Granting Kbn System read permissions to read from EP Data stream #74309

Merged
merged 6 commits into from
Jun 18, 2021

@pjhampton (Contributor) commented Jun 18, 2021

Related PR: elastic/kibana#102171

Granting the Kibana System kibana_system user read access to this data stream .ds-metrics-endpoint.policy-*. This will allow Kibana to lift out failures, analyze them and send them home if user configurations allow so.

@pjhampton pjhampton added >non-issue :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.0.0 Team:Security Meta label for security team v7.14.0 labels Jun 18, 2021
@pjhampton pjhampton self-assigned this Jun 18, 2021
@elasticmachine (Collaborator)

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine added the external-contributor Pull request authored by a developer outside the Elasticsearch team label Jun 18, 2021
@pjhampton (Contributor, Author)

@elasticmachine merge upstream

.privileges("all").build(),
// Endpoint / Fleet policy responses. Kibana requires read access to send telemetry
RoleDescriptor.IndicesPrivileges.builder()
.indices(".ds-metrics-endpoint.policy-*")
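
Review bot: on the `.indices(".ds-metrics-endpoint.policy-*")` line, the pattern names `.ds-`-prefixed backing indices rather than a data stream, and the comment above it does not explain that choice. Prefer the data stream name, `metrics-endpoint.policy-*`, or say in the comment why the backing-index pattern is needed. The `.privileges(...)` call for this builder falls outside the lines shown, so check that it grants only `read`, which is all the comment says Kibana requires.
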
@albertzaharovits (Contributor), Jun 18, 2021

  1. "Endpoint / Fleet policy responses" Do such responses contain user data (some type of metrics are OK)? We usually avoid granting Kibana access to user data. Please acknowledge this.

  2. When granting privileges we consider the backing index of a data stream a low level abstraction. Whenever defining roles it is enough to use the data stream name, eg:

Suggested change
.indices(".ds-metrics-endpoint.policy-*")
.indices("metrics-endpoint.policy-*")

This is true in user facing definitions; I'm fine with it like this since this is "hidden".

@pjhampton (Contributor, Author)

> "Endpoint / Fleet policy responses" Do such responses contain user data (some type of metrics are OK)? We usually avoid granting Kibana access to user data. Please acknowledge this.

That's correct - it's being accessed for telemetry usage. These are fleet policy responses that do not contain any PII or sensitive information. They are being accessed to check for failed policy configurations from the context of endpoint installs. This will enable us to improve onboarding/UX and find bugs on our end.

> When granting privileges we consider the backing index of a data stream a low level abstraction. Whenever defining roles it is enough to use the data stream name, ...

Good to know. Thanks!

…security/authz/store/ReservedRolesStore.java

Co-authored-by: Albert Zaharovits <albert.zaharovits@elastic.co>
@pjhampton (Contributor, Author)

@elasticmachine merge upstream

Labels
external-contributor Pull request authored by a developer outside the Elasticsearch team >non-issue :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v7.14.0 v8.0.0-alpha1