Add delete privilege to kibana_system for APM
axw committed Mar 18, 2022
1 parent 6766e88 commit fe2e8c4
Showing 2 changed files with 27 additions and 15 deletions.
Expand Up @@ -770,7 +770,17 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
.build(),
// For ILM policy for APM & Endpoint packages that have delete action
RoleDescriptor.IndicesPrivileges.builder()
.indices(".logs-endpoint.diagnostic.collection-*", "traces-apm.sampled-*")
.indices(
".logs-endpoint.diagnostic.collection-*",
"logs-apm.app-*",
"logs-apm.error-*",
"metrics-apm.app.*",
"metrics-apm.internal-*",
"metrics-apm.profiling-*",
"traces-apm-*",
"traces-apm.rum-*",
"traces-apm.sampled-*"
)
.privileges(DeleteIndexAction.NAME)
.build(),
// For src/dest indices of the Endpoint package that ships a transform
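Review bot: The one-line comment above this builder no longer covers what the entry grants: `DeleteIndexAction.NAME` now applies to every index or data stream whose name matches eight APM prefixes, including the catch-all `traces-apm-*`, and nothing records why each prefix needs it. For a built-in role I would spell out the scope, e.g. `// Delete is required only so the ILM policies installed by the APM & Endpoint packages can run their delete phase; keep this list limited to data streams those packages define.` `"metrics-apm.app.*"` is also the only pattern that ends in `.*` rather than `-*`; if that is deliberate (presumably because a further name segment follows `app.`), a short comment saying so would stop it being "corrected" later. The body of kibanaSystemRoleDescriptor continues outside the hunk.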
Expand Up @@ -865,8 +865,15 @@ public void testKibanaSystemRole() {
assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));
assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));

// Endpoint diagnostic and sampled traces data streams also have an ILM policy with a delete action, all others should not.
// Endpoint diagnostic and APM data streams also have an ILM policy with a delete action, all others should not.
final boolean isAlsoIlmDeleteIndex = indexName.startsWith(".logs-endpoint.diagnostic.collection-")
|| indexName.startsWith("logs-apm.app-")
|| indexName.startsWith("logs-apm.error-")
|| indexName.startsWith("metrics-apm.app.")
|| indexName.startsWith("metrics-apm.internal-")
|| indexName.startsWith("metrics-apm.profiling-")
|| indexName.startsWith("traces-apm-")
|| indexName.startsWith("traces-apm.rum-")
|| indexName.startsWith("traces-apm.sampled-");
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(isAlsoIlmDeleteIndex));
});
Expand Down Expand Up @@ -928,28 +935,23 @@ public void testKibanaSystemRole() {
});

// Ensure privileges necessary for ILM policies in APM & Endpoint packages
Arrays.asList(
"metrics-apm.app-" + randomAlphaOfLengthBetween(3, 8),
"metrics-apm.internal-" + randomAlphaOfLengthBetween(3, 8),
"metrics-apm.profiling-" + randomAlphaOfLengthBetween(3, 8),
"logs-apm.error_logs-" + randomAlphaOfLengthBetween(3, 8),
"traces-apm-" + randomAlphaOfLengthBetween(3, 8)
).forEach(indexName -> {
logger.info("index name [{}]", indexName);
final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);

assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
});
Arrays.asList(
".logs-endpoint.diagnostic.collection-" + randomAlphaOfLengthBetween(3, 8),
"logs-apm.app-*" + randomAlphaOfLengthBetween(3, 8),
"logs-apm.error-*" + randomAlphaOfLengthBetween(3, 8),
"metrics-apm.app.*" + randomAlphaOfLengthBetween(3, 8),
"metrics-apm.internal-*" + randomAlphaOfLengthBetween(3, 8),
"metrics-apm.profiling-*" + randomAlphaOfLengthBetween(3, 8),
"traces-apm-*" + randomAlphaOfLengthBetween(3, 8),
"traces-apm.rum-*" + randomAlphaOfLengthBetween(3, 8),
"traces-apm.sampled-" + randomAlphaOfLengthBetween(3, 8)
).forEach(indexName -> {
logger.info("index name [{}]", indexName);
final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);

assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
});
}
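Review bot: The new entries in the final `Arrays.asList(...)` paste the role's wildcard patterns in as name prefixes, so the test probes names such as `logs-apm.app-*abcd` and `metrics-apm.app.*abcd` that contain a literal `*`. They still match the granted patterns, so the assertions pass, but they are not names a real data stream can have and they differ from the `traces-apm.sampled-` entry and from the `startsWith(...)` prefixes in the earlier hunk. I would drop the `*` from each, e.g. `"logs-apm.app-" + randomAlphaOfLengthBetween(3, 8)` and `"metrics-apm.app." + randomAlphaOfLengthBetween(3, 8)`. Since this list only asserts `is(true)`, the check that delete stays denied elsewhere rests on the earlier hunk's `isAlsoIlmDeleteIndex` comparison. testKibanaSystemRole starts outside the hunk.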
