Observability predefined roles #90806

Closed
4 tasks done
sorenlouv opened this issue Feb 9, 2021 · 18 comments
Labels
Team:APM All issues that need APM UI Team support Team:Infra Monitoring UI - DEPRECATED DEPRECATED - Label for the Infra Monitoring UI team. Use Team:obs-ux-infra_services Team:Observability Team label for Observability Team (for things that are handled across all of observability) Team:Uptime - DEPRECATED Synthetics & RUM sub-team of Application Observability v7.13.0

Comments

@sorenlouv
Member

sorenlouv commented Feb 9, 2021

This is part of the effort of providing better default roles for end users.

Progress

The following solutions have added privileges:

  • APM
  • Logs
  • Metrics
  • Uptime

Read only user

{
  "elasticsearch": {
    "cluster": [],
    "indices": [
      // apm
      { "names": ["apm-*", "logs-apm*", "metrics-apm*", "traces-apm*", "observability-annotations"], "privileges": ["read", "view_index_metadata"] },
      // logs
      { "names": ["logs-*", "filebeat-*", "kibana_sample_data_logs*"], "privileges": ["read", "view_index_metadata"] },
      // metrics
      { "names": ["metrics-*", "metricbeat-*"], "privileges": ["read", "view_index_metadata"] },
      // uptime
      { "names": ["heartbeat-*", "synthetics-*"], "privileges": ["read", "view_index_metadata"] }
    ]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "apm": ["read"],
        "logs": ["read"],
        "infrastructure": ["read"],
        "ml": ["read"],
        "uptime": ["read"]
      },
      "spaces": ["*"]
    }
  ]
}

Power user

{
  "elasticsearch": {
    "cluster": [],
    "indices": [
      // apm
      { "names": ["apm-*", "logs-apm*", "metrics-apm*", "traces-apm*"], "privileges": ["read", "view_index_metadata"] },
      { "names": ["observability-annotations"], "privileges": ["read", "write", "view_index_metadata"] },
      // logs
      { "names": ["logs-*", "filebeat-*", "kibana_sample_data_logs*"], "privileges": ["read", "view_index_metadata"] },
      // metrics
      { "names": ["metrics-*", "metricbeat-*"], "privileges": ["read", "view_index_metadata"] },
      // uptime
      { "names": ["heartbeat-*", "synthetics-*"], "privileges": ["read", "view_index_metadata"] }
    ]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "apm": ["all"],
        "logs": ["all"],
        "infrastructure": ["all"],
        "ml": ["all"],
        "uptime": ["all"]
      },
      "spaces": ["*"]
    }
  ]
}

Superuser

Default superuser: Access to everything

@sorenlouv sorenlouv added Team:APM All issues that need APM UI Team support Team:Uptime - DEPRECATED Synthetics & RUM sub-team of Application Observability Team:Infra Monitoring UI - DEPRECATED DEPRECATED - Label for the Infra Monitoring UI team. Use Team:obs-ux-infra_services labels Feb 9, 2021
@elasticmachine
Contributor

Pinging @elastic/uptime (Team:uptime)

@elasticmachine
Contributor

Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui)

@elasticmachine
Contributor

Pinging @elastic/apm-ui (Team:apm)

@sorenlouv sorenlouv changed the title [APM] Observability users for cloud [APM] Observability predefined roles Feb 9, 2021
@sorenlouv sorenlouv added the Team:Observability Team label for Observability Team (for things that are handled across all of observability) label Feb 9, 2021
@sorenlouv sorenlouv changed the title [APM] Observability predefined roles Observability predefined roles Feb 15, 2021
@Kerry350
Contributor

Kerry350 commented Feb 16, 2021

Logs

Read only user

Can be tested by hitting curl -X PUT "<KIBANA_URL>/api/security/role/logs_read_only" --user user:password -H 'Content-Type: application/json' -H 'kbn-xsrf: some-string' with:

{
  "elasticsearch":{
     "cluster":[],
     "indices":[
        {
           "names": ["logs-*", "filebeat-*", "kibana_sample_data_logs*"],
           "privileges":["read", "view_index_metadata"]
        }
    ]
  },
  "kibana":[
     {
        "base": [],
        "feature": {
          "logs": ["read"],
          "ml": ["read"]
        },
        "spaces": ["*"]
     }
  ]
}

(This user will not be able to create alerts, create / recreate ML jobs, or edit the logs source configuration).

Power user

Can be tested by hitting curl -X PUT "<KIBANA_URL>/api/security/role/logs_power_role" --user user:password -H 'Content-Type: application/json' -H 'kbn-xsrf: some-string' with:

{
  "elasticsearch":{
     "cluster":[],
     "indices":[
        {
           "names": ["logs-*", "filebeat-*", "kibana_sample_data_logs*"],
           "privileges":["read", "view_index_metadata"]
        }
    ]
  },
  "kibana":[
     {
        "base": [],
        "feature": {
          "logs": ["all"],
          "ml": ["all"]
        },
        "spaces": ["*"]
     }
  ]
}

@sorenlouv
Member Author

sorenlouv commented Feb 17, 2021

Thanks @Kerry350 . WDYT about updating the issue description with the logs permission to keep it all in a single declaration?

(just leave your comment. It's probably good to have both a combined and separate)

@sorenlouv
Member Author

sorenlouv commented Feb 17, 2021

APM

Read only user

{
  "elasticsearch": {
    "cluster": [],
    "indices": [
      { "names": ["apm-*"], "privileges": ["read", "view_index_metadata"] },
      { "names": ["logs-apm*"], "privileges": ["read", "view_index_metadata"] },
      { "names": ["metrics-apm*"], "privileges": ["read", "view_index_metadata"] },
      { "names": ["traces-apm*"], "privileges": ["read", "view_index_metadata"] }
    ]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "apm": ["read"],
        "ml": ["read"]
      },
      "spaces": ["*"]
    }
  ]
}

Power user

{
  "elasticsearch": {
    "cluster": [],
    "indices": [
      { "names": ["apm-*"], "privileges": ["read", "view_index_metadata"] }
    ]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "apm": ["all"],
        "ml": ["all"]
      },
      "spaces": ["*"]
    }
  ]
}

@Kerry350
Contributor

@sqren Sure, I didn't want to assume and ruin your description 😅 I've merged Logs in with APM in the main declaration.

@Zacqary
Contributor

Zacqary commented Feb 17, 2021

Updated issue description with Metrics permissions.

@jasonrhodes
Member

Thanks @Zacqary ! Can you add just the Metrics definition as a comment here, also? That looks like a good convention.

@Zacqary
Contributor

Zacqary commented Feb 17, 2021

Metrics

Read only

To test: hit curl -X PUT "<KIBANA_URL>/api/security/role/metrics_read_only" --user user:password -H 'Content-Type: application/json' -H 'kbn-xsrf: some-string' with:

{
  "elasticsearch":{
     "cluster": [],
     "indices": [
        {
           "names": ["metrics-*", "metricbeat-*"],
           "privileges": ["read", "view_index_metadata"]
        }
    ]
  },
  "kibana": [
     {
        "base": [],
        "feature": {
          "infrastructure": ["read"],
          "ml": ["read"]
        },
        "spaces": ["*"]
     }
  ]
}

Power user

To test: hit curl -X PUT "<KIBANA_URL>/api/security/role/metrics_power" --user user:password -H 'Content-Type: application/json' -H 'kbn-xsrf: some-string' with:

{
  "elasticsearch":{
     "cluster": [],
     "indices": [
        {
           "names": ["metrics-*", "metricbeat-*"],
           "privileges": ["read", "view_index_metadata"]
        }
    ]
  },
  "kibana": [
     {
        "base": [],
        "feature": {
          "infrastructure": ["all"],
          "ml": ["all"]
        },
        "spaces": ["*"]
     }
  ]
}

@bytebilly
Contributor

Thanks, looks great!
I see that you are using Kibana JSON for role definition, that is slightly different from Elasticsearch JSON.
Is there a strong reason for that? Since role definitions will be stored in Elasticsearch, we can turn into that format at some point.

@Kerry350
Contributor

@bytebilly I'd utilised the same format as APM, so I'll defer to @sqren on whether there was a technical reason.

Would your preference be adherence to this API?

@bytebilly
Contributor

@Kerry350 yes that would be my preferred one, since roles are not Kibana related and will be "translated" into the Elasticsearch DSL anyway.
We are still discussing technical details, but it could be that we'll store predefined roles as Elasticsearch JSON so it is easier to modify/contribute directly with PRs to the Elasticsearch repo.

@shahzad31
Contributor

@sqren for the apm user we also want to add user-experience kibana feature I think.

@legrego
Member

legrego commented Feb 22, 2021

> @sqren for the apm user we also want to add user-experience kibana feature I think.

@shahzad31 isn't the User Experience app bundled inside the existing apm feature?

@sorenlouv
Member Author

sorenlouv commented Feb 23, 2021

> Is there a strong reason for that?

No preference from my side. From conversations with you and the security team (who already did this) it was my impression this was the preferred format but I might have misunderstood something.
Btw. This is the format used by the Security UI in Kibana which I used as a reference point.

@sorenlouv
Member Author

> @shahzad31 isn't the User Experience app bundled inside the existing apm feature?

Yes, the permissions for UX app are already handled via the apm permissions.

@shahzad31
Contributor

shahzad31 commented Mar 1, 2021

UPTIME

Read only user

{
  "elasticsearch": {
    "cluster": [],
    "indices": [
      { "names": ["heartbeat-*"], "privileges": ["read", "view_index_metadata"] },
      { "names": ["synthetics-*"], "privileges": ["read", "view_index_metadata"] }
    ]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "uptime": ["read"]
      },
      "spaces": ["*"]
    }
  ]
}

Power user

{
  "elasticsearch": {
    "cluster": [],
    "indices": [
      { "names": ["heartbeat-*"], "privileges": ["read", "view_index_metadata"] },
      { "names": ["synthetics-*"], "privileges": ["read", "view_index_metadata"] }
    ]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "uptime": ["all"]
      },
      "spaces": ["*"]
    }
  ]
}
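
Keeping both a combined role and per-solution roles, as agreed in this thread, means the two copies can drift apart. The following is an added example (not code from the Kibana project) that flattens the read-only role bodies posted above into grant tuples, diffs the combined role against the union of the per-solution ones, and flags index patterns shadowed by a broader wildcard; the helper names and the trailing-`*`-only wildcard handling are assumptions.

```python
# Added example. Role bodies below are transcribed from this thread.
R = ["read", "view_index_metadata"]

def mk(index_groups, features):
    """Build a role body in the Kibana role API shape used in this thread."""
    indices = [{"names": n, "privileges": p} for n, p in index_groups]
    return {"elasticsearch": {"cluster": [], "indices": indices},
            "kibana": [{"base": [], "feature": features, "spaces": ["*"]}]}

LOGS = mk([(["logs-*", "filebeat-*", "kibana_sample_data_logs*"], R)],
          {"logs": ["read"], "ml": ["read"]})
APM = mk([(["apm-*"], R), (["logs-apm*"], R), (["metrics-apm*"], R),
          (["traces-apm*"], R)], {"apm": ["read"], "ml": ["read"]})
METRICS = mk([(["metrics-*", "metricbeat-*"], R)],
             {"infrastructure": ["read"], "ml": ["read"]})
UPTIME = mk([(["heartbeat-*"], R), (["synthetics-*"], R)], {"uptime": ["read"]})
COMBINED = mk(
    [(["apm-*", "logs-apm*", "metrics-apm*", "traces-apm*",
       "observability-annotations"], R),
     (["logs-*", "filebeat-*", "kibana_sample_data_logs*"], R),
     (["metrics-*", "metricbeat-*"], R), (["heartbeat-*", "synthetics-*"], R)],
    {"apm": ["read"], "logs": ["read"], "infrastructure": ["read"],
     "ml": ["read"], "uptime": ["read"]})

def grants(role):
    """Flatten a role into a set of (kind, name, privilege) tuples."""
    es, out = role["elasticsearch"], set()
    out |= {("cluster", "*", p) for p in es["cluster"]}
    for g in es["indices"]:
        out |= {("index", n, p) for n in g["names"] for p in g["privileges"]}
    for k in role["kibana"]:
        out |= {("base", s, p) for s in k["spaces"] for p in k["base"]}
        out |= {("feature", f, p) for f, ps in k["feature"].items() for p in ps}
    return out

def drift(combined, parts):
    """Return (grants only in combined, grants only in the per-solution roles)."""
    merged = set().union(*(grants(r) for r in parts))
    return sorted(grants(combined) - merged), sorted(merged - grants(combined))

def read_only_violations(role):
    """Grants beyond index read/view_index_metadata and feature read."""
    ok = {"index": {"read", "view_index_metadata"}, "feature": {"read"}}
    return sorted(g for g in grants(role) if g[2] not in ok.get(g[0], set()))

def shadowed(role):
    """Index patterns already covered by a broader trailing-* pattern."""
    names = {n for kind, n, _ in grants(role) if kind == "index"}
    return sorted({n for n in names for w in names
                   if w != n and w.endswith("*") and n.startswith(w[:-1])})
```

Run against the definitions in this thread, `drift` reports that only the combined role grants access to `observability-annotations`, and `shadowed` reports that `logs-apm*` and `metrics-apm*` add nothing once `logs-*` and `metrics-*` are present in the same role.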
