[Fleet] Allow kibana_system to put datastream lifecycle #97732
Conversation
@nchaulet please enable the option "Allow edits and access to secrets by maintainers" on your PR. For more information, see the documentation.
7765bb0 to fd139ee (…fleet-put-datastream-lifecycle)
Related kibana PR elastic/kibana#162078
Unfortunately the only description this PR has is "Work in progress". Just for the record and context, could you please explain in a bit more detail why "In Fleet we need to be able to update datastream lifecycle when we install/update a package" (considering that it wasn't necessary before)?
Otherwise, LGTM from Kibana point of view.
UpdateSettingsAction.NAME, | ||
PutMappingAction.NAME, | ||
RolloverAction.NAME, | ||
"indices:admin/data_stream/lifecycle/put" |
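Review bot: the fourth entry, "indices:admin/data_stream/lifecycle/put", is a string literal sitting next to three symbolic names (UpdateSettingsAction.NAME, PutMappingAction.NAME, RolloverAction.NAME), so a future rename of the action would leave this privilege pointing at nothing without any compile-time signal; if the action class cannot be imported into this module, define the literal once as a named constant in IndexPrivilege.java and add a unit test that asserts the constant equals the action's registered name, so drift is caught by the test suite rather than at runtime.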
nit: Can't you use PutDataStreamLifecycleAction.NAME to avoid hardcoding the string?
I tried to import PutDataStreamLifecycleAction here, but without success: Java was not compiling.
Got it, maybe ES team can guide on that then. In any case, it's not a big deal, just an optional nit.
The xpack core module/plugin doesn't have direct visibility to the dlm module/plugin which is why you can't reference the name directly. I would have a minor preference to put the action name in a variable in IndexPrivilege.java so that it is more centralized.
The core of the change here (adding the priv) seems fine to me, but @n1v0lg - can you take a look too? I don't remember the details of this feature you assisted with.
If .logs-endpoint.action.responses-* and the other indices with the leading dot are not system indices/system data streams, this change is fine as is. Otherwise, we'd have to update the internal user privileges here as well: https://github.com/elastic/elasticsearch/blob/main/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUsers.java#L133
@nchaulet could you confirm those are not system indices/system data streams? I don't think they are, since the privilege definition does not include allowRestrictedIndices, but just double-checking.
As far as the privilege itself goes, "indices:admin/data_stream/lifecycle/put" is fine -- there is also a named privilege manage_data_stream_lifecycle which grants access to the PUT, GET, and DELETE data stream lifecycle APIs. If only updating is required though, going with the specific action as you do works and is good in terms of least privilege.
The .logs-* are not system indices, just some hidden datastreams used by elastic agent and defined in integrations.
It seems we only need the PUT currently.
@azasypkin just updated the PR with a little more than "Work in progress"; to resume here, Fleet was not installing DLM before 8.10, so that is why it was not necessary before.
LGTM
Pinging @elastic/es-security (Team:Security)
@elasticmachine update branch
Hi @nchaulet, I've created a changelog YAML for you.
@nchaulet just a heads up: I added the missing labels (including
Description
In Fleet we need to be able to update datastream lifecycle when we install/update a package; that PR fixes that by allowing kibana_system to put datastream lifecycle.
Related kibana PR elastic/kibana#162078