
[Monitoring] Add ability for monitoring_user role to read from metricbeat-* #71233

Merged
merged 2 commits into from
May 25, 2021

Conversation

chrisronline
Contributor

Relates to elastic/kibana#90660

The Stack Monitoring UI will soon read from metricbeat-* indices and needs to adjust the reserved role to allow permission to this index.

@elasticsearchmachine elasticsearchmachine added the external-contributor Pull request authored by a developer outside the Elasticsearch team label Apr 2, 2021
@elasticmachine elasticmachine added Team:Data Management Meta label for data/management team Team:Security Meta label for security team labels Apr 2, 2021
@elasticmachine
Collaborator

Pinging @elastic/es-core-features (Team:Core/Features)

@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@jakelandis
Contributor

Changes LGTM from the monitoring side of things ... but let's let the security folks weigh in too.

@jakelandis
Contributor

Looks like there is a checkstyle failure. You can see the exact problem and test the fix with ./gradlew :x-pack:plugin:core:checkstyleMain --info

@albertzaharovits
Contributor

In https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-metricbeat.html, for ingesting monitoring data we say:

If Elasticsearch security features are enabled on the monitoring cluster, you must provide a valid user ID and password so that Metricbeat can send metrics successfully:

Create a user on the monitoring cluster that has the remote_monitoring_agent built-in role. 

and then for visualizing said data, we say:

If the Elastic security features are enabled on the monitoring cluster, you must provide a user ID and password so Kibana can retrieve the data.

Create a user that has the monitoring_user built-in role on the monitoring cluster. 

Given that remote_monitoring_agent can index to both .monitoring* and metricbeat-*, I think it makes sense to permit the monitoring_user to read from all where remote_monitoring_agent can write.

I see no security concerns here.

Just a minor nit, please update ReservedRolesStoreTests#testMonitoringUserRole.

@neptunian

Just a minor nit, please update ReservedRolesStoreTests#testMonitoringUserRole.

@albertzaharovits, @chrisronline is on a different team now so I went ahead and merged this. Our team doesn't typically commit to the elasticsearch repo so if you could make the change you requested, it would be greatly appreciated!

@chrisronline chrisronline deleted the mb_index branch May 25, 2021 15:07
chrisronline added a commit that referenced this pull request May 25, 2021
…beat-* (#71233) (#73371)

* Add ability for monitoring_user role to read from metricbeat-*

* Fix style
@neptunian

@albertzaharovits @chrisronline Do either of you know if I should be seeing this change reflected here:

```
GET /_security/role/monitoring_user
```

response:

```json
{
  "monitoring_user": {
    "cluster": [
      "cluster:monitor/main",
      "cluster:monitor/xpack/info",
      "cluster:monitor/remote/info"
    ],
    "indices": [
      {
        "names": [".monitoring-*"],
        "privileges": ["read", "read_cross_cluster"],
        "allow_restricted_indices": false
      }
    ],
    "applications": [
      {
        "application": "kibana-*",
        "privileges": ["reserved_monitoring"],
        "resources": ["*"]
      }
    ],
    "run_as": [],
    "metadata": { "_reserved": true },
    "transient_metadata": { "enabled": true }
  }
}
```

Still getting failing functional tests likely because of this.
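The check below is an added example, not code from this PR or from Elasticsearch. It replays the reasoning given earlier in the thread (monitoring_user should be able to read wherever remote_monitoring_agent can write) against role documents of the shape returned by GET /_security/role/<name>, using Elasticsearch's index-pattern matching rule where only `*` is a wildcard. The monitoring_user document is the pre-change one posted above; MONITORING_USER_AFTER is an assumed post-change shape with `metricbeat-*` added to the same grant, and REMOTE_MONITORING_AGENT is a constructed stand-in carrying only the two write targets the thread names, not the real built-in role's full definition. Point it at a live cluster's role output to confirm whether a snapshot has picked up the change.

```python
"""Check whether a reader role covers every index a writer role can index to.

Added example; not Elasticsearch code. Role documents are constructed:
MONITORING_USER_BEFORE copies the pre-change role posted in the thread,
MONITORING_USER_AFTER is the assumed post-change shape, and
REMOTE_MONITORING_AGENT is a simplified stand-in for the real built-in role.
"""

# Pre-change monitoring_user, as returned by GET /_security/role/monitoring_user
MONITORING_USER_BEFORE = {
    "cluster": ["cluster:monitor/main", "cluster:monitor/xpack/info",
                "cluster:monitor/remote/info"],
    "indices": [
        {"names": [".monitoring-*"],
         "privileges": ["read", "read_cross_cluster"],
         "allow_restricted_indices": False},
    ],
}

# Assumed shape after this PR: metricbeat-* added to the same read grant.
MONITORING_USER_AFTER = {
    "cluster": MONITORING_USER_BEFORE["cluster"],
    "indices": [
        {"names": [".monitoring-*", "metricbeat-*"],
         "privileges": ["read", "read_cross_cluster"],
         "allow_restricted_indices": False},
    ],
}

# Constructed stand-in: only the two write targets the thread mentions.
REMOTE_MONITORING_AGENT = {
    "indices": [
        {"names": [".monitoring-*", "metricbeat-*"],
         "privileges": ["index", "create_index"]},
    ],
}

# Privileges that imply writing documents / reading documents.
WRITE_PRIVS = {"all", "write", "index", "create", "create_doc"}
READ_PRIVS = {"all", "read"}


def simple_match(pattern, name):
    """Elasticsearch-style index pattern: only '*' is a wildcard.

    '?' and '[...]' are literal characters, which is why fnmatch is not used.
    """
    parts = pattern.split("*")
    if len(parts) == 1:
        return pattern == name
    if not name.startswith(parts[0]):
        return False
    pos = len(parts[0])
    for part in parts[1:-1]:
        idx = name.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    # The last literal must be a suffix that does not overlap consumed text.
    return name.endswith(parts[-1]) and len(name) - len(parts[-1]) >= pos


def has_privilege(role, index_name, privs):
    """True if any index grant of the role matches the name with one of privs.

    allow_restricted_indices is ignored here: none of the sample names are
    restricted system indices.
    """
    for grant in role["indices"]:
        if not set(grant["privileges"]) & privs:
            continue
        if any(simple_match(p, index_name) for p in grant["names"]):
            return True
    return False


def readable_gaps(writer, reader, index_names):
    """Indices the writer role can index to but the reader role cannot read."""
    return [
        n for n in index_names
        if has_privilege(writer, n, WRITE_PRIVS)
        and not has_privilege(reader, n, READ_PRIVS)
    ]


# Constructed sample index names in the shapes Metricbeat and the legacy
# exporters actually create.
SAMPLE_INDICES = [
    ".monitoring-es-7-2021.05.25",
    "metricbeat-7.13.0-2021.05.25",
    "filebeat-7.13.0",  # written by neither role; a control case
]

if __name__ == "__main__":
    for label, role in (("before", MONITORING_USER_BEFORE),
                        ("after", MONITORING_USER_AFTER)):
        gaps = readable_gaps(REMOTE_MONITORING_AGENT, role, SAMPLE_INDICES)
        print(f"monitoring_user {label}: unreadable agent targets = {gaps}")
```

Running it prints a non-empty gap list for the pre-change role (the metricbeat index) and an empty one for the post-change role; the same gap check run against a cluster's live role output is a quick way to tell whether a snapshot build contains this change.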

@albertzaharovits
Contributor

@neptunian It works for me when I pull ES from the 7.x branch. I think the build you're testing hasn't caught up.

@jasonrhodes
Member

@albertzaharovits thanks, do you know how long the delay is to get these changes in the yarn es snapshot flow / aka latest ES snapshots? Our Kibana functional tests are failing with this problem still, a day later. Not sure who to ask on this :)

@jasonrhodes
Member

@albertzaharovits are you comfortable backporting this to the 7.13 branch so it goes out in the next 7.13.x patch release, if there is one? I just realized that Metricbeat 7.13 merged with the ability to ship data to metricbeat-* but without this change, users won't be able to see that data.

cc @sayden @ravikesarwani (for visibility, I'll explain more)

Labels
:Data Management/Monitoring external-contributor Pull request authored by a developer outside the Elasticsearch team :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Data Management Meta label for data/management team Team:Security Meta label for security team v7.13.2 v7.14.0 v8.0.0-alpha1