[Security Solution] Add create_index to kibana_system role for Elastic Defend indices #115241
Conversation
…action.responses-*`
paul-tavares added >enhancement :Security/Authorization 
elasticsearchmachine added v9.0.0 external-contributor 
| Hi @paul-tavares, I've created a changelog YAML for you. |
…te-kibana-system-role-for-response-actions
…tem-role-for-response-actions' into task/olm-10840-update-kibana-system-role-for-response-actions
paul-tavares changed the title create_index to kibana_system role for index/DS .logs-endpoint.action.responses-*create_index to kibana_system role for Elastic Defend indices | Pinging @elastic/es-security (Team:Security) |
| // telemetry | ||
| RoleDescriptor.IndicesPrivileges.builder().indices(".logs-endpoint.diagnostic.collection-*").privileges("read").build(), | ||
| // telemetry and also creates the index when policies are first created | ||
| RoleDescriptor.IndicesPrivileges.builder() |
There was a problem hiding this comment.
Heya @paul-tavares
Question: It looks like the kibana_system user has had read access for a bit, can you provide any context as to why it needs to create these indexes now?
There was a problem hiding this comment.
Thanks @kc13greiner for looking at this PR.
This change is necessary in order to address the issues found last week when an attempt was made (and later backed out) to restrict DOT indices for serverless. I have updated the description of this PR to more clearly state the need for the changes, which I will include here now:
This change is required in support of restricting DOT indexes from being created by non-privileged users. Up until now, when the Elastic Defend package is installed via Fleet, the Datastream templates for a few DOT prefixed indices are installed. The indexes are then created the first time the Elastic Defend integration executable (running on host machines) streams it first document - which under the restriction (in serverless) the Elastic Defend executable will no longer be given privileges to do. The alternative is to have Kibana create the indexes prior to the endpoint streaming any documents to elastic search.
Let me know if you have any other questions...
(now: on to figure out whats wrong with the failing test... I may need some help there... 😁 )
There was a problem hiding this comment.
Thank you for the information!
…te-kibana-system-role-for-response-actions
…te-kibana-system-role-for-response-actions
…te-kibana-system-role-for-response-actions
| Ok. Finally the build is 🟢 . Ready for review |
There was a problem hiding this comment.
In general, we do not like to allowkibana_system anything other than read on system indices, but there are exceptions! (2/3 of the amended index privileges already have write and auto-configure). A restriction in serverless is definitely a good reason for an exception.
Thank you for the information - LGTM!
paul-tavares deleted the task/olm-10840-update-kibana-system-role-for-response-actions branch | Hey @kc13greiner - Do I need to tag this PR with anything so that it:
Also, thanks for your help and time on this. |
| Im not sure 😅 let's check with @elastic/es-security, do you know how the flow works? |
…astic Defend indices (elastic#115241) Adds create_index privilege to the kibana_system role for Elastic Defend internal indices Indices: ``` .logs-endpoint.heartbeat-* .logs-endpoint.diagnostic.collection-* .logs-endpoint.action.responses-* ```
…astic Defend indices (elastic#115241) Adds create_index privilege to the kibana_system role for Elastic Defend internal indices Indices: ``` .logs-endpoint.heartbeat-* .logs-endpoint.diagnostic.collection-* .logs-endpoint.action.responses-* ```
…astic Defend indices (elastic#115241) Adds create_index privilege to the kibana_system role for Elastic Defend internal indices Indices: ``` .logs-endpoint.heartbeat-* .logs-endpoint.diagnostic.collection-* .logs-endpoint.action.responses-* ```
3 participants
Description
Adds
create_indexprivilege to thekibana_systemrole for the following indices:.logs-endpoint.heartbeat-*.logs-endpoint.diagnostic.collection-*.logs-endpoint.action.responses-*This change is required in support of restricting DOT indexes from being created by non-privileged users. Up until now, when the Elastic Defend package is installed via Fleet, the Datastream templates for a few DOT prefixed indices are installed. The indexes are then created the first time the Elastic Defend integration executable (running on host machines) streams it first document - which under the restriction (in serverless) the Elastic Defend executable will no longer be given privileges to do. The alternative is to have Kibana create the indexes prior to the endpoint streaming any documents to elastic search.