From 1de384970bc6d9414296f7f917385f246ec903e7 Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Wed, 5 Jun 2019 15:33:16 -0700 Subject: [PATCH 01/10] docs: add APM xpack users and roles --- libbeat/docs/security/users.asciidoc | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/libbeat/docs/security/users.asciidoc b/libbeat/docs/security/users.asciidoc index 92c424c20b9f..029ad23d158b 100644 --- a/libbeat/docs/security/users.asciidoc +++ b/libbeat/docs/security/users.asciidoc @@ -106,6 +106,7 @@ need to perform: |==== |Task | Required privileges and roles +ifndef::apm-server[] .3+|Send data to a secured cluster without index lifecycle management |`monitor` on cluster ifeval::["{beatname_lc}"=="filebeat"] @@ -114,11 +115,20 @@ endif::[] |`create_index` and `index` on +{beat_default_index_prefix}-*+ indices |also requires privileges to <> unless you've disabled automatic template loading +endif::apm-server[] + +ifdef::apm-server[] +.2+|Send data to a secured cluster without index lifecycle management +|`manage_index_templates` and `monitor` on cluster +|`create_index` and `write` on +{beat_default_index_prefix}-*+ indices +endif::apm-server[] .2+|Send data to a secured cluster that supports index lifecycle management -|`manage_index_templates`,`manage_ilm` footnote:[Use `read_ilm` instead of -`manage_ilm` if you pre-loaded the lifecycle policy], and `monitor` -on cluster +|`manage_index_templates`, `manage_ilm` +ifndef::apm-server[] +footnote:[Use `read_ilm` instead of `manage_ilm` if you pre-loaded the lifecycle policy] +endif::apm-server[] +, and `monitor` on cluster ifeval::["{beatname_lc}"=="filebeat"] (and `manage_pipeline` if {beatname_uc} modules are used) endif::[] @@ -153,6 +163,7 @@ perform: |==== |Task | Required privileges and roles +ifndef::no_dashboards[] .2+|View {beatname_uc} dashboards |`read` on +{beat_default_index_prefix}-*+ indices |`kibana_dashboard_only_user` role @@ -160,6 +171,12 @@ perform: .2+|View and edit {beatname_uc} dashboards |`read` on +{beat_default_index_prefix}-*+ indices |`kibana_user` role +endif::no_dashboards[] + +ifdef::apm-server[] +|Use the APM UI +|`kibana_user` and `apm_user` roles +endif::apm-server[] ifdef::has_central_config[] .2+|Create and manage configurations in Beats central management From 81efb5e7c7e76c9b19e0fa75af27dfd79eff6860 Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Wed, 5 Jun 2019 15:47:00 -0700 Subject: [PATCH 02/10] add apm ifndef for ilm --- libbeat/docs/command-reference.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libbeat/docs/command-reference.asciidoc b/libbeat/docs/command-reference.asciidoc index 6f6f0806ba23..e27e5fa6d8b5 100644 --- a/libbeat/docs/command-reference.asciidoc +++ b/libbeat/docs/command-reference.asciidoc @@ -196,9 +196,11 @@ endif::no_dashboards[] Exports the index template to stdout. You can specify the `--es.version` and `--index` flags to further define what gets exported. +ifndef::apm-server[] [[ilm-policy-subcommand]] *`ilm-policy`*:: Exports ILM policy to stdout. +endif::apm-server[] *FLAGS* From df739e9dac2430384b6827e5be8dd95efcf8cf70 Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Wed, 5 Jun 2019 15:47:12 -0700 Subject: [PATCH 03/10] change xpack.monitoring to monitoring --- libbeat/docs/monitoring/monitoring-beats.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libbeat/docs/monitoring/monitoring-beats.asciidoc b/libbeat/docs/monitoring/monitoring-beats.asciidoc index 2015d9719039..c750eefbea58 100644 --- a/libbeat/docs/monitoring/monitoring-beats.asciidoc +++ b/libbeat/docs/monitoring/monitoring-beats.asciidoc @@ -40,7 +40,7 @@ the same {es} cluster, specify the following minimal configuration: -- ["source","yml",subs="attributes"] -------------------- -xpack.monitoring: +monitoring: enabled: true elasticsearch: username: {beat_monitoring_user} From 4ecc712871b1e49172e556f81eda3115b0c251cb Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Fri, 7 Jun 2019 10:18:59 -0700 Subject: [PATCH 04/10] feedback from reviewers --- libbeat/docs/security/basic-auth.asciidoc | 2 ++ libbeat/docs/security/users.asciidoc | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/libbeat/docs/security/basic-auth.asciidoc b/libbeat/docs/security/basic-auth.asciidoc index