Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove apm_user role #116712

Merged
merged 6 commits into from
Nov 18, 2024
+0 −149
Merged

Remove apm_user role #116712

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
98b1435
Remove apm_user role
cauemarcondes Nov 13, 2024
22bcc1a
Merge branch 'main' into remove-apm-user
elasticmachine Nov 14, 2024
8b094f9
Merge branch 'main' into remove-apm-user
elasticmachine Nov 14, 2024
8ec516c
Merge branch 'main' into remove-apm-user
elasticmachine Nov 18, 2024
ba62479
Merge branch 'main' into remove-apm-user
elasticmachine Nov 18, 2024
4f088b4
Merge branch 'main' into remove-apm-user
elasticmachine Nov 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 0 additions & 5 deletions docs/reference/security/authorization/built-in-roles.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,6 @@ roles have a fixed set of privileges and cannot be updated.
Grants access necessary for the APM system user to send system-level data
(such as monitoring) to {es}.

[[built-in-roles-apm-user]] `apm_user` ::
Grants the privileges required for APM users (such as `read` and
`view_index_metadata` privileges on the `apm-*` and `.ml-anomalies*` indices).
deprecated:[7.13.0,"See {kibana-ref}/apm-app-users.html[APM app users and privileges\] for alternatives."].

[[built-in-roles-beats-admin]] `beats_admin` ::
Grants access to the `.management-beats` index, which contains configuration
information for the Beats.
Expand Down
61 changes: 0 additions & 61 deletions ...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -402,67 +402,6 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
"Grants access necessary for the APM system user to send system-level data (such as monitoring) to Elasticsearch.\n"
)
),
entry(
"apm_user",
new RoleDescriptor(
"apm_user",
null,
new RoleDescriptor.IndicesPrivileges[] {
// Self managed APM Server
// Can be removed in 8.0
RoleDescriptor.IndicesPrivileges.builder().indices("apm-*").privileges("read", "view_index_metadata").build(),

// APM Server under fleet (data streams)
RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm.*").privileges("read", "view_index_metadata").build(),
RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm-*").privileges("read", "view_index_metadata").build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices("metrics-apm.*")
.privileges("read", "view_index_metadata")
.build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices("metrics-apm-*")
.privileges("read", "view_index_metadata")
.build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices("traces-apm.*")
.privileges("read", "view_index_metadata")
.build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices("traces-apm-*")
.privileges("read", "view_index_metadata")
.build(),

// Machine Learning indices. Only needed for legacy reasons
// Can be removed in 8.0
RoleDescriptor.IndicesPrivileges.builder()
.indices(".ml-anomalies*")
.privileges("read", "view_index_metadata")
.build(),

// Annotations
RoleDescriptor.IndicesPrivileges.builder()
.indices("observability-annotations")
.privileges("read", "view_index_metadata")
.build() },
new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("kibana-*")
.resources("*")
.privileges("reserved_ml_apm_user")
.build() },
null,
null,
MetadataUtils.getDeprecatedReservedMetadata(
"This role will be removed in a future major release. Please use editor and viewer roles instead"
),
null,
null,
null,
null,
"Grants the privileges required for APM users (such as read and view_index_metadata privileges "
+ "on the apm-* and .ml-anomalies* indices)."
)
),
entry(
"inference_admin",
new RoleDescriptor(
Expand Down
83 changes: 0 additions & 83 deletions .../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3058,89 +3058,6 @@ public void testAPMSystemRole() {
assertNoAccessAllowed(APMSystemRole, XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2));
}

public void testAPMUserRole() {
final TransportRequest request = mock(TransportRequest.class);
final Authentication authentication = AuthenticationTestHelper.builder().build();

final RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("apm_user");
assertNotNull(roleDescriptor);
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));

final String allowedApplicationActionPattern = "example/custom/action/*";
final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana");
Role role = Role.buildFromRoleDescriptor(
roleDescriptor,
new FieldPermissionsCache(Settings.EMPTY),
RESTRICTED_INDICES,
List.of(
new ApplicationPrivilegeDescriptor(
kibanaApplicationWithRandomIndex,
"reserved_ml_apm_user",
Set.of(allowedApplicationActionPattern),
Map.of()
)
)
);

assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false));
assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 12)), is(false));

assertNoAccessAllowed(role, "foo");
assertNoAccessAllowed(role, "foo-apm");
assertNoAccessAllowed(role, "foo-logs-apm.bar");
assertNoAccessAllowed(role, "foo-logs-apm-bar");
assertNoAccessAllowed(role, "foo-traces-apm.bar");
assertNoAccessAllowed(role, "foo-traces-apm-bar");
assertNoAccessAllowed(role, "foo-metrics-apm.bar");
assertNoAccessAllowed(role, "foo-metrics-apm-bar");

assertOnlyReadAllowed(role, "logs-apm." + randomIntBetween(0, 5));
assertOnlyReadAllowed(role, "logs-apm-" + randomIntBetween(0, 5));
assertOnlyReadAllowed(role, "traces-apm." + randomIntBetween(0, 5));
assertOnlyReadAllowed(role, "traces-apm-" + randomIntBetween(0, 5));
assertOnlyReadAllowed(role, "metrics-apm." + randomIntBetween(0, 5));
assertOnlyReadAllowed(role, "metrics-apm-" + randomIntBetween(0, 5));
assertOnlyReadAllowed(role, "apm-" + randomIntBetween(0, 5));
assertOnlyReadAllowed(role, AnomalyDetectorsIndexFields.RESULTS_INDEX_PREFIX + AnomalyDetectorsIndexFields.RESULTS_INDEX_DEFAULT);

assertOnlyReadAllowed(role, "observability-annotations");

assertThat(
role.application().grants(ApplicationPrivilegeTests.createPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"),
is(false)
);
assertThat(
role.application()
.grants(
ApplicationPrivilegeTests.createPrivilege(
kibanaApplicationWithRandomIndex,
"app-reserved_ml_apm_user",
allowedApplicationActionPattern
),
"*"
),
is(true)
);

final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24);
assertThat(
role.application().grants(ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-foo", "foo"), "*"),
is(false)
);
assertThat(
role.application()
.grants(
ApplicationPrivilegeTests.createPrivilege(
otherApplication,
"app-reserved_ml_apm_user",
allowedApplicationActionPattern
),
"*"
),
is(false)
);
}

public void testMachineLearningAdminRole() {
final TransportRequest request = mock(TransportRequest.class);
final Authentication authentication = AuthenticationTestHelper.builder().build();
Expand Down