[Meta] Use kibana_system to write to .fleet-* indices
#120090
Comments
joshdover
added
Meta
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@ashokaditya I'd like to open a PR for 8.0 that switches this ES call over to always use the internal user: This will help prevent issues where the "Isolate host" button would when Elasticsearch is upgraded to 8.1 (the version where superuser will not have write access to this index) but Kibana hasn't yet been upgraded. Since we'll be switching over to use the internal user, we need to ensure the end-user making the request to Kibana should have the ability to create these actions. What authz check should be added to verify this user should have access to this action or can I rely on the existing checks? |
@joshdover I believe you can rely on the existing checks. If the user is a @paul-tavares @ashokaditya - let me know if that makes sense |
|
Yes, this makes sense to me. A user should have full access to fleet in order to create actions - at least from our Endpoint perspective. @joshdover you should also get some feedback from the OSQuery team - I'm pretty sure they also use this index. cc/ @pzl since he did the initial implementation of isolation support |
|
Thanks, @paul-tavares. I took a look at the OSQuery code and they're using internal user for all writes so I don't think there's any issue there. |
We are considering not allowing superuser to write Fleet's
.fleet-*system indices in a future 8.x release. Only the kibana_system (internal user) will be able to write to these indices. This requires that we update all places where we are writing to these indices to use kibana_system and add any necessary, explicit authz checks. These authz checks should be checking against thecontext.fleet.authz.fleet.allproperty added in #119199..fleet-enrollment-api-keys.fleet-agents.fleet-policiesand.fleet-policies-leader.fleet-serversresolver_generator_script:kibana/x-pack/plugins/security_solution/common/endpoint/data_loaders/index_fleet_server.ts
Line 33 in f1aae77
.fleet-actionsand.fleet-actions-resultsresolver_generator_script:kibana/x-pack/plugins/security_solution/common/endpoint/data_loaders/index_fleet_actions.ts
Line 140 in f1aae77
kibana/x-pack/plugins/security_solution/common/endpoint/data_loaders/index_fleet_actions.ts
Line 80 in f1aae77
kibana/x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
Line 219 in f1aae77
.fleet-artifactskibana/x-pack/plugins/fleet/server/plugin.ts
Line 383 in f1aae77
@kevinlog I believe the only product-facing impact remaining is the
.fleet-actionswrite being done in the isolation endpoint. It seems thisresolver_generator_scriptis a dev tool that we could fix out of band. Would you agree?The text was updated successfully, but these errors were encountered: