-
Notifications
You must be signed in to change notification settings - Fork 24.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add elastic/enterprise-search-server service account #83325
Add elastic/enterprise-search-server service account #83325
Conversation
aca19ed
to
4a2a37a
Compare
"enterprise-search-server", | ||
new RoleDescriptor( | ||
NAMESPACE + "/enterprise-search-server", | ||
new String[] { "manage", "manage_ilm", "manage_index_templates", "manage_security", "monitor" }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
manage_security
is a very powerful privilege which basically means the account has unbounded privilege. Is it necessary for enterprise search's use case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Enterprise Search needs to be able to create/modify native users and Elasticsearch roles.
Is there a different privilege that could be used for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for clarification. In this case, manage_security
is the privilege to go. We don't have separate privileges for working with users and roles only.
I understand this must be how Enterprise Search always works. But it would be great if we could learn about its details and potentially work out something that allows us moving away from manage_security
in future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another point is about the manage
privilege, it covers all manage_ilm
, manage_index_templates
and monitor
(but not manage_security
). It is also a powerful privilege. What actions do Enterprise Search need it for?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
manage_ilm
- Enterprise Search creates several data streams for logging events, for example analytics events or API logs. These data streams have an ILM policy that is created by Enterprise Search.
manage_index_templates
- we use composable index templates for these data streams to ensure that they are ECS compatible
monitor
- Enterprise Search needs cluster information, such as the cluster health and node information. For example, when Enterprise Search starts, it waits for the cluster to be healthy. Node information is useful to determine what plugins are available, for example we use analysis-icu
if it is available.
I understand this must be how Enterprise Search always works. But it would be great if we could learn about its details and potentially work out something that allows us moving away from manage_security in future.
I agree. Is there an issue if we remove this cluster privilege for the service account some time in future when Enterprise Search no longer needs it? I don't think it is, but just asking to be sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree. Is there an issue if we remove this cluster privilege for the service account some time in future when Enterprise Search no longer needs it? I don't think it is, but just asking to be sure.
If we don't have Enterprise Search on older versions talking to ES on new versions with reduced privieges, it should not be an issue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ioanatia Thanks for clarifing the intended usage for manage_ilm
, manage_index_templates
and monitor
. Do they already cover all that is necessary for Enterprise Search? Sorry if it wasn't clear, but my original question was whether we can drop manage
if there is nothing else required outside of the three more fine-grained privileges. Examples of extra privileges granted by manage
are manage_ml
, manage_watcher
, manage_slm
, manage_pipeline
etc. Do Enterprise Searh need any of these extra privileges?
.privileges( | ||
"create", | ||
"create_index", | ||
"delete", | ||
"delete_index", | ||
"index", | ||
"manage", | ||
"manage_ilm", | ||
"monitor", | ||
"read", | ||
"view_index_metadata", | ||
"write" | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The manage
privilege covers create_index
, delete_index
, manage_ilm
, monitor
and view_index_metadata
. The write
privilege covers create
, delete
and index
. So this list can be simplied down to ["read", "write", "manage"]
.
Above privileges combined are very close to the all
privilege. The only actions that are not granted are proxy CCS related ones, e.g. internal:transport/proxy/indices:data/read/*
. Is CCS something enterprise search needs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is CCS something enterprise search needs?
I don't think we need it at this stage, so we can just change this to ["read", "write", "manage"]
as you suggested.
Pinging @elastic/es-security (Team:Security) |
The v7 REST compat test fails because there are now 3 service accounts instead of 2. This particular yaml test was not well written to be friendly for REST compat test. For now, I suggest that we skip it. I raised #83564 and will fix it with a separate PR. You can skip the test by apply the following patch. Thanks! diff --git a/x-pack/plugin/build.gradle b/x-pack/plugin/build.gradle
index ce010eae6b3..1ec97158200 100644
--- a/x-pack/plugin/build.gradle
+++ b/x-pack/plugin/build.gradle
@@ -113,6 +113,7 @@ tasks.named("yamlRestTestV7CompatTransform").configure{ task ->
task.skipTest("indices.freeze/20_stats/Translog stats on frozen indices", "#70192 -- the freeze index API is removed from 8.0")
task.skipTest("indices.freeze/10_basic/Basic", "#70192 -- the freeze index API is removed from 8.0")
task.skipTest("indices.freeze/10_basic/Test index options", "#70192 -- the freeze index API is removed from 8.0")
+ task.skipTest("service_accounts/10_basic/Test get service accounts", "new service accounts are added")
task.replaceValueInMatch("_type", "_doc")
task.addAllowedWarningRegex("\\[types removal\\].*") |
a1d262e
to
c54ada6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Also answer my own question: I noticed that the test asserts privilege for updating cluster setting, which requires the manage
cluster privilege.
// manage | ||
assertThat(role.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: cluster health is covered by the monitor
privilege.
Hi @ioanatia, I've created a changelog YAML for you. |
Add an
elastic/enterprise-search-server
service account similar toelastic/kibana
andelastic/fleet-server
.Still WIP because I might need to adapt some tests and also need to test it a bit more with Enterprise Search.