Allow access to restricted system indices for reserved system roles #76845
Conversation
williamrandolph
added
:Core/Infra/Core
elasticmachine
added
Team:Core/Infra
|
Pinging @elastic/es-security (Team:Security) |
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
|
I verified this resolved the startup issue we're seeing with the promotion of the nightly snapshot for Kibana. |
| .indices("*") | ||
| .privileges("view_index_metadata", "monitor").build(), | ||
| .privileges("view_index_metadata", "monitor") | ||
| .allowRestrictedIndices(true).build(), |
There was a problem hiding this comment.
This change allows the kibana_system user to have some access to the .security index. I don't think this is what we want.
There was a problem hiding this comment.
I went through the list of system indices and pared down where I was allowing restricted indices to just the places where we are dealing with system indices, so I hope I've addressed this concern.
There was a problem hiding this comment.
Yes the change addressed my previous comment, thanks. But we still have another semantic change: before the #74212, this index privilege allow kibana to monitor and view_index_metadata for indices like .watches, .triggered_watches. These indices are now no longer accessible for kibana_system. Maybe this is the right thing to do. But I'd like to double check whether this is intentional.
|
It looks to me like this issue slipped through because Can we update it to include the complete set of out-of-the-box system indices? |
A missing piece in elastic#74212 was system index patterns in the tests for the ReservedRolesStore. Without these patterns, the tests did not accurately check whether a role was incorrectly accessing a system index that was not previously a restricted index. This commit adds all of the current system index patterns to the test class and adds restricted index access to the system roles that need it for tests to pass.
|
Thanks for the pointer. I think that is exactly the issue. I've manually added all the system index patterns to the |
williamrandolph
changed the title
...core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
Outdated
Show resolved
Hide resolved
...core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
Outdated
Show resolved
Hide resolved
| .indices("*") | ||
| .privileges("view_index_metadata", "monitor").build(), | ||
| .privileges("view_index_metadata", "monitor") | ||
| .allowRestrictedIndices(true).build(), |
There was a problem hiding this comment.
Yes the change addressed my previous comment, thanks. But we still have another semantic change: before the #74212, this index privilege allow kibana to monitor and view_index_metadata for indices like .watches, .triggered_watches. These indices are now no longer accessible for kibana_system. Maybe this is the right thing to do. But I'd like to double check whether this is intentional.
There was a problem hiding this comment.
The way how privileges are granted to restricted indices feels brittle to me. It requires checking and matching names from different places carefully (as well as adding them to tests). But maybe it is because this PR is a one-time mass update. It may feel alright for future smaller changes. Also I don't have a good suggestion for alternatives.
I think we need a conclusion on kibana_system's monitor and view_index_metadata access for *. Should we strictly maintain the previous semantic or are we ok to change? I am ok either way as long as we are conscious on the decision. Thanks!
|
@ywangd In the I think it could be argued that we should exclude other system indices from data telemetry, but I'm not sure about that, and I don't want it to hold up getting this merged. |
|
@elasticmachine test this please |
There was a problem hiding this comment.
LGTM
I think it could be argued that we should exclude other system indices from data telemetry
I tend to agree especially this change is 8.0 only. But I am not familiar with all system indices and how they should be surfaced by Kibana. I think it needs input from people who are more familiar with its usage (maybe a round of emails?). For this PR, I think maintaining the exact same semantic is the safest.
Can I also suggest we add a few more assertions about kibana_system cannot view metadata or monitor .security* and .async-search*? The current assertions only ensure no read or write access to the indices, but not metadata level access. I think this is also why the test didn't tripped on the first version of this PR.
|
@ywangd Thank you for the review and for the final suggestion about checking the metadata privileges. I've added the test for it. @tylersmalley I'll be letting tests run overnight and merging this first thing tomorrow. Apologies for the delays. |
I think there is where we should end up. |
After we merged #74212 , the Kibana team saw permissions errors at startup.
The cause of this is that all system indices are now restricted indices from the perspective of security, when previously the only restricted indices were security and async search indices. In that PR, we didn't update the reserved system roles so that the ones that access system indices have
allowRestrictedIndices = true.We can find the roles that need this change by adding system index patterns to the
TestRestrictedIndicesclass and looking for failures inReservedRolesStoreTests.The fixes for the particular kibana issue are the updates to the
kibana_systemrole.