").build(),
// Fleet Server indices Kibana read and write to these indices to manage Elastic Agents
RoleDescriptor.IndicesPrivileges.builder()
.indices(".fleet-agents")
.privileges("read", "write").build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices(".fleet-actions")
.privileges("read", "write").build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices(".fleet-actions-results")
.privileges("read", "write").build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices(".fleet-enrollment-api-keys")
.privileges("read", "write").build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices(".fleet-policies")
.privileges("read", "write").build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices(".fleet-servers")
.privileges("read", "write").build(),
},
null,
new ConfigurableClusterPrivilege[] { new ManageApplicationPrivileges(Collections.singleton("kibana-*")) },
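Review bot: The comment heading the new group ("Fleet Server indices Kibana read and write to these indices to manage Elastic Agents") does not say why each of the six indices needs `write`, which is the privilege that also lets kibana_system delete documents (the test added in this commit pins DeleteAction as allowed on all six), and `.fleet-enrollment-api-keys` looks by its name like it holds enrollment-key records, so a future reader cannot tell whether a narrower grant was considered — for instance `read` only on `.fleet-actions-results` if Kibana merely consumes agent results there. I would expand the comment to one line per index naming the Kibana operation that requires write, e.g. `// .fleet-enrollment-api-keys: Kibana creates and revokes enrollment keys`, and mark any entry where write is speculative. Style-wise, six builders that differ only in the index name could become a single `.indices(".fleet-agents", ".fleet-actions", ".fleet-actions-results", ".fleet-enrollment-api-keys", ".fleet-policies", ".fleet-servers")` builder if `indices(...)` accepts varargs, which keeps the grant identical and harder to drift. initializeReservedRoles begins before this hunk.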
Expand Up @@ -481,6 +481,28 @@ public void testKibanaSystemRole() {
assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(mockIndexAbstraction(index)), is(false));
});

// read and write indices for Fleet Server
Arrays.asList(
".fleet-agents",
".fleet-actions",
".fleet-actions-results",
".fleet-enrollment-api-keys",
".fleet-policies",
".fleet-servers"
).forEach((index) -> {
assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(mockIndexAbstraction(index)), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(mockIndexAbstraction(index)), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(mockIndexAbstraction(index)), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(mockIndexAbstraction(index)), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(mockIndexAbstraction(index)), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(mockIndexAbstraction(index)), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(mockIndexAbstraction(index)), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(mockIndexAbstraction(index)), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(mockIndexAbstraction(index)), is(true));
});

// Data telemetry reads mappings, metadata and stats of indices
Arrays.asList(randomAlphaOfLengthBetween(8, 24), "packetbeat-*", "logs-*").forEach((index) -> {
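Review bot: The new assertions only cover the six names hard-coded in the list and never check a `.fleet-` name that is not granted, so a later change from exact names to a `.fleet-*` wildcard in the role definition would pass this test unnoticed. A negative control such as `assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(mockIndexAbstraction(".fleet-unlisted")), is(false));` would pin the grant to the listed names, assuming no other index group in the role already covers that prefix. The block also pins UpdateSettingsAction and READ_CROSS_CLUSTER_NAME as allowed on these indices although the role change grants only `read` and `write`; if that comes from another group in the role, a comment saying so (`// update-settings / cross-cluster read come from the role's "*" group, not the Fleet grant`) would stop the next reader from taking them as part of this grant. testKibanaSystemRole starts and ends outside this hunk.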
