Support "remote_cluster" in ES role definition #182035
Comments
Pinging @elastic/kibana-security (Team:Security)
@jakelandis thanks for opening this. Is the Get builtin privileges API updated to reflect this new set of privileges? If not, can it be updated to support a new
That API lists all the index or cluster privileges. "remote_cluster" is not a new privilege. Rather it is a new way to express existing cluster privileges for named remote clusters. Since there are not any new privileges, no need for that API to get an update.
This API primarily exists in order to power the dropdown controls on our role management UI. Having a dedicated property which describes the allowed privileges to assign to the The alternative is for us to hardcode the list of allowed remote cluster privileges in Kibana. History has proved that this will deviate over time from what ES expects, leading to regressions.
Ah... I see what you are asking for now. You want
So you can provide better support from the drop down box. ++ I can add that information to the API (but in a follow up to elastic/elasticsearch#107493). Will report back here when that is done (hopefully this week).
Yes, exactly - sorry for not being clearer in my original request. Thank you for taking a look!
@jakelandis is there an issue we can follow to track this request?
I logged an internal task: ES-8539
ES is adding a new object to the role definition via elastic/elasticsearch#107493. This new part of the role allows users to express the remote cluster level privileges allowed for different clusters when using the API key security model. This is the cluster level set of permissions to match the existing "remote_indices" index permissions.
The initial release will only allow for monitor_enrich since it is the only supported cross cluster privilege in use. It will be required when the query is sent over CCS, the query is written in ES|QL, the ES|QL query uses the ENRICH keyword, and the CCS security model is API key based (RCS 2.0). Note - ES|QL over CCS is still technical preview for 8.14.
All validation is done in ES and the expectation is for Kibana to add the new "remote_cluster" as part of the create/update/view role definition. The data model is as it appears where there is at most one root "remote_cluster" array of objects per role. There can be multiple (anonymous) objects in the array, and each object has 2 named arrays of strings. The inner "clusters" array is identical to the "clusters" array in "remote_indices" and the "privileges" array is simple strings, with validation of correctness handled by ES.
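
A client-side shape check for the "remote_cluster" block described above, as an added example that is not code from Kibana or Elasticsearch. The function names, the sample role bodies and the cluster alias are assumptions; the allowed privilege list is passed in rather than hardcoded, since the thread notes that a hardcoded list drifts from what ES expects, and ES remains the authoritative validator.

```typescript
// Added example: checks only the structure the issue describes, i.e. one root
// "remote_cluster" array of objects, each with "clusters" and "privileges" string arrays.
type RemoteClusterEntry = { clusters: string[]; privileges: string[] };

function isStringArray(value: unknown): value is string[] {
  return Array.isArray(value) && value.every((item) => typeof item === "string");
}

// Returns a list of problems; an empty list means the block has the expected shape.
// allowedPrivileges is supplied by the caller (hypothetical: whatever ES reports).
function checkRemoteCluster(role: Record<string, unknown>, allowedPrivileges: string[]): string[] {
  const problems: string[] = [];
  const block = role["remote_cluster"];
  if (block === undefined) return problems; // a role may omit the block entirely
  if (!Array.isArray(block)) {
    return ['"remote_cluster" must be an array of objects'];
  }
  block.forEach((entry: unknown, i: number) => {
    if (typeof entry !== "object" || entry === null || Array.isArray(entry)) {
      problems.push(`remote_cluster[${i}] must be an object`);
      return;
    }
    const { clusters, privileges } = entry as Partial<RemoteClusterEntry>;
    if (!isStringArray(clusters)) {
      problems.push(`remote_cluster[${i}].clusters must be an array of strings`);
    }
    if (!isStringArray(privileges)) {
      problems.push(`remote_cluster[${i}].privileges must be an array of strings`);
      return;
    }
    for (const p of privileges) {
      // Flag early in the UI; ES still rejects anything it does not support.
      if (!allowedPrivileges.includes(p)) {
        problems.push(`remote_cluster[${i}].privileges: "${p}" is not in the allowed list`);
      }
    }
  });
  return problems;
}

// Constructed sample role bodies (the cluster alias is made up).
const goodRole = { remote_cluster: [{ clusters: ["my_remote*"], privileges: ["monitor_enrich"] }] };
const badRole = {
  remote_cluster: [{ clusters: ["my_remote*"], privileges: ["manage"] }, { clusters: "x" }],
};
```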