fa7ac9de12ca..02f276f17d3c 100644 --- a/libbeat/docs/security/basic-auth.asciidoc +++ b/libbeat/docs/security/basic-auth.asciidoc @@ -27,6 +27,7 @@ output.elasticsearch: <2> The example shows a hard-coded password, but you should store sensitive values in the <>. -- +ifndef::apm-server[] + If you've configured the {kib} endpoint, also specify credentials for authenticating with {kib}. For example: @@ -39,6 +40,7 @@ setup.kibana: password: "{pwd}" ---- <1> Let's assume this user has the privileges required to set up dashboards. +endif::apm-server[] * To use Public Key Infrastructure (PKI) certificates to authenticate users, configure the `certificate` and `key` settings. These settings assume that the diff --git a/libbeat/docs/security/users.asciidoc b/libbeat/docs/security/users.asciidoc index 029ad23d158b..4ab00c333594 100644 --- a/libbeat/docs/security/users.asciidoc +++ b/libbeat/docs/security/users.asciidoc @@ -62,6 +62,12 @@ ifeval::["{beatname_lc}"=="filebeat"] |`ingest_admin` role endif::[] +ifdef::apm-server[] +.2+|Set up ingest pipelines +|`monitor` on cluster +|`ingest_admin` role +endif::apm-server[] + .2+|Set up index lifecycle policies |`manage_ilm`, `manage_index_templates`, and `monitor` on cluster |`manage` on +{beat_default_index_prefix}-*+ indices From 1a850674b8e0d56d8362d9a9786c8ce669177cff Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Tue, 11 Jun 2019 10:02:46 -0700 Subject: [PATCH 05/10] remove manage_index_templates from ingest --- libbeat/docs/security/users.asciidoc | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/libbeat/docs/security/users.asciidoc b/libbeat/docs/security/users.asciidoc index 4ab00c333594..26af97deffca 100644 --- a/libbeat/docs/security/users.asciidoc +++ b/libbeat/docs/security/users.asciidoc @@ -121,24 +121,30 @@ endif::[] |`create_index` and `index` on +{beat_default_index_prefix}-*+ indices |also requires privileges to <> unless you've disabled automatic template loading -endif::apm-server[] - -ifdef::apm-server[] -.2+|Send data to a secured cluster without index lifecycle management -|`manage_index_templates` and `monitor` on cluster -|`create_index` and `write` on +{beat_default_index_prefix}-*+ indices -endif::apm-server[] .2+|Send data to a secured cluster that supports index lifecycle management |`manage_index_templates`, `manage_ilm` -ifndef::apm-server[] footnote:[Use `read_ilm` instead of `manage_ilm` if you pre-loaded the lifecycle policy] -endif::apm-server[] , and `monitor` on cluster ifeval::["{beatname_lc}"=="filebeat"] (and `manage_pipeline` if {beatname_uc} modules are used) endif::[] | `index` and `manage` on +{beat_default_index_prefix}-*+ indices +endif::apm-server[] + +ifdef::apm-server[] +.2+|Send data to a secured cluster without index lifecycle management +|`monitor` on cluster +|`create_index` and `write` on +{beat_default_index_prefix}-*+ indices +|also requires privileges to <> +unless you've disabled automatic template loading: `setup.template.enabled=false` + +.2+|Send data to a secured cluster that supports index lifecycle management +|`manage_ilm` and `monitor` on cluster +| `index` and `manage` on +{beat_default_index_prefix}-*+ indices +|also requires privileges to <> +unless you've disabled automatic template loading: `setup.template.enabled=false` +endif::apm-server[] ifdef::has_central_config[] .2+|Read configurations from Beats central management From 647d4dfcacfae106cb3bb006475004c08851bf3a Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Tue, 11 Jun 2019 10:04:57 -0700 Subject: [PATCH 06/10] diff cleanup --- libbeat/docs/security/users.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libbeat/docs/security/users.asciidoc b/libbeat/docs/security/users.asciidoc index 26af97deffca..51b799df3f00 100644 --- a/libbeat/docs/security/users.asciidoc +++ b/libbeat/docs/security/users.asciidoc @@ -123,9 +123,9 @@ endif::[] unless you've disabled automatic template loading .2+|Send data to a secured cluster that supports index lifecycle management -|`manage_index_templates`, `manage_ilm` -footnote:[Use `read_ilm` instead of `manage_ilm` if you pre-loaded the lifecycle policy] -, and `monitor` on cluster +|`manage_index_templates`, `manage_ilm` footnote:[Use `read_ilm` instead of +`manage_ilm` if you pre-loaded the lifecycle policy], and `monitor` +on cluster ifeval::["{beatname_lc}"=="filebeat"] (and `manage_pipeline` if {beatname_uc} modules are used) endif::[] From 0153e57103188fa4cd12aae24dcd66863c71989b Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Tue, 11 Jun 2019 12:52:43 -0700 Subject: [PATCH 07/10] docs: persist APM cloud bug fix --- libbeat/docs/outputconfig.