Grant additional privileges for endpoint transform indices to kibana_system #79619
Pinging @elastic/es-security (Team:Security)
…security/authz/store/ReservedRolesStore.java Co-authored-by: David Sánchez <davidsansol92@gmail.com>
@elasticmachine merge upstream
dasansol92
left a comment
LGTM! It fixes an error in Kibana:
[2021-10-21T12:13:01.809+02:00][ERROR][plugins.fleet] Error: cannot rollover data stream {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/rollover] is unauthorized for user [kibana_system] with roles [kibana_system] on indices [.ds-metrics-endpoint.metadata-default-2021.10.21-000001,metrics-endpoint.metadata-default], this action is granted by the index privileges [manage_follow_index,manage,all]"}],"type":"security_exception","reason":"action [indices:admin/rollover] is unauthorized for user [kibana_system] with roles [kibana_system] on indices [.ds-metrics-endpoint.metadata-default-2021.10.21-000001,metrics-endpoint.metadata-default], this action is granted by the index privileges [manage_follow_index,manage,all]"},"status":403}
But I'm not sure if this regex is appropriate or if it will cause other issues. Perhaps we need something more restrictive? So I would like to be sure if this is the expected result before 👍 it.
I've changed this PR to only exclude @dasansol92 could you test again with the most recent changes here?
💔 Backport failed
You can use sqren/backport to manually backport by running
…system (elastic#79619) Co-authored-by: David Sánchez <davidsansol92@gmail.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
It turns out that we do need these privileges during transform upgrades on the source indices for the Endpoint package's transform