-
Notifications
You must be signed in to change notification settings - Fork 24.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Granular privilege for GET /_license #94244
Comments
Pinging @elastic/es-security (Team:Security) |
I agree the
We don't advertise that because the exact names are subject to change and hiding them behind the privilege such as However, I think that since Logstash is a 1st party integration we may also want to consider introducing a service account specific for Logstash admin related functions. I am not too familiar with all that might be needed of that account and could be overkill if all you need is to read the license. However, it would be nice to keep first party integrations all working similarly. (note - the idea that the service account is only for admin functions and not for read/write indices) I'm not strongly against more granular (abstracted) privilege to read the license but we need to be careful to avoid an explosion of privileges. |
🤔 as it stands, each licensed Logstash feature is feature-gated by checking for the license using the Elasticsearch connection parameters that will subsequently be used to interact with Elasticsearch, with no abstraction to allow different credentials. This means that guidance for Logstash to use a custom role is effectively telling our users that in order to use any Elastic-licensed feature from Logstash, they will need a custom role that includes this unadvertised and potentially-fragile custom privilege. As it stands, we have 2 Elastic-licensed features, with at least one more on the way:
The solution may be eventually to add first-class license checking to Logstash, so that features that wish to use licensed features can check a Logsash-local API that in turn uses a minimally-privileged credentials to perform the check (possibly piggybacking on the |
Description
Currently, retrieving the license (
GET /_license
) is documented to require themonitor
privilege.When Elasticsearch-external tools like Logstash need to feature-gate licensed features, this requires our users to provide credentials that are larger in scope than would otherwise be necessary.
Would it be possible to introduce a more-granular privilege?
The text was updated successfully, but these errors were encountered: