From 936ad0bac1a1828a04bc9e62846ce32a11ff8bd4 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Mon, 15 Jun 2020 04:29:16 -0700 Subject: [PATCH] Add ILM policy PUT and GET for remote_monitoring_agent built-in role (#57963) Without this fix, users who try to use Metricbeat for Stack Monitoring today see the following error repeatedly in their Metricbeat log. Due to this error Metricbeat is unwilling to proceed further and, thus, no Stack Monitoring data is indexed into the Elasticsearch cluster. Co-authored-by: Albert Zaharovits --- .../xpack/core/security/authz/store/ReservedRolesStore.java | 3 ++- .../core/security/authz/store/ReservedRolesStoreTests.java | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index da45dd96dea73..2e600d9bdb61e 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -70,9 +70,10 @@ private static Map initializeReservedRoles() { .put("remote_monitoring_agent", new RoleDescriptor("remote_monitoring_agent", new String[] { "manage_index_templates", "manage_ingest_pipelines", "monitor", + GetLifecycleAction.NAME, PutLifecycleAction.NAME, "cluster:monitor/xpack/watcher/watch/get", "cluster:admin/xpack/watcher/watch/put", - "cluster:admin/xpack/watcher/watch/delete", + "cluster:admin/xpack/watcher/watch/delete" }, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder().indices(".monitoring-*").privileges("all").build(), diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 6dc54f90ab041..2b45206845519 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -609,6 +609,9 @@ public void testRemoteMonitoringAgentRole() { assertThat(remoteMonitoringAgentRole.cluster().check(ActivateWatchAction.NAME, request, authentication), is(false)); assertThat(remoteMonitoringAgentRole.cluster().check(WatcherServiceAction.NAME, request, authentication), is(false)); assertThat(remoteMonitoringAgentRole.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false)); + // ILM + assertThat(remoteMonitoringAgentRole.cluster().check(GetLifecycleAction.NAME, request, authentication), is(true)); + assertThat(remoteMonitoringAgentRole.cluster().check(PutLifecycleAction.NAME, request, authentication), is(true)); // we get this from the cluster:monitor privilege assertThat(remoteMonitoringAgentRole.cluster().check(WatcherStatsAction.NAME, request, authentication), is(true));