Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Granting kibana_system reserved role access to "all" privileges to .internal.alerts* index #76624

Merged
merged 1 commit into from
Aug 18, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,9 @@
import java.util.stream.Collectors;

public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>> {
public static final String LEGACY_ALERTS_INDEX = ".siem-signals*";
public static final String ALERTS_INDEX = ".alerts*";
public static final String ALERTS_LEGACY_INDEX = ".siem-signals*";
public static final String ALERTS_BACKING_INDEX = ".internal.alerts*";
public static final String ALERTS_INDEX_ALIAS = ".alerts*";

public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor("superuser",
new String[] { "all" },
Expand Down Expand Up @@ -404,15 +405,20 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
RoleDescriptor.IndicesPrivileges.builder()
.indices(".fleet*")
.privileges("all").build(),
// Legacy "Alerts as data" index. Kibana user will create this index.
// Kibana user will read / write to these indices
// Legacy "Alerts as data" used in Security Solution.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: "Alerts as data" indices used in Security Solution.

// Kibana user creates these indices; reads / writes to them.
RoleDescriptor.IndicesPrivileges.builder()
.indices(ReservedRolesStore.LEGACY_ALERTS_INDEX)
.indices(ReservedRolesStore.ALERTS_LEGACY_INDEX)
.privileges("all").build(),
// "Alerts as data" index. Kibana user will create this index.
// Kibana user will read / write to these indices
// "Alerts as data" internal backing indices used in Security Solution, Observability, etc.
// Kibana system user creates these indices; reads / writes to them via the aliases (see below).
RoleDescriptor.IndicesPrivileges.builder()
.indices(ReservedRolesStore.ALERTS_INDEX)
.indices(ReservedRolesStore.ALERTS_BACKING_INDEX)
.privileges("all").build(),
// "Alerts as data" public index aliases used in Security Solution, Observability, etc.
// Kibana system user uses them to read / write alerts.
RoleDescriptor.IndicesPrivileges.builder()
.indices(ReservedRolesStore.ALERTS_INDEX_ALIAS)
.privileges("all").build(),
// Endpoint / Fleet policy responses. Kibana requires read access to send telemetry
RoleDescriptor.IndicesPrivileges.builder()
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -400,8 +400,9 @@ public void testKibanaSystemRole() {
".reporting-" + randomAlphaOfLength(randomIntBetween(0, 13)),
".apm-agent-configuration",
".apm-custom-link",
ReservedRolesStore.LEGACY_ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13))
ReservedRolesStore.ALERTS_LEGACY_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13))
).forEach((index) -> {
logger.info("index name [{}]", index);
assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(true));
Expand Down