Extend fleet-server service account privileges #82600
Allow elastic/fleet-server service account to additionally read, monitor, and refresh traces-apm.sampled-* data streams. These data streams do not contain any sensitive information. Fleet-server itself does not need to perform these actions, but it creates API Keys for APM Server, which does need to.
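The reason the service account needs privileges it never exercises itself is that an Elasticsearch API key can only ever act with the intersection of its creator's privileges and the role descriptors attached to the key. The following is an added illustration, not code from this PR or from Elasticsearch: a simplified model of that intersection, using the privilege names from the PR description as opaque labels and constructed grant tables for the creator and the key.

```python
import fnmatch
from typing import Dict, Set

# Simplified model: index pattern -> set of privilege names.
# Privilege names are opaque labels here; real Elasticsearch maps each one
# to a set of index actions and matches patterns more elaborately.
Grants = Dict[str, Set[str]]

# Constructed baseline for the creator (the elastic/fleet-server service
# account); the values are illustrative, not the real role definition.
FLEET_SERVER_BEFORE: Grants = {
    "logs-*": {"auto_configure", "create_doc"},
    "traces-*": {"auto_configure", "create_doc"},
}

# Same creator after this PR: the extra grant on traces-apm.sampled-*.
FLEET_SERVER_AFTER: Grants = {
    **FLEET_SERVER_BEFORE,
    "traces-apm.sampled-*": {"read", "monitor", "refresh"},
}

# Constructed role descriptor that fleet-server would attach to the API key
# it issues to APM Server (the key only needs these three privileges).
APM_SERVER_KEY_DESCRIPTOR: Grants = {
    "traces-apm.sampled-*": {"read", "monitor", "refresh"},
}


def granted(grants: Grants, index: str, privilege: str) -> bool:
    """True if any pattern in `grants` matches `index` and carries `privilege`."""
    return any(
        fnmatch.fnmatchcase(index, pattern) and privilege in privs
        for pattern, privs in grants.items()
    )


def api_key_allows(owner: Grants, descriptor: Grants, index: str, privilege: str) -> bool:
    """An API key is authorized only when both the creator and the key's own
    role descriptor grant the privilege on the concrete index name."""
    return granted(owner, index, privilege) and granted(descriptor, index, privilege)


def effective_privileges(owner: Grants, descriptor: Grants, index: str) -> Set[str]:
    """Privileges the key actually holds on `index`: everything the descriptor
    requests for it, clipped to what the creator is allowed to do."""
    requested = {
        p for pattern, privs in descriptor.items()
        if fnmatch.fnmatchcase(index, pattern) for p in privs
    }
    return {p for p in requested if granted(owner, index, p)}
```

Run against a concrete backing index such as `traces-apm.sampled-default`, the key carries no usable privilege with the pre-PR grants and exactly read, monitor and refresh with the post-PR grants; any extra privilege requested in the descriptor is clipped rather than escalated.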
Pinging @elastic/es-security (Team:Security)
Not really sure if this should be classified as a bug or not. It's expected that fleet-server should be able to issue API Keys to APM Server that allow it to read/monitor/manage
@axw I remember someone mentioned that this feature would land in 8.1? Is this already shipped?
This change LGTM. But I would like to also get @ph and @joshdover review on this before merging.
@mtojek @jsoriano FYI: The spec around what permissions would be allowed for package-spec gets extended here.
I think that there is no limitation in the package-spec of the permissions that can be used 🤔
UPDATE: This is something requested, not done yet: elastic/package-spec#255
LGTM
...ity/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java
…ecurity/authc/service/ElasticServiceAccounts.java Co-authored-by: Yang Wang <ywangd@gmail.com>
Update docs and tests to match privileges change
...t/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java
@elasticmachine update branch
Failure is genuine but not related to this PR. I raised #82840
@elasticmachine run elasticsearch-ci/part-2
In the interest of getting the issue in apm-server fixed, I'm going to merge this. @ph @joshdover if you have concerns, please do still leave a review and I'll follow up.
Apologies, I meant to approve this PR before 👍
Allow elastic/fleet-server service account to additionally read, monitor, and refresh traces-apm.sampled-* data streams. These data streams do not contain any sensitive information. Fleet-server itself does not need to perform these actions, but it creates API Keys for APM Server, which does need to.
Fixes elastic/fleet-server#1048