[Monitoring] R&D security changes necessary to migrate to reading from MB indices #90660

Closed
chrisronline opened this issue Feb 8, 2021 · 4 comments
Labels
Team:Monitoring Stack Monitoring team

Comments

@chrisronline
Contributor

chrisronline commented Feb 8, 2021

We need to consider what changes we need to make to allow users to read from metricbeat-* from the Stack Monitoring UI. For example, we need to update the reserved role to allow reading from metricbeat-*, or ensure leaving this as-is will not be a problem for users.

Or maybe we can pursue moving away from this resolved role, à la #51296

@chrisronline chrisronline added the Team:Monitoring Stack Monitoring team label Feb 8, 2021
@elasticmachine
Contributor

Pinging @elastic/stack-monitoring (Team:Monitoring)

@igoristic
Contributor

@chrisronline One thing I don't understand is that we're explicitly creating roles/policies for metricbeat-* indices, but we also have a way to change it via: monitoring.ui.metricbeat.index. Do we need a way to detect that and add the same index privileges that metricbeat-* has to the remote_monitoring_agent role?

Also, I was able to fix the "monitoring remote_monitoring_user failed to create alias" issue by using the following role:

POST _xpack/security/role/remote_monitoring_user
{
  "cluster" : [
    "manage_ilm",
    "manage_index_templates",
    "manage_ingest_pipelines",
    "monitor",
    "cluster:admin/ilm/get",
    "cluster:admin/ilm/put",
    "cluster:monitor/xpack/watcher/watch/get",
    "cluster:admin/xpack/watcher/watch/put",
    "cluster:admin/xpack/watcher/watch/delete"
  ],
  "indices" : [
    {
      "names" : [
        ".monitoring-*"
      ],
      "privileges" : [
        "all"
      ],
      "allow_restricted_indices" : false
    },
    {
      "names" : [
        "metricbeat-*"
      ],
      "privileges" : [
        "index",
        "create_index",
        "view_index_metadata",
        "manage",
        "write",
        "manage_ilm",
        "read_cross_cluster"
      ],
      "allow_restricted_indices" : false
    }
  ]
}

This is something that will probably need to be implemented on the ES side similar to how we did it for: elastic/elasticsearch#63750
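
An added example, not part of the original comment and not Kibana or Elasticsearch code: a small check of which index privileges a role body like the one posted above lists for a given index name, which is the question that arises when monitoring.ui.metricbeat.index points at a non-default pattern. The index names are constructed, `custom-mb-*` is a hypothetical custom pattern, only the `*` wildcard is interpreted, and implied privileges are not expanded.

```python
import json
import re

# Constructed sample: the "indices" section of the role body posted above.
ROLE_BODY = json.loads("""
{
  "indices": [
    {"names": [".monitoring-*"], "privileges": ["all"]},
    {"names": ["metricbeat-*"],
     "privileges": ["index", "create_index", "view_index_metadata",
                    "manage", "write", "manage_ilm", "read_cross_cluster"]}
  ]
}
""")


def _matches(pattern, index_name):
    """Simplified matcher: only the '*' wildcard is interpreted (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None


def granted_privileges(role_body, index_name):
    """Union of privilege names listed by every entry whose names match."""
    granted = set()
    for entry in role_body.get("indices", []):
        if any(_matches(p, index_name) for p in entry.get("names", [])):
            granted.update(entry.get("privileges", []))
    return granted


def lists_read(role_body, index_name):
    """True if 'read' or 'all' is listed by name; nothing implied is expanded."""
    return bool(granted_privileges(role_body, index_name) & {"read", "all"})


def audit(role_body, index_names):
    """Map each index name to (sorted privilege names, lists_read result)."""
    return {name: (sorted(granted_privileges(role_body, name)),
                   lists_read(role_body, name))
            for name in index_names}


if __name__ == "__main__":
    # Constructed index names; custom-mb-* stands in for a custom
    # monitoring.ui.metricbeat.index value.
    names = [".monitoring-es-7-2021.02.08", "metricbeat-7.11.0-2021.02.08",
             "custom-mb-2021.02.08"]
    for name, (privs, can_read) in audit(ROLE_BODY, names).items():
        print(f"{name}: read listed={can_read} privileges={privs}")
```

An index name that matches no entry comes back with an empty privilege set, which is how a custom index pattern not covered by the role shows up.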

@chrisronline
Contributor Author

I'd wager a guess that we'd need to follow the same practices the @elastic/logs-metrics-ui team does for this. Perhaps they handle the security of the custom index at the Kibana security level?

@simianhacker
Member

Closed by #71233
