
Custom role not created when using relevant definition in Secret resource #4738

Closed
pantelis-karamolegkos opened this issue Aug 5, 2021 · 3 comments

Comments

@pantelis-karamolegkos

Bug Report

What did you do?

Tried to create a custom role using a dedicated Secret resource as described here.

Here is the Secret resource:

▶ k get secret roles-secret -o yaml
apiVersion: v1
data:
  roles.yml: Y2xpY2tfYWRtaW5zOgogIHJ1bl9hczogWyAnY2xpY2tzX3dhdGNoZXJfMScgXQogIGNsdXN0ZXI6IFsgJ21vbml0b3InIF0KICBpbmRpY2VzOgogIC0gbmFtZXM6IFsgJ2V2ZW50cy0qJyBdCiAgICBwcml2aWxlZ2VzOiBbICdyZWFkJyBdCiAgICBmaWVsZF9zZWN1cml0eToKICAgICAgZ3JhbnQ6IFsnY2F0ZWdvcnknLCAnQHRpbWVzdGFtcCcsICdtZXNzYWdlJyBdCiAgICBxdWVyeTogJ3sibWF0Y2giOiB7ImNhdGVnb3J5IjogImNsaWNrIn19Jw==
kind: Secret
metadata:
  annotations:
    helm.fluxcd.io/antecedent: elastic:helmrelease/elastic-stack
  creationTimestamp: "2021-08-05T18:06:06Z"
  name: roles-secret
  namespace: elastic
  resourceVersion: "124906226"
  uid: 6411d36e-ae41-415b-97da-e220b9eb5ede
type: Opaque

The decoded value is:

click_admins:
  run_as: [ 'clicks_watcher_1' ]
  cluster: [ 'monitor' ]
  indices:
  - names: [ 'events-*' ]
    privileges: [ 'read' ]
    field_security:
      grant: ['category', '@timestamp', 'message' ]
    query: '{"match": {"category": "click"}}'

And from the definition of Elasticsearch resource:

  spec:
    auth:
      roles:
      - secretName: roles-secret

What did you expect to see?

A custom role click_admins in the Kibana UI in the Stack Management/Roles section.

What did you see instead? Under which circumstances?

The click_admins role was not there (only the reserved / predefined roles were there)

Environment

  • ECK version:

    1.6.0

  • Kubernetes information:


    • Cloud: GKE
    • Kubernetes distribution: GKE


$ kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.0", GitCommit:"cb303e613a121a29364f75cc67d3d580833a7479", GitTreeState:"clean", BuildDate:"2021-04-08T16:31:21Z", GoVersion:"go1.16.1", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.8-gke.900", GitCommit:"28ab8501be88ea42e897ca8514d7cd0b436253d9", GitTreeState:"clean", BuildDate:"2021-06-30T09:23:36Z", GoVersion:"go1.15.13b5", Compiler:"gc", Platform:"linux/amd64"}
  • Resource definition:

Posted above

  • Logs:

No relevant error logs in operator.

@botelastic botelastic bot added the triage label Aug 5, 2021
@MHenn1g

MHenn1g commented Aug 10, 2021

Hi @pantelis-karamolegkos,
as I understand it, this behaviour is to be expected, since this is the file-based role management, as described in more detail in the documentation here: https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-management-file
Basically these roles are not handled by the API; their definition is only handled inside a file held locally in the pod.
You should be able to find it like this:

kubectl exec -it <POD> -- cat config/roles.yml | grep click_admins -A 10
click_admins:
  cluster:
  - monitor
  indices:
  - field_security:
      grant:
      - category
      - '@timestamp'
      - message
    names:
    - events-*

@botelastic botelastic bot removed the triage label Aug 11, 2021
@thbkrkr
Contributor

thbkrkr commented Aug 11, 2021

Indeed, this behaviour is to be expected. As you can read at https://www.elastic.co/guide/en/elasticsearch/reference/current/file-realm.html#file-realm:

You should also be aware that you cannot add or manage users in the file realm via the user APIs and you cannot add or manage them in Kibana on the Management / Security / Users page

Marco's proposal to check the existence of the role is good. Here is another way to check that your role has been taken into account by ECK:

> kubectl get secrets <esName>-es-xpack-file-realm -o json | jq '.data["roles.yml"] | @base64d' -r | grep click_admins -A 10
click_admins:
  cluster:
  - monitor
  indices:
  - field_security:
      grant:
      - category
      - '@timestamp'
      - message
    names:
    - events-*

@thbkrkr thbkrkr closed this as completed Aug 11, 2021
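The check above relies on `grep -A 10`, which cuts a role off after ten lines: in the outputs posted in this thread the `privileges`, `query` (document-level security) and `run_as` entries of click_admins never appear, even though they are in the Secret. The following is an added example, not code from the issue or from ECK, that performs the same verification against the `<esName>-es-xpack-file-realm` Secret but prints the complete block of one role. It embeds a constructed stand-in for the `kubectl get secret ... -o json` output (the issue's click_admins role plus an invented `read_only_logs` role) so it runs offline; `make_secret_json` and the Secret name `example-es-xpack-file-realm` are placeholders for the real kubectl call.

```shell
#!/bin/sh
# Added example: verify that a file-based role rendered by ECK into the
# <esName>-es-xpack-file-realm Secret is complete, printing its whole block
# rather than the first ten lines.

# Constructed sample roles.yml: the click_admins role from the issue plus a
# second, invented role so the block extraction can be seen to stop at the
# next top-level key.
SAMPLE_ROLES_YML=$(cat <<'EOF'
click_admins:
  run_as: [ 'clicks_watcher_1' ]
  cluster: [ 'monitor' ]
  indices:
  - names: [ 'events-*' ]
    privileges: [ 'read' ]
    field_security:
      grant: ['category', '@timestamp', 'message' ]
    query: '{"match": {"category": "click"}}'
read_only_logs:
  cluster: [ 'monitor' ]
  indices:
  - names: [ 'logs-*' ]
    privileges: [ 'read' ]
EOF
)

# Constructed stand-in for:
#   kubectl get secret <esName>-es-xpack-file-realm -o json
# Like the real Secret, roles.yml is carried base64-encoded under .data.
# "example-es-xpack-file-realm" is a placeholder name.
make_secret_json() {
  b64=$(printf '%s\n' "$SAMPLE_ROLES_YML" | base64 | tr -d '\n')
  printf '{"apiVersion":"v1","kind":"Secret","metadata":{"name":"example-es-xpack-file-realm"},"data":{"roles.yml":"%s"}}\n' "$b64"
}

# Decode roles.yml from a Secret JSON document on stdin. sed pulls the
# base64 value of the "roles.yml" key (tolerating the space kubectl prints
# after the colon), so jq is not required.
decode_roles_yml() {
  sed -n 's/.*"roles\.yml": *"\([^"]*\)".*/\1/p' | base64 -d
}

# Print the complete block of one top-level role from roles.yml on stdin.
# A top-level key is a line starting in column 0 with a non-space,
# non-comment character; the block runs until the next such line.
role_block() {
  awk -v key="$1:" '
    /^[^[:space:]#]/ { inblock = ($0 == key) }
    inblock { print }
  '
}

# Exit 0 when the named role is present in the rendered roles.yml.
role_exists() {
  [ -n "$(make_secret_json | decode_roles_yml | role_block "$1")" ]
}

# Number of lines in a role's block (a truncated grep would hide the tail).
role_line_count() {
  make_secret_json | decode_roles_yml | role_block "$1" | wc -l | tr -d ' '
}

# Stand-alone use: print the full definition of the requested role.
make_secret_json | decode_roles_yml | role_block "${1:-click_admins}"
```

Against a live cluster, replace `make_secret_json` with `kubectl get secret <esName>-es-xpack-file-realm -o json`; the rest of the pipeline is unchanged. A role that is present but missing its `query` or `privileges` lines in this output was not rendered the way the Secret defines it.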
@pantelis-karamolegkos
Author

Thanks. Assuming therefore I have indeed managed to create some roles using the file realm, can I later assign users to these roles via the API?

Or should a role created using file realm be assigned ONLY to users also created via file realm?
