
Do not check for alias when setup.ilm.check_exists is false #13848

Merged (3 commits), Oct 3, 2019

Conversation

cwurm
Contributor

@cwurm cwurm commented Sep 30, 2019

Currently, setting setup.ilm.check_exists to false only turns off checking if the ILM policy exists (GET _ilm/policy/{name}).

This would expand that to also turn off checking if an alias exists (GET _alias/{name}).

The advantage would be that with setup.ilm.check_exists set to false the view_index_metadata privilege would no longer be required, leaving the monitor cluster privilege and the create index privileges as the only privileges that are always required to publish data from Beats.

Instead of changing the behavior of setup.ilm.check_exists we could also introduce a new configuration option. I like keeping it simple though, so only a single change to the config file is necessary for minimal privileges.

This is one of three PRs to reduce the Beats privileges required in code and documentation:

  1. Use less restrictive API to check if template exists (Use less restrictive API to check if template exists #13847)
  2. Do not check for alias when setup.ilm.check_exists is false (this PR)
  3. Docs: Update writer role with least required privileges (Docs: Update writer role with least required privileges #13849)

Relates: #10241
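To illustrate the gating this PR describes, here is an added example (not libbeat's code) with a constructed recording client: `setupILM` issues `GET _ilm/policy/{name}` and `GET _alias/{name}` only when `check_exists` is true, so a run with the flag set to false can be verified to make no metadata reads that would need view_index_metadata. The function names, the index name and the PUT fallbacks are assumptions for the demonstration.

```go
package main

import "fmt"

// Request records one Elasticsearch API call made during setup.
type Request struct{ Method, Path string }

// recordingClient is a constructed stand-in for an ES client: it does no I/O,
// only records what would be sent, and answers "exists" for every GET.
type recordingClient struct{ sent []Request }

func (c *recordingClient) do(method, path string) bool {
	c.sent = append(c.sent, Request{method, path})
	return method == "GET" // pretend every checked resource already exists
}

// setupILM models the behaviour described in the PR (hypothetical, not libbeat's):
// with checkExists=false neither the policy nor the alias is looked up, so the
// caller never needs view_index_metadata for GET _alias/{name}.
func setupILM(c *recordingClient, name string, checkExists bool) {
	if !checkExists {
		return // assume policy and alias exist; nothing is read or written
	}
	if !c.do("GET", "/_ilm/policy/"+name) {
		c.do("PUT", "/_ilm/policy/"+name) // assumed fallback: create the policy
	}
	if !c.do("GET", "/_alias/"+name) {
		c.do("PUT", "/"+name+"-000001") // assumed fallback: first index carrying the alias
	}
}

// requestsFor returns the calls one setup run with the given setting would issue.
func requestsFor(checkExists bool) []Request {
	c := &recordingClient{}
	setupILM(c, "filebeat", checkExists) // "filebeat" is a constructed name
	return c.sent
}

func main() {
	for _, v := range []bool{true, false} {
		fmt.Printf("setup.ilm.check_exists=%v -> %v\n", v, requestsFor(v))
	}
}
```

Pointing a recording or proxying client like this at a real deployment is a cheap way to confirm which Elasticsearch endpoints a given Beats configuration actually touches before trimming a role to least privilege.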

@cwurm cwurm added the libbeat label Sep 30, 2019
@cwurm cwurm requested a review from urso September 30, 2019 10:08
@cwurm cwurm force-pushed the ilm_check_exists_expand branch from 16909a1 to 2ece894 October 2, 2019 11:03
@cwurm cwurm force-pushed the ilm_check_exists_expand branch from 2ece894 to 7709689 October 3, 2019 08:41
@cwurm cwurm merged commit 7f4c584 into elastic:master Oct 3, 2019
@cwurm cwurm deleted the ilm_check_exists_expand branch October 3, 2019 10:53
cwurm pushed a commit that referenced this pull request Oct 14, 2019
Updates the writer role documentation based on #13847 and #13848. Also corrects some mistakes.
1. Changes `read from` to the correct `write to` (Beats does not read from indices).
2. Setting `setup.template.enabled` to `false` is no longer necessary after #13847.
3. Setting `setup.ilm.overwrite` to `false` is unnecessary if `setup.ilm.check_exists` is already `false` (even today).
4. Adds a note about only `monitor` and `create_doc` being always necessary, explicitly calling out the most secure configuration (following #13847 and #13848).
5. Corrects what `monitor` is for: It's for checking things like cluster version and license, not "sending monitor info".
6. Replaces `manage_pipeline` with the read-only `cluster:admin/ingest/pipeline/get`. Unfortunately, there is no read-only cluster role for pipelines, so it requires this privilege. But better than the very permissive `manage_pipeline` that allows changing any pipeline.
7. Changes `index` to the more restrictive, append-only `create_doc` (introduced in elastic/elasticsearch#45806).
@urso urso added the v7.5.0 label Oct 22, 2019