
[Fleet] Added all privilege to kibana_system to logs-fleet_server.* index pattern #106815

Merged: 3 commits, Mar 28, 2024

Conversation

juliaElastic (Contributor)

  • Have you signed the contributor license agreement? yes
  • Have you followed the contributor guidelines? yes
  • If submitting code, have you built your formula locally prior to submission with gradle check? yes
  • If submitting code, is your pull request against main? Unless there is a good reason otherwise, we prefer pull requests against main and will backport as needed. yes
  • If submitting code, have you checked that your submission is for an OS and architecture that we support? yes
  • If you are submitting this code for a class then read our policy for that.

Giving all access, so that kibana_system can run the ILM policy to clean up the logs-fleet_server.output_health data stream defined here: elastic/integrations#8605

@juliaElastic juliaElastic self-assigned this Mar 27, 2024
@juliaElastic juliaElastic requested a review from a team as a code owner March 27, 2024 13:23
@elasticsearchmachine elasticsearchmachine added v8.14.0 Team:Core/Infra Meta label for core/infra team external-contributor Pull request authored by a developer outside the Elasticsearch team labels Mar 27, 2024
@elasticsearchmachine (Collaborator)

Pinging @elastic/es-core-infra (Team:Core/Infra)

@juliaElastic juliaElastic added auto-backport Automatically create backport pull requests when merged auto-backport-and-merge and removed auto-backport Automatically create backport pull requests when merged labels Mar 27, 2024
@kc13greiner kc13greiner self-requested a review March 27, 2024 13:36
@kc13greiner (Contributor)

Heya @juliaElastic!

I was wondering if there was a less broad privilege that could be granted to the kibana_system user on the logs-fleet_server* index than all that would still meet the functionality needed.

In the description, ILM is mentioned. Would a privilege manage_ilm work for these purposes? or could you provide more information about why all is required?

@juliaElastic (Contributor, Author)

> I was wondering if there was a less broad privilege that could be granted to the kibana_system user on the logs-fleet_server* index than all that would still meet the functionality needed.
>
> In the description, ILM is mentioned. Would a privilege manage_ilm work for these purposes? or could you provide more information about why all is required?

Hi @kc13greiner, thanks for the review!

We had an error reported when kibana tried to run ILM to delete:

"error.message": "action [indices:admin/data_stream/delete] is unauthorized for user [kibana_system] with effective roles [kibana_system] on indices [logs-fleet_server.output_health-default], this action is granted by the index privileges [delete_index,manage,all]",

Do you think manage_ilm would be sufficient here? I'm okay to change this to a minimum privilege to run the ILM, AFAIK we don't need anything else.
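Added example, not part of this PR and not Elasticsearch or Kibana code: a small Python script that parses the authorization error quoted above, checks whether a candidate grant appears in the "granted by the index privileges" list that Elasticsearch itself reports (which is what settles the manage_ilm question for this action), and builds and evaluates a `_has_privileges` request to confirm the narrowed `read, delete_index` grant after the change. `_has_privileges` is the real Elasticsearch security API, but the script contacts no cluster: the JSON log wrapping, the sample response and the helper names are constructed for this example.

```python
import json
import re

# Constructed sample log line: the error.message quoted in the PR discussion,
# wrapped as one JSON record (the wrapping is an assumption for this example).
SAMPLE_LOG_LINE = json.dumps({
    "error.message": (
        "action [indices:admin/data_stream/delete] is unauthorized for user "
        "[kibana_system] with effective roles [kibana_system] on indices "
        "[logs-fleet_server.output_health-default], this action is granted by "
        "the index privileges [delete_index,manage,all]"
    )
})

# Matches the shape of Elasticsearch's index-authorization failure message.
_UNAUTHORIZED_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r" with effective roles \[(?P<roles>[^\]]*)\] on indices \[(?P<indices>[^\]]*)\],"
    r" this action is granted by the index privileges \[(?P<privileges>[^\]]*)\]"
)


def parse_unauthorized(log_line):
    """Extract action, user, roles, indices and the privileges that would grant
    the action from a JSON log record; returns None if the line is not such an error."""
    message = json.loads(log_line).get("error.message", "")
    m = _UNAUTHORIZED_RE.search(message)
    if m is None:
        return None
    return {
        "action": m.group("action"),
        "user": m.group("user"),
        "roles": m.group("roles").split(","),
        "indices": m.group("indices").split(","),
        "granting_privileges": m.group("privileges").split(","),
    }


def grant_covers_action(candidate_grant, granting_privileges):
    """True if at least one privilege in the candidate grant is among those
    Elasticsearch reported as sufficient for the failed action."""
    return not set(candidate_grant).isdisjoint(granting_privileges)


def has_privileges_request(indices, privileges):
    """Request body for POST /_security/user/<name>/_has_privileges, used to
    verify a grant after narrowing it."""
    return {"index": [{"names": list(indices), "privileges": list(privileges)}]}


def missing_privileges(response, indices, privileges):
    """Walk a _has_privileges response and list the (index, privilege) pairs
    that came back false; an empty list means the grant is sufficient."""
    missing = []
    for index_name in indices:
        granted = response.get("index", {}).get(index_name, {})
        missing.extend((index_name, p) for p in privileges if not granted.get(p, False))
    return missing


# Constructed sample response, in the real API's shape, for the state after the PR.
SAMPLE_HAS_PRIVILEGES_RESPONSE = {
    "username": "kibana_system",
    "has_all_requested": True,
    "cluster": {},
    "index": {"logs-fleet_server.output_health-default": {"read": True, "delete_index": True}},
    "application": {},
}

if __name__ == "__main__":
    failure = parse_unauthorized(SAMPLE_LOG_LINE)
    print("failed action:", failure["action"])
    print("granting privileges:", failure["granting_privileges"])
    for grant in (["all"], ["manage_ilm"], ["read", "delete_index"]):
        print(grant, "covers action:", grant_covers_action(grant, failure["granting_privileges"]))
    body = has_privileges_request(failure["indices"], ["read", "delete_index"])
    print("verification request:", json.dumps(body))
    print("missing after change:",
          missing_privileges(SAMPLE_HAS_PRIVILEGES_RESPONSE, failure["indices"], ["read", "delete_index"]))
```

The check relies only on the privilege list Elasticsearch puts in its own error message, so it says nothing about privileges that message does not list; against a live cluster, the request body would be sent to `/_security/user/kibana_system/_has_privileges` and the returned document fed to `missing_privileges`.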

@kc13greiner (Contributor)

@juliaElastic

> Do you think manage_ilm would be sufficient here? I'm okay to change this to a minimum privilege to run the ILM, AFAIK we don't need anything else.

I can't say for sure 😅 I'm not as knowledgeable with index privileges as I'd like!

Your latest change to read, delete_index LGTM 🚀

Thanks for reducing it!

@kc13greiner kc13greiner (Contributor) left a review:

LGTM!

kibana_system is allowed higher privileges on logs-* (and this is specifically logs-fleet_server) even though it is a data index, as they are documented as potential collisions here

@juliaElastic juliaElastic merged commit 4c556fc into elastic:main Mar 28, 2024
13 of 14 checks passed
juliaElastic added a commit to juliaElastic/elasticsearch that referenced this pull request Mar 28, 2024
…ndex pattern (elastic#106815)

* Update KibanaOwnedReservedRoleDescriptors.java

* replaced all with read, delete_index
@elasticsearchmachine (Collaborator)

💚 Backport successful

Backported to branches: 8.13, 8.12

elasticsearchmachine pushed a commit that referenced this pull request Mar 28, 2024
…ndex pattern (#106815) (#106863)

* Update KibanaOwnedReservedRoleDescriptors.java

* replaced all with read, delete_index
elasticsearchmachine pushed a commit that referenced this pull request Mar 28, 2024
…ndex pattern (#106815) (#106864)

* Update KibanaOwnedReservedRoleDescriptors.java

* replaced all with read, delete_index
Labels
:Core/Infra/Plugins Plugin API and infrastructure external-contributor Pull request authored by a developer outside the Elasticsearch team >non-issue Team:Core/Infra Meta label for core/infra team Team:Fleet v8.12.3 v8.13.1 v8.14.0
3 participants