
Conversation

@kubasobon
Member

As part of the entity store feature we need the Kibana system user to be able to access .entities.* indices and manage .entities.*.history* indices.

What is the entity store?

The entity store is a new security feature which extracts entities (hosts & users) from logs and metrics data.

The documents in the .entities.v1.latest.security* index each represent an entity extracted from event data, and properties are added as we see them over time; for example, for a host we store IP, MAC, and OS information, and for a user we store things like email, name, and roles. Documents in .entities.v1.history.* indices represent historical snapshots of entities at certain points in time.

@kubasobon kubasobon self-assigned this Sep 2, 2025
@elasticsearchmachine
Collaborator

@kubasobon please enable the option "Allow edits and access to secrets by maintainers" on your PR. For more information, see the documentation.

@elasticsearchmachine elasticsearchmachine added v9.2.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Sep 2, 2025
@kubasobon kubasobon added >enhancement Team:Security Meta label for security team v9.2.0 and removed external-contributor Pull request authored by a developer outside the Elasticsearch team v9.2.0 labels Sep 2, 2025
@kubasobon kubasobon marked this pull request as ready for review September 4, 2025 08:15
@kubasobon kubasobon requested a review from a team as a code owner September 4, 2025 08:15
@elasticsearchmachine elasticsearchmachine added needs:triage Requires assignment of a team area label and removed Team:Security Meta label for security team labels Sep 4, 2025
@kubasobon kubasobon added the Team:Cloud Security Meta label for Cloud Security team label Sep 4, 2025
@elasticsearchmachine elasticsearchmachine removed the needs:triage Requires assignment of a team area label label Sep 4, 2025
@kubasobon kubasobon added the :Core/Infra/Core Core issues without another label label Sep 4, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Sep 4, 2025
@elasticsearchmachine
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@elasticsearchmachine
Collaborator

Hi @kubasobon, I've created a changelog YAML for you.

@kc13greiner
Contributor

Heya @kubasobon !

Thank you for the detailed description 🚀

2 questions:

  • Does the kibana_system user need read/write to all .entities.* or could it be limited to .entities.*security*?
  • Does the kibana_system user need the create/manage for .entities.*history*?

Just looking for clarification for these additional privileges

@kubasobon
Member Author

Hi @kc13greiner, and thank you for taking a look here.

@kc13greiner
Contributor

@kubasobon

We were looking to widen the permissions to .entities.*, but I can't see the harm in setting it to .entities.security. cc: @hop-dev, @romulets WDYT?

This would be better, if possible. Let me know what you and the team decide

@kubasobon
Member Author

@kc13greiner I went back and checked, unfortunately some of our indices (already in use) include .entities.v1.latest.noop, so .entities.*.security* pattern would not work for us.

@jeramysoucy

@kubasobon Just chiming in as @kc13greiner is on PTO

> I went back and checked, unfortunately some of our indices (already in use) include .entities.v1.latest.noop, so .entities.*.security* pattern would not work for us.

Would it be a pain to create patterns for the applicable security index patterns? e.g. .entities.v1.latest*, .entities.*.security*, etc.
Or am I misunderstanding the scope here, and is everything in .entities.* applicable?

@kubasobon
Member Author

@jeramysoucy Thanks for stepping in! I have widened the scope from .entities.v1.latest.security* to .entities.* as this allows us to cover all the current Entity Store needs:

.entities.*history* is a bit of an outlier and needs extra permissions, since it's entirely managed by Task Manager tasks.
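The scoping question in the comments above (whether .entities.*.security* or .entities.* covers every index the entity store actually uses, and which patterns need more than read/write) comes down to how Elasticsearch matches index-name patterns in a role descriptor. The following added example, which is not code from this PR or from Elasticsearch, evaluates a constructed role descriptor in the shape of a GET _security/role response against the index names mentioned in the thread. The descriptor, the privilege lists per pattern, and the index names ending in security_default are assumptions made for illustration; only the pattern strings themselves are taken from the discussion.

```python
"""Check which .entities.* index names a set of role index patterns covers.

Added example (not from the PR): models Elasticsearch role-descriptor
index patterns, where '*' matches any run of characters including dots.
"""
from fnmatch import fnmatchcase

# Constructed descriptor in the shape of GET _security/role/<name>.
# The patterns come from the PR discussion; the privilege lists per
# pattern are an assumption for illustration, not the merged definition.
KIBANA_SYSTEM_ENTITIES = {
    "indices": [
        {"names": [".entities.*"], "privileges": ["read", "write"]},
        {"names": [".entities.*history*"], "privileges": ["read", "write", "manage"]},
    ]
}

# Constructed index names: the ones named in the thread plus an assumed
# history index following the same naming scheme.
SAMPLE_INDICES = [
    ".entities.v1.latest.security_default",
    ".entities.v1.latest.noop",
    ".entities.v1.history.security_default",
]


def matches(pattern: str, index: str) -> bool:
    """Role-descriptor style wildcard match: '*' spans dots, '?' is one char.

    fnmatchcase is a stand-in for Elasticsearch's automaton matching; it is
    case-sensitive and treats '*' the same way for this purpose.
    """
    return fnmatchcase(index, pattern)


def effective_privileges(role: dict, index: str) -> set:
    """Union of privileges from every index entry whose patterns match."""
    privs = set()
    for entry in role["indices"]:
        if any(matches(p, index) for p in entry["names"]):
            privs.update(entry["privileges"])
    return privs


def has_privileges(role: dict, index: str, required) -> bool:
    """True when the role grants every required privilege on the index."""
    return set(required) <= effective_privileges(role, index)


def uncovered(patterns, indices) -> list:
    """Index names matched by none of the given patterns."""
    return [i for i in indices if not any(matches(p, i) for p in patterns)]


if __name__ == "__main__":
    # The narrower pattern proposed in review leaves the noop index out.
    print("uncovered by .entities.*.security*:",
          uncovered([".entities.*.security*"], SAMPLE_INDICES))
    # The widened pattern covers all of them.
    print("uncovered by .entities.*:", uncovered([".entities.*"], SAMPLE_INDICES))
    for idx in SAMPLE_INDICES:
        print(idx, sorted(effective_privileges(KIBANA_SYSTEM_ENTITIES, idx)))
```

Against a live cluster the same question is answered by POST /_security/user/_has_privileges as the kibana_system user, listing the concrete index names and the privileges the entity store tasks need; the point of the offline check is that a pattern containing a literal segment such as .security will silently exclude any index that does not carry it, which is exactly what happened with .entities.v1.latest.noop.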


@jeramysoucy jeramysoucy left a comment


@kubasobon Thanks for the explanation. We're ok with this, given the needs you've stated above. Thanks for your patience!

@kubasobon kubasobon requested a review from a team as a code owner September 15, 2025 08:21
@kubasobon
Member Author

@jeramysoucy & @kc13greiner Sorry to bother you again, gentlemen, but it seems I missed adding the new index pattern to the viewer and editor roles (it is meant to have the exact same permissions as the latest pattern). I also added kibana-system permissions for the reset index, which I mentioned in the list but forgot to push.

@kubasobon
Member Author

kubasobon commented Sep 16, 2025

Extended dot-index exemption for .entities indices based on #116266

@elasticsearchmachine elasticsearchmachine added the serverless-linked Added by automation, don't add manually label Sep 16, 2025
@kubasobon kubasobon removed the serverless-linked Added by automation, don't add manually label Sep 16, 2025
@kubasobon kubasobon merged commit bdbc642 into main Sep 16, 2025
35 of 36 checks passed
@kubasobon kubasobon deleted the entity-store-history-permissions branch September 16, 2025 15:50
mridula-s109 pushed a commit to mridula-s109/elasticsearch that referenced this pull request Sep 17, 2025
…#133968)

* extend kibana-system permissions for .entities.* indices

* trigger CI

* Update docs/changelog/133968.yaml

* update viewer/editor & add reset management

* fix typos

* [CI] Auto commit changes from spotless

* extend validation exemption on .entities indices

* [CI] Update transport version definitions

---------

Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
gmjehovich pushed a commit to gmjehovich/elasticsearch that referenced this pull request Sep 18, 2025
…#133968)