[elastic-agent] managed apm-server doesn't know its elasticsearch cluster_uuid #145
Pinging @elastic/agent (Team:Agent)
Have not tested this, but this could be a permission issue: the API key provided by Elastic Agent may not have permissions to fetch this information: https://github.com/elastic/beats/blob/master/libbeat/cmd/instance/beat.go#L897 Any chance you could try this out to see if this is the issue?
I checked the keys that exist in my local setup and they're all for user:admin, so I'm not sure if it's that. I was looking at the code you linked to, and it appears that this is called in the clients.

Also, would these permission settings disallow viewing the Elasticsearch root, but allow indexing documents? The API key is provided on each request to Elasticsearch: https://github.com/elastic/beats/blob/4b1f69923b3f2abbbf1860295fe5dbff7db3d63c/libbeat/esleg/eslegclient/connection.go#L419-L421

I'm able to index documents with the managed apm-server, so I'm wondering if the issue is that the initial callback is never registered, because when the managed apm-server starts up, it doesn't have an output? I'm not sure.
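For context, the cluster_uuid lookup in the linked libbeat code amounts to a GET on the Elasticsearch root ("/") and reading one field from the response. A minimal sketch of just the parsing step (the sample response body and its values are illustrative, not taken from the issue):

```python
# Sketch of the cluster_uuid extraction libbeat performs after calling GET /
# on Elasticsearch. The sample body below is made up; the field names match
# the documented ES root response.
import json

def extract_cluster_uuid(root_response_body: str) -> str:
    """Parse the Elasticsearch root ("/") response and return cluster_uuid."""
    doc = json.loads(root_response_body)
    return doc["cluster_uuid"]

# Illustrative response a standalone apm-server would see:
sample = json.dumps({
    "name": "es01",
    "cluster_name": "elasticsearch",
    "cluster_uuid": "5nJ8aXVnQfmW4xQ2LqM9XQ",
    "version": {"number": "7.13.0"},
})
print(extract_cluster_uuid(sample))
```

If the API key lacks the privilege to call GET /, this request fails even though bulk indexing with the same key succeeds, which would match the behavior described above.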
If I remember correctly @blakerouse @michalpristas could you comment on the above? I don't know the details around when exactly the output is loaded / pushed, but this could be it.
@simitt confirmed that
@ruflin any concerns in adding this privilege to Elastic Agent and subprocesses? Where would we need to make the changes? This is critical for enabling metrics collection for the managed apm-server.
Yes, I have concerns about adding these. We recently had a similar conversation in the context of the license check, and we do not want to give each Elastic Agent these permissions.

We should work with the Elasticsearch team to figure out how to avoid requiring the full-blown monitoring permissions just to get the cluster id. (@colings86 I tried to find the issue / conversation related to the license check, but without success.)

There might be another workaround we can do. It is based on the assumption that fleet-server and apm-server always run in a trusted environment. The apm integration could add these permissions to the permission list in the package. I think @axw recently added a feature to the spec to support this.
Is it feasible for Fleet to inject the Elasticsearch cluster UUID into the agent policy?
The feature currently only covers index/data stream privileges. It would have to be extended to support cluster privileges.
@joshdover @jen-huang can you help figure this out? It is the last bit left to fix for supporting apm stack monitoring under elastic agent.
But changing it on the ES side sounds even better. I wonder what the rationale is behind requiring
@joegallo pointed me to setting
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)
At this point in time, that is true. It is likely to always be true, but we don't provide any commitments about the mapping from REST APIs to specific action names, so it's possible something could change without warning in the future. The difficulty is that this approach will expose an internal ES implementation detail (the name of the action that handles
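For reference, scoping an API key is done through role descriptors at key-creation time (the `POST /_security/api_key` API). A hedged sketch of such a request body; since the specific action name under discussion is elided above, the broad, documented `monitor` cluster privilege is shown as a placeholder, and the index names are illustrative:

```json
{
  "name": "apm-server-output",
  "role_descriptors": {
    "apm_writer": {
      "cluster": ["monitor"],
      "index": [
        {
          "names": ["traces-apm*", "metrics-apm*", "logs-apm*"],
          "privileges": ["auto_configure", "create_doc"]
        }
      ]
    }
  }
}
```

The trade-off discussed in this thread is replacing the `"monitor"` entry with something narrower, at the cost of coupling the key to an internal action name.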
@scunningham Pulling you in here too, as it is about increasing privileges.

@jen-huang Regarding "as the user's configured ES host may not be one that Fleet/Kibana can reach": why is this the case? I would assume either Fleet or Fleet Server needs to have credentials to access the monitoring host to create the relevant API keys, so it should be reachable.

I understand that for historical reasons we added the cluster uuid. But it seems odd that something monitoring itself outside Elasticsearch needs to add this as part of the monitoring doc and make a request to Elasticsearch first. And to work around this, we increase permissions for all Elastic Agents, which we shouldn't. What are the alternatives here?
Short term, from my perspective, the option would be to add it through the policy and figure out the long-term plan in parallel. I assume
@ruflin we're looking at implementing a similar solution to what was introduced by @axw, but extending it to include
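The package-spec feature referenced above lets a package manifest declare the Elasticsearch privileges its data streams need. Extending it to cluster scope might look roughly like this; the field names are an assumption modeled on the existing index-privilege syntax, not the final spec:

```yaml
# Hypothetical excerpt of an apm package manifest. The existing spec supports
# index privileges per data stream; this sketches the proposed cluster-level
# section (names here are illustrative, not the final syntax).
elasticsearch:
  privileges:
    cluster:
      - monitor   # placeholder; the goal is a narrower, action-level grant
```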
I was talking specifically about Fleet/Kibana, not Fleet Server. Kibana makes no attempt to reach any output host, so it cannot inject the UUID in the policy directly.
@ruflin Any objections to proceeding with this proposal?
I think that's enough. It means if we ever find ourselves needing to change something about that action (which isn't likely), we know we can put together a plan that would include making sure all the API keys were regenerated, along with a compatibility period where the old action name continued to be supported. Assuming there's testing on the Observability side to ensure that these API keys keep working with new ES releases (which I'm sure there will be), I think it's safe enough for you to add
Going forward with the package-spec proposal works for me. It means the permissions are only given to Elastic Agents that run apm-server, and in general I would argue it can be assumed apm-server runs in a trusted environment. It also means that at any time, if we have a better solution, all we need to do is update the apm package. Going with this short-term solution should not hold us back from finding a proper long-term solution where the cluster uuid is no longer used in this context, or is retrieved differently. @jasonrhodes This likely falls into your area?
Stack monitoring on managed APM Server is working with the changes mentioned above. I believe this issue should now be scoped to the last bit that @ruflin mentioned in #145 (comment); or close this issue and create a new one with the open part.
Let's close this issue. @jasonrhodes Can you take the lead on opening a new issue around the usage of cluster_uuid?
When apm-server is managed by elastic-agent, it doesn't know its elasticsearch cluster_uuid, which is necessary for it to be properly displayed in the stack monitoring UI.
Compare the output of the `/state` endpoint on the managed apm-server with that of a standalone apm-server.