-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Synthetics] Make core API key include
read_ilm
privilege in Statef…
…ul only (#178897) ## Summary Resolves elastic/synthetics-dev#332. ILM is not a concept in Serverless. As such, when the Synthetics plugin requests the `read_ilm` permission for its core API key during bootstrapping, it's asking for a priv that will eventually not exist on Serverless, and ES will give an explicit deny for the request, which will probably cause Synthetics to crash and not be functional. The fix is to detect the build type at startup time and enable the server plugin to determine whether it needs to include this privilege or not, based on whether Kibana is running in stateful or serverless mode. ## Testing You can easily test this in both modes. The steps are the same. _NOTE:_ when testing serverless, if you include the flag ` -E xpack.security.authz.has_privileges.strict_request_validation.enabled=true` this will simulate the manner in which Elasticsearch will explicit deny the API creation request when this is enabled in the MKI environment, and thus you should include it in your testing. 1. Start up Kibana in serverless | stateful mode. 2. As an admin, navigate to Synthetics and wait for the startup flow to display. 3. Navigate to Kibana management's API key page. You should see the Synthetics API key. Click it. 4. For stateful, you should see `read_ilm` included under the `synthetics_writer` object, shown below. For serverless, you should not see this priv in the list. ### Stateful API key perms <img width="1834" alt="image" src="https://github.com/elastic/kibana/assets/18429259/09048a7d-dcea-420e-bef5-87f86e447791"> ### Serverless API key perms <img width="1844" alt="image" src="https://github.com/elastic/kibana/assets/18429259/9a2a7f6b-6c6a-42f9-a47a-2ee157b2692b">
- Loading branch information
1 parent
7b2f0e2
commit 15fde36
Showing
8 changed files
with
82 additions
and
60 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters