Fleet should restrict the permissions on the keys. #89713

Closed
ph opened this issue Jan 29, 2021 · 4 comments · Fixed by #90302
Labels
bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team technical debt Improvement of the software architecture and operational architecture

Comments

@ph
Contributor

ph commented Jan 29, 2021

In the following code, we give more permissions to the API than we would like to. We should restrict the permissions to the data stream and not the backing indices, and we should only use minimal permissions.

names: [
  'logs-*',
  'metrics-*',
  'traces-*',
  '.ds-logs-*',
  '.ds-metrics-*',
  '.ds-traces-*',
],
privileges: ['write', 'create_index', 'indices:admin/auto_create'],
allow_restricted_indices: false,

{
	"fleet-output": {
		"cluster": ["monitor"],
		"index": [{
			"names": [
				"logs-*",
				"metrics-*",
				"traces-*"
			],
			"privileges": [
				"create_doc",
				"indices:admin/auto_create"
			]
		}]
	}
}
@ph ph added bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team labels Jan 29, 2021
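
The comparison in the issue description, as an added example that is not part of the original issue or Kibana's code: a small TypeScript audit that checks role descriptors for an output API key against the proposed allowlist and reports every index pattern or privilege that exceeds it. The function name, the allowlist constants and the `fleet-output` wrapper around the current grant are assumptions.

```typescript
// Added example (not Kibana code): audit role descriptors for an output API key
// against the least-privilege shape proposed in this issue.
interface IndexEntry { names: string[]; privileges: string[]; allow_restricted_indices?: boolean }
interface RoleDescriptor { cluster?: string[]; index?: IndexEntry[] }
type Roles = { [name: string]: RoleDescriptor };

// Allowlists copied from the proposed descriptor; anything else is reported.
const ALLOWED_CLUSTER = ['monitor'];
const ALLOWED_NAMES = ['logs-*', 'metrics-*', 'traces-*'];
const ALLOWED_INDEX_PRIVS = ['create_doc', 'indices:admin/auto_create'];

function auditRoleDescriptors(roles: Roles): string[] {
  const findings: string[] = [];
  for (const role of Object.keys(roles)) {
    const desc = roles[role];
    for (const priv of desc.cluster || []) {
      if (ALLOWED_CLUSTER.indexOf(priv) < 0) findings.push(`${role}: cluster privilege ${priv}`);
    }
    for (const entry of desc.index || []) {
      for (const name of entry.names) {
        // '.ds-' patterns address backing indices directly instead of the data stream.
        if (name.indexOf('.ds-') === 0) findings.push(`${role}: backing index pattern ${name}`);
        else if (ALLOWED_NAMES.indexOf(name) < 0) findings.push(`${role}: unexpected pattern ${name}`);
      }
      for (const priv of entry.privileges) {
        if (ALLOWED_INDEX_PRIVS.indexOf(priv) < 0) findings.push(`${role}: index privilege ${priv}`);
      }
      if (entry.allow_restricted_indices === true) findings.push(`${role}: allow_restricted_indices enabled`);
    }
  }
  return findings;
}

// Constructed inputs: the two snippets from the issue. The 'fleet-output' wrapper
// around the current (broad) grant is an assumption; the issue shows only its fields.
const currentGrant: Roles = {
  'fleet-output': { index: [{
    names: ['logs-*', 'metrics-*', 'traces-*', '.ds-logs-*', '.ds-metrics-*', '.ds-traces-*'],
    privileges: ['write', 'create_index', 'indices:admin/auto_create'],
    allow_restricted_indices: false,
  }] },
};
const proposedGrant: Roles = {
  'fleet-output': { cluster: ['monitor'], index: [{
    names: ['logs-*', 'metrics-*', 'traces-*'],
    privileges: ['create_doc', 'indices:admin/auto_create'],
  }] },
};
console.log(auditRoleDescriptors(currentGrant), auditRoleDescriptors(proposedGrant));
```

A check like this can run in a unit test next to the code that builds the API key request, so a later widening of the grant fails the build.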
@elasticmachine
Contributor

Pinging @elastic/ingest-management (Team:Ingest Management)

@jen-huang
Contributor

Does this overlap/dupe with #89682?

@ruflin
Contributor

ruflin commented Feb 1, 2021

@jen-huang Yep, I think it's a duplicate. We had a quick chat about it and it seems both of us decided to take action on it :-D

@ph ph added the technical debt Improvement of the software architecture and operational architecture label Feb 1, 2021
@skh skh self-assigned this Feb 2, 2021
@ph
Contributor Author

ph commented Feb 3, 2021

Just to make sure there is no confusion in the implementation, let's use the permissions as defined in the description above. They will be better than what we have today and more locked down. When the new roles are done we can lock it down even more: elastic/elasticsearch#68414. Going to create an issue and ask them to ping us.
