Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security - kibana_system - add delete privileges for synthetics #85844

Merged
merged 6 commits into from
Apr 20, 2022
Merged

Security - kibana_system - add delete privileges for synthetics #85844

merged 6 commits into from
Apr 20, 2022

Conversation

dominiqueclarke
Copy link
Contributor

@dominiqueclarke dominiqueclarke commented Apr 12, 2022
edited
Loading

Resolves elastic/uptime#467

As part of elastic/uptime#462, Uptime will introduce default ILM policies with default delete phases for the synthetics-http, synthetics-tcp, synthetics-icmp, synthetics-brower, synthetics-browser.network and synthetics-browser.screenshot data sets.

To support this work, the Kibana system user must have extended privileges to delete data streams associated with these data sets.

@elasticsearchmachine elasticsearchmachine added v8.3.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Apr 12, 2022
@dominiqueclarke dominiqueclarke added :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team labels Apr 12, 2022
@dominiqueclarke dominiqueclarke marked this pull request as ready for review April 12, 2022 20:38
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@dominiqueclarke dominiqueclarke changed the title security - kibana_system - add delete privileges for synthetics Security - kibana_system - add delete privileges for synthetics Apr 12, 2022
@ywangd
Copy link
Member

ywangd commented Apr 12, 2022

ping @elastic/kibana-security

azasypkin
azasypkin reviewed Apr 13, 2022
View reviewed changes
...core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -777,7 +777,13 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
"metrics-apm-*",
"metrics-apm.*-*",
"traces-apm-*",
"traces-apm.*-*"
"traces-apm.*-*",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: it'd make sense to mention Synthetics in the comment above.

...core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
Comment on lines +781 to +786
"synthetics-http-*",
"synthetics-icmp-*",
"synthetics-tcp-*",
"synthetics-browser-*",
"synthetics-browser.network-*",
"synthetics-browser.screenshot-*"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: do we document these patterns anywhere like we do for APM patterns (dataset part in particular, http/icmp/tcp/browser/browser.network/browser.screenshot)? I wanted to make sure there are no typos in the names and so on, but couldn't quickly find any references.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately no, we do have this docs ticket where we will address in the future elastic/synthetics#286

@joshdover joshdover mentioned this pull request Apr 14, 2022
Open
joshdover
joshdover approved these changes Apr 14, 2022
View reviewed changes
Copy link
Contributor

@joshdover joshdover left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed this matches the needs of the new ILM policies added in elastic/integrations#2744

@dominiqueclarke
Copy link
Contributor Author

@azasypkin @joshdover I'm not a ES contributor, so I'm hoping one of you can tell me what elasticsearch-ci/part-1-fips is and if I need to worry about the CI failure there.

Also, I have not updated this branch in a week. Do I need to merge upstream similar to Kibana?

@ywangd
Copy link
Member

ywangd commented Apr 20, 2022

@elasticmachine update branch

@ywangd
Copy link
Member

ywangd commented Apr 20, 2022

@dominiqueclarke The above "update branch" should most likely fixes the CI failure.

@dominiqueclarke dominiqueclarke merged commit 80f9050 into elastic:master Apr 20, 2022
@dominiqueclarke dominiqueclarke deleted the feature/security-kibana_system-synthetics-delete branch April 20, 2022 14:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@azasypkin azasypkin azasypkin left review comments

@joshdover joshdover joshdover approved these changes

@emilioalvap emilioalvap Awaiting requested review from emilioalvap

Assignees
No one assigned
Labels
>enhancement external-contributor Pull request authored by a developer outside the Elasticsearch team :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team v8.3.0
Projects
None yet
Milestone
No milestone
6 participants
@dominiqueclarke @elasticmachine @ywangd @azasypkin @joshdover @elasticsearchmachine