Remove duplicate cluster privilege for pipeline management #55640

Open
jaymode opened this issue Apr 23, 2020 · 2 comments
Labels
:Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team

Comments


jaymode commented Apr 23, 2020

During the development of version 5.0, two cluster-level privileges were added for the management of pipelines: manage_pipeline and manage_ingest_pipelines. manage_ingest_pipelines was added as part of monitoring during an attempt to future-proof monitoring documents with the use of an ingest pipeline that was empty. manage_pipeline was added as part of a role for the add data feature in Kibana. The manage_pipeline name was the name chosen by the security team at that time, and the manage_ingest_pipelines name was not reviewed by the security team.

My opinion is that the manage_ingest_pipelines name should be deprecated and removed in favor of the manage_pipeline name based on the history.

@jaymode jaymode added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC team-discuss labels Apr 23, 2020
@elasticmachine

Pinging @elastic/es-security (:Security/Authorization)


jkakavas commented May 7, 2020

We discussed this in our team meeting today. We decided that it makes sense to keep one of the two privileges.

Short term actions:

  • Remove manage_ingest_pipelines from the documentation
  • Remove manage_ingest_pipelines from the response of Get builtin privileges

Tracked here

Mid term actions:

  • Deprecate and remove the duplicate privilege. We believe that there should be a generic way to handle this kind of deprecation and we currently do not have one. This is not the first time such a need comes up and it won't be the last, so I will ping @gwbrown to discuss a possible plan.
