[Fleet] Reduce permissions. (#90302) (#91084)
* Reduce permissions.

* Change permissions back.

* Reducing permissions on fleet_enroll role

- 'write', 'create_index' -> 'auto_configure', 'create_doc'

* Remove indices:admin/auto_create from privileges.
skh authored Feb 11, 2021
1 parent 55ff85a commit a936fe6
Showing 4 changed files with 10 additions and 53 deletions.
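--- a/x-pack/plugins/fleet/server/services/api_keys/index.ts
+++ b/x-pack/plugins/fleet/server/services/api_keys/index.ts
@@ -22,17 +22,8 @@ export async function generateOutputApiKey(
 cluster: ['monitor'],
 index: [
 {
-names: [
-'logs-*',
-'metrics-*',
-'traces-*',
-'.ds-logs-*',
-'.ds-metrics-*',
-'.ds-traces-*',
-'.logs-endpoint.diagnostic.collection-*',
-'.ds-.logs-endpoint.diagnostic.collection-*',
-],
-privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
+privileges: ['auto_configure', 'create_doc'],
 },
 ],
 },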
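Review bot: API keys that generateOutputApiKey issued before this change keep the role descriptor they were created with, so already-enrolled agents still hold `write`, `create_index` and `indices:admin/auto_create` on the old patterns; nothing in this hunk rotates or invalidates those keys, though that may happen outside the visible lines. If regeneration is not planned, the reduction only protects new enrollments, which is worth stating in the release notes. Above the new `privileges` line I would add `// append-only: create_doc lets the agent index new documents but not update or delete existing ones; auto_configure lets it auto-create the target data stream`. The function starts and ends outside the hunk.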
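--- a/x-pack/plugins/fleet/server/services/setup.ts
+++ b/x-pack/plugins/fleet/server/services/setup.ts
@@ -192,17 +192,8 @@ async function putFleetRole(callCluster: CallESAsCurrentUser) {
 cluster: ['monitor', 'manage_api_key'],
 indices: [
 {
-names: [
-'logs-*',
-'metrics-*',
-'traces-*',
-'.ds-logs-*',
-'.ds-metrics-*',
-'.ds-traces-*',
-'.logs-endpoint.diagnostic.collection-*',
-'.ds-.logs-endpoint.diagnostic.collection-*',
-],
-privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
+privileges: ['auto_configure', 'create_doc'],
 },
 ],
 },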
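Review bot: The `names`/`privileges` literal in putFleetRole is a second copy of the one in generateOutputApiKey (api_keys/index.ts), and two hand-maintained copies of a least-privilege list tend to drift apart. I would hoist both arrays into one exported constant and reference it from both places, so a later change cannot widen one grant without the other. A short comment such as `// .ds-* patterns are not listed: privileges on a data stream also apply to its backing indices` would also record why the shorter list is sufficient. putFleetRole's body continues outside the hunk.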
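--- a/x-pack/test/fleet_api_integration/apis/agents_setup.ts
+++ b/x-pack/test/fleet_api_integration/apis/agents_setup.ts
@@ -60,17 +60,8 @@ export default function (providerContext: FtrProviderContext) {
 cluster: ['monitor', 'manage_api_key'],
 indices: [
 {
-names: [
-'logs-*',
-'metrics-*',
-'traces-*',
-'.ds-logs-*',
-'.ds-metrics-*',
-'.ds-traces-*',
-'.logs-endpoint.diagnostic.collection-*',
-'.ds-.logs-endpoint.diagnostic.collection-*',
-],
-privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
+privileges: ['auto_configure', 'create_doc'],
 allow_restricted_indices: false,
 },
 ],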
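Review bot: The updated literal appears to be compared only against the stored role definition (the surrounding assertion is outside the hunk), so this test checks the shape of the role and not what the role actually permits. A least-privilege change is better pinned by a negative check as well: with credentials limited to this role, an update or delete against a document in a `logs-*` data stream should be rejected with an authorization error. The same applies to the expectations in fleet_setup.ts.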
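--- a/x-pack/test/fleet_api_integration/apis/fleet_setup.ts
+++ b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts
@@ -62,15 +62,8 @@ export default function (providerContext: FtrProviderContext) {
 cluster: ['monitor', 'manage_api_key'],
 indices: [
 {
-names: [
-'logs-*',
-'metrics-*',
-'traces-*',
-'.ds-logs-*',
-'.ds-metrics-*',
-'.ds-traces-*',
-],
-privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+names: ['logs-*', 'metrics-*', 'traces-*'],
+privileges: ['create_doc', 'indices:admin/auto_create'],
 allow_restricted_indices: false,
 },
 ],
@@ -101,17 +94,8 @@ export default function (providerContext: FtrProviderContext) {
 cluster: ['monitor', 'manage_api_key'],
 indices: [
 {
-names: [
-'logs-*',
-'metrics-*',
-'traces-*',
-'.ds-logs-*',
-'.ds-metrics-*',
-'.ds-traces-*',
-'.logs-endpoint.diagnostic.collection-*',
-'.ds-.logs-endpoint.diagnostic.collection-*',
-],
-privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
+privileges: ['auto_configure', 'create_doc'],
 allow_restricted_indices: false,
 },
 ],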
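Review bot: The first hunk's literal ends up as `['create_doc', 'indices:admin/auto_create']` on `logs-*`, `metrics-*` and `traces-*` only, while the second hunk and both server files use `['auto_configure', 'create_doc']` and the commit message says `indices:admin/auto_create` was removed. This is presumably the fixture for a pre-existing role that setup is expected to overwrite (the surrounding test is outside the hunk), but in that case it now describes a mix of old and new privileges that may never have existed on a real cluster. I would either keep the previous privileges in that fixture or mark the intent with a comment such as `// outdated role as it may exist before setup runs; setup must replace it`.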
