Grant additional privileges for endpoint transform indices to kibana_system#79619

Merged: joshdover merged 6 commits into elastic:master from joshdover:add-rollover-priv-endpoint on Oct 27, 2021

Conversation

joshdover (Contributor) commented Oct 21, 2021:

It turns out that we do need these privileges during transform upgrades on the source indices for the Endpoint package's transform.

@joshdover joshdover added >enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.0.0 Team:Security Meta label for security team v7.16.0 labels Oct 21, 2021
@joshdover joshdover requested review from kevinlog and ywangd October 21, 2021 11:54
elasticmachine (Collaborator) commented:

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine added the external-contributor Pull request authored by a developer outside the Elasticsearch team label Oct 21, 2021
…security/authz/store/ReservedRolesStore.java

Co-authored-by: David Sánchez <davidsansol92@gmail.com>
joshdover (Contributor, Author) commented:

@elasticmachine merge upstream

dasansol92 (Contributor) left a comment:

LGTM! It fixes an error in kibana:

[2021-10-21T12:13:01.809+02:00][ERROR][plugins.fleet] Error: cannot rollover data stream {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/rollover] is unauthorized for user [kibana_system] with roles [kibana_system] on indices [.ds-metrics-endpoint.metadata-default-2021.10.21-000001,metrics-endpoint.metadata-default], this action is granted by the index privileges [manage_follow_index,manage,all]"}],"type":"security_exception","reason":"action [indices:admin/rollover] is unauthorized for user [kibana_system] with roles [kibana_system] on indices [.ds-metrics-endpoint.metadata-default-2021.10.21-000001,metrics-endpoint.metadata-default], this action is granted by the index privileges [manage_follow_index,manage,all]"},"status":403}

But I'm not sure if this regex is appropriate or if it will cause other issues. Perhaps we need something more restrictive? So I would like to be sure that this is the expected result before 👍 it.

@joshdover joshdover requested a review from pzl October 26, 2021 12:03
joshdover (Contributor, Author) commented Oct 26, 2021:

I've changed this PR to only exclude metrics-endpoint.metadata_current_default from the wildcard metrics-* pattern we use to assign privileges for all other Fleet package data streams. This ensures that we don't grant more privilege than needed for Endpoint's destination indices.

@dasansol92 could you test again with the most recent changes here?

@joshdover joshdover requested a review from dasansol92 October 26, 2021 12:04
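As an added example (not code from this PR or from Elasticsearch), a small Python model of the check behind the 403 quoted above: an index is authorized for indices:admin/rollover only if some role grant covers the index, or the data stream it backs, with one of the granting privileges. The grant list, the name-based exclusion and the backing-index naming rule are assumptions for illustration; the real kibana_system grants live in ReservedRolesStore.java and are not reproduced here.

```python
from fnmatch import fnmatchcase

# Privileges that grant indices:admin/rollover, as listed in the 403 message.
ACTION_PRIVILEGES = {
    "indices:admin/rollover": {"manage_follow_index", "manage", "all"},
}

# Constructed grants: (patterns, excluded names, privileges). Assumption for
# illustration only: a wildcard over Fleet package data streams with the
# Endpoint transform destination index carved out, which gets a narrower grant.
KIBANA_SYSTEM_GRANTS = [
    ({"metrics-*"}, {"metrics-endpoint.metadata_current_default"}, {"manage"}),
    ({"metrics-endpoint.metadata_current_default"}, set(), {"read", "view_index_metadata"}),
]


def backing_index_stream(index):
    """Map a backing index ".ds-<stream>-<yyyy.mm.dd>-<generation>" to <stream>.

    Simplified model of the data stream naming convention; returns None for
    any name that is not a backing index.
    """
    if not index.startswith(".ds-"):
        return None
    parts = index[len(".ds-"):].rsplit("-", 2)
    return parts[0] if len(parts) == 3 else None


def effective_privileges(grants, index):
    """Union of privileges from every grant covering the index or its stream."""
    names = {index}
    stream = backing_index_stream(index)
    if stream:
        names.add(stream)  # privileges on a data stream extend to its backing indices
    privileges = set()
    for patterns, excluded, granted in grants:
        for name in names:
            if name in excluded:
                continue  # explicit carve-out wins over the wildcard
            if any(fnmatchcase(name, pattern) for pattern in patterns):
                privileges |= granted
    return privileges


def is_authorized(grants, action, indices):
    """Every index the action resolves to must carry a granting privilege."""
    needed = ACTION_PRIVILEGES[action]
    return all(effective_privileges(grants, index) & needed for index in indices)
```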

ywangd (Member) left a comment:

LGTM pending CI pass

elasticsearchmachine (Collaborator) commented:

💔 Backport failed

Branch | Result
8.0 | The branch "8.0" is invalid or doesn't exist
7.16 |

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 79619

joshdover added a commit to joshdover/elasticsearch that referenced this pull request Oct 27, 2021
…system (elastic#79619)

Co-authored-by: David Sánchez <davidsansol92@gmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
elasticsearchmachine pushed a commit that referenced this pull request Oct 27, 2021
…system (#79619) (#79893)

Co-authored-by: David Sánchez <davidsansol92@gmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>


Labels

>enhancement external-contributor Pull request authored by a developer outside the Elasticsearch team :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v7.16.0 v8.0.0-beta1