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libbeat/docs/outputconfig.asciidoc b/libbeat/docs/outputconfig.asciidoc index ad5de7eb79fb..47950809a9f5 100644 --- a/libbeat/docs/outputconfig.asciidoc +++ b/libbeat/docs/outputconfig.asciidoc @@ -1569,7 +1569,9 @@ endif::[] ifdef::apm-server[] NOTE: This page refers to using a separate instance of APM Server with an existing Elasticsearch Service deployment. -APM Server is not yet supported on Elasticsearch Service. +If you want to use APM on Elastic Cloud, see the cloud docs: +{cloud}/ec-create-deployment.html[Create your deployment] or +{cloud}/ec-manage-apm-settings.html[Add APM user settings]. endif::apm-server[] {beatname_uc} comes with two settings that simplify the output configuration From 09186c2b9982b7a1384f51b2f87154f5ccf0adc9 Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Tue, 11 Jun 2019 13:34:06 -0700 Subject: [PATCH 08/10] docs: add ESS link --- libbeat/docs/outputconfig.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libbeat/docs/outputconfig.asciidoc b/libbeat/docs/outputconfig.asciidoc index 47950809a9f5..cca94b9d07cd 100644 --- a/libbeat/docs/outputconfig.asciidoc +++ b/libbeat/docs/outputconfig.asciidoc @@ -1568,7 +1568,8 @@ endif::[] ++++ ifdef::apm-server[] -NOTE: This page refers to using a separate instance of APM Server with an existing Elasticsearch Service deployment. +NOTE: This page refers to using a separate instance of APM Server with an existing +https://www.elastic.co/cloud/elasticsearch-service[Elasticsearch Service deployment]. If you want to use APM on Elastic Cloud, see the cloud docs: {cloud}/ec-create-deployment.html[Create your deployment] or {cloud}/ec-manage-apm-settings.html[Add APM user settings]. From 20f0148d2887be5668f95cf813487d9169b3767f Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Wed, 12 Jun 2019 10:15:59 -0700 Subject: [PATCH 09/10] fix bug in apm table --- libbeat/docs/security/users.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libbeat/docs/security/users.asciidoc b/libbeat/docs/security/users.asciidoc index 51b799df3f00..6f00c293717e 100644 --- a/libbeat/docs/security/users.asciidoc +++ b/libbeat/docs/security/users.asciidoc @@ -133,13 +133,13 @@ endif::[] endif::apm-server[] ifdef::apm-server[] -.2+|Send data to a secured cluster without index lifecycle management +.3+|Send data to a secured cluster without index lifecycle management |`monitor` on cluster |`create_index` and `write` on +{beat_default_index_prefix}-*+ indices |also requires privileges to <> unless you've disabled automatic template loading: `setup.template.enabled=false` -.2+|Send data to a secured cluster that supports index lifecycle management +.3+|Send data to a secured cluster that supports index lifecycle management |`manage_ilm` and `monitor` on cluster | `index` and `manage` on +{beat_default_index_prefix}-*+ indices |also requires privileges to <> From 72f854bd148b5b145ddc431f335931719be6178b Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Wed, 12 Jun 2019 10:48:17 -0700 Subject: [PATCH 10/10] change no_dashboards to apm-server --- libbeat/docs/security/users.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libbeat/docs/security/users.asciidoc b/libbeat/docs/security/users.asciidoc index 6f00c293717e..ab2e1b22f966 100644 --- a/libbeat/docs/security/users.asciidoc +++ b/libbeat/docs/security/users.asciidoc @@ -175,7 +175,7 @@ perform: |==== |Task | Required privileges and roles -ifndef::no_dashboards[] +ifndef::apm-server[] .2+|View {beatname_uc} dashboards |`read` on +{beat_default_index_prefix}-*+ indices |`kibana_dashboard_only_user` role @@ -183,7 +183,7 @@ ifndef::no_dashboards[] .2+|View and edit {beatname_uc} dashboards |`read` on +{beat_default_index_prefix}-*+ indices |`kibana_user` role -endif::no_dashboards[] +endif::apm-server[] ifdef::apm-server[] |Use the APM UI