-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Service tokens ignore privileges additionally defined by packages #1048
Comments
I'm not sure if this is related, but I've noticed that the
|
@simitt do you have any logs on fleet-server side while trying to create the token? |
@simitt The permissions show up when using username/password, but not with the service token? If that is the case the Fleet Server calls the same API with the same contents no matter basic auth or service token. This makes me think its an issue on the Elasticsearch side. As @jlind23 ask do you have any Elasticsearch logs for this, it might show errors about not being able to assign those permissions. |
There is a single log record from Elasticsearch in our test setup:
The error message doesn't explicitly say so, but I'm pretty sure this is due to lack of API Keys have at most the privileges of the authenticated user. When fleet-server is run with the root user (as we were doing with user/pass auth in our tests previously), that's everything, so fleet-server would produce API Keys with the additional privileges we request. The new RoleDescriptor.IndicesPrivileges[] {
RoleDescriptor.IndicesPrivileges.builder()
.indices(
"logs-*",
"metrics-*",
"traces-*",
"synthetics-*",
".logs-endpoint.diagnostic.collection-*",
".logs-endpoint.action.responses-*"
)
.privileges("write", "create_index", "auto_configure")
.build(), Thus, the maximum set of index privileges API Keys issues by fleet-server is @ruflin this undoes elastic/package-spec#203. How would you suggest we proceed? |
@axw It may be a dumb question but couldn't we add the read right to the elastic/fleet-server service account? |
@jlind23 we could, I'm just not sure if this was intended. If not, then yes we could expand the privileges; if it is intentionally/necessarily limited, we need to go back to the drawing board on elastic/package-spec#203. |
So you can specify privileges in elastic package only if those privileges are already part of fleet-server ones right? |
Right. The ones in the elastic/fleet-server service account define the maximum set of privileges an agent's API Key can be assigned.
Yes, I think so. If not he can redirect :) |
Skips the `TestTailSampling` systemtest until elastic/fleet-server#1048 is resolved. Signed-off-by: Marc Lopez Rubio <marc5.12@outlook.com>
Skips the `TestTailSampling` systemtest until elastic/fleet-server#1048 is resolved. Signed-off-by: Marc Lopez Rubio <marc5.12@outlook.com>
Skips the `TestTailSampling` systemtest until elastic/fleet-server#1048 is resolved. Signed-off-by: Marc Lopez Rubio <marc5.12@outlook.com> (cherry picked from commit 85b95c3)
Skips the `TestTailSampling` systemtest until elastic/fleet-server#1048 is resolved. Signed-off-by: Marc Lopez Rubio <marc5.12@outlook.com> (cherry picked from commit 85b95c3)
As mentioned above, the current assumption is that fleet-server service account has all the permissions needed to hand out to Elastic Agents for ingesting data as it is creating the API keys. Unfortunately in the context of elastic/package-spec#203 we missed this very important detail :-( I wonder why this only showed up now with the removal of username / password as I was hoping we already used service tokens before in our test suites. We likely need a short term fix which is adding the very specific permissions to the fleet-server service account for apm-server to work properly. In parallel we should go back to the drawing board. How broad should the permissions be that the fleet-server service account has? How generic can the permission definition be in a package? Is there another way (through Fleet?) that additional permissions can be passed down? @axw Short term, what are the exact additional permissions we need? |
apmpackage specifies following additional privileges in the package:
Test revealed that the |
I assume the read permissions on this data stream are needed for multiple apm-servers to sync up on sampled traces? What is the monitor permission used for? My currently proposed path forward:
|
We have already evaluated this. The answer is no, not without:
Can we add it for just the one data stream that APM Server needs it? Seems a little bit dirty to have that defined in Elasticsearch, but I think it would be ideal to limit the impact.
👍 I wonder if apm-server should get its own service account. But let's take this somewhere else.
👍 I forget if we're doing this at the moment, but I'm pretty sure we are validating them in Kibana at least. |
I think yes. Could this index contain any confidential info or is purely tracking? |
No. It contains:
|
Elasticsearch PR opened to add privileges for that one data stream pattern: elastic/elasticsearch#82600 |
@simitt I've retargeted the issues and PR to only 8.1.0, to minimise risk. |
Removing the
username/password
and enforcing usage of service tokens (#1006) revealed a bug related to the privileges that the resulting API Keys have. It seems that any additionally defined privileges of the packages are just ignored.Description of the Problem
apmpackage
specifies additional privileges for thetraces-apm.sampled-default
data stream:state/data/state.yml
lists the privileges for the data streams, as configured in the apmpackage:read
privileges with a concrete request confirms that they are indeed missing:The text was updated successfully, but these errors were encountered: