Skip to content

[Fleet] added privileges to write metrics-fleet_server* #100574

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 10, 2023
Merged

[Fleet] added privileges to write metrics-fleet_server* #100574

merged 1 commit into from
Oct 10, 2023

Conversation

@juliaElastic
Copy link
Contributor

@juliaElastic juliaElastic commented Oct 10, 2023
edited
Loading

  • Have you signed the contributor license agreement? yes
  • Have you followed the contributor guidelines? yes
  • If submitting code, have you built your formula locally prior to submission with gradle check? yes
  • If submitting code, is your pull request against main? Unless there is a good reason otherwise, we prefer pull requests against main and will backport as needed. yes
  • If submitting code, have you checked that your submission is for an OS and architecture that we support? yes
  • If you are submitting this code for a class then read our policy for that.

Required for elastic/kibana#168435 to allow kibana task to write agent metrics to metrics-fleet_server* data streams that will be installed by fleet-server integration.
@juliaElastic juliaElastic self-assigned this Oct 10, 2023
@elasticsearchmachine elasticsearchmachine added v8.12.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Oct 10, 2023
@juliaElastic juliaElastic marked this pull request as ready for review October 10, 2023 09:09
@juliaElastic juliaElastic requested a review from a team as a code owner October 10, 2023 09:09
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Oct 10, 2023
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Oct 10, 2023

Pinging @elastic/es-core-infra (Team:Core/Infra)
juliaElastic
juliaElastic commented Oct 10, 2023
View reviewed changes
...va/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
// Fleet telemetry queries Agent Logs indices in kibana task runner
RoleDescriptor.IndicesPrivileges.builder().indices("logs-elastic_agent*").privileges("read").build(),
// Fleet publishes Agent metrics in kibana task runner
RoleDescriptor.IndicesPrivileges.builder().indices("metrics-fleet_server*").privileges("auto_configure", "write").build(),
Copy link
Contributor Author

@juliaElastic juliaElastic Oct 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

write to allow creating documents
auto_configure to allow creation of index when creating documents if doesn't exist
@kc13greiner kc13greiner self-requested a review October 10, 2023 12:38
kc13greiner
kc13greiner approved these changes Oct 10, 2023
View reviewed changes
Copy link
Contributor

@kc13greiner kc13greiner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

++LGTM; metrics-*-* are part of Fleet's data indexes for which kibana_system should be allowed elevated privileges and this pattern is appropriately listed in the docs as a potential collision pattern.
@juliaElastic juliaElastic merged commit d923414 into elastic:main Oct 10, 2023
@juliaElastic juliaElastic mentioned this pull request Oct 11, 2023
Merged
This was referenced Nov 21, 2023
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

:Core/Infra/Plugins Plugin API and infrastructure external-contributor Pull request authored by a developer outside the Elasticsearch team >non-issue Team:Core/Infra Meta label for core/infra team Team:Fleet v8.12.0

3 participants

@juliaElastic @elasticsearchmachine @kc13greiner