Skip to content

Commit

Permalink
Add delete privilege to kibana_system for APM and Endpoint ILM polici…
Browse files Browse the repository at this point in the history
…es (#81811) (#81873)

Co-authored-by: Elastic Machine <[email protected]>
  • Loading branch information
joshdover and elasticmachine authored Jan 4, 2022
1 parent 9961784 commit 1f1063b
Show file tree
Hide file tree
Showing 2 changed files with 38 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
import org.elasticsearch.action.admin.cluster.remote.RemoteInfoAction;
import org.elasticsearch.action.admin.cluster.repositories.get.GetRepositoriesAction;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesAction;
import org.elasticsearch.action.admin.indices.delete.DeleteIndexAction;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingAction;
import org.elasticsearch.action.admin.indices.rollover.RolloverAction;
import org.elasticsearch.action.admin.indices.settings.put.UpdateSettingsAction;
Expand Down Expand Up @@ -697,6 +698,11 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
)
.privileges(UpdateSettingsAction.NAME, PutMappingAction.NAME, RolloverAction.NAME)
.build(),
// For ILM policy for APM & Endpoint packages that have delete action
RoleDescriptor.IndicesPrivileges.builder()
.indices(".logs-endpoint.diagnostic.collection-*", "traces-apm.sampled-*")
.privileges(DeleteIndexAction.NAME)
.build(),
// For src/dest indices of the Endpoint package that ships a transform
RoleDescriptor.IndicesPrivileges.builder()
.indices("metrics-endpoint.metadata*")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -551,7 +551,6 @@ public void testKibanaSystemRole() {
Arrays.asList(".logs-endpoint.diagnostic.collection-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((index) -> {
assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(mockIndexAbstraction(index)), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(mockIndexAbstraction(index)), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
Expand All @@ -565,6 +564,8 @@ public void testKibanaSystemRole() {
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(mockIndexAbstraction(index)), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(PutMappingAction.NAME).test(mockIndexAbstraction(index)), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(mockIndexAbstraction(index)), is(true));
// Privileges needed for installing current ILM policy with delete action
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(mockIndexAbstraction(index)), is(true));
});

Arrays.asList(
Expand Down Expand Up @@ -708,7 +709,6 @@ public void testKibanaSystemRole() {
assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(indexAbstraction), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(indexAbstraction), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateDataStreamAction.NAME).test(indexAbstraction), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(indexAbstraction), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(indexAbstraction), is(false));

Expand All @@ -717,6 +717,11 @@ public void testKibanaSystemRole() {
assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));
assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));
assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));

// Endpoint diagnostic and sampled traces data streams also have an ILM policy with a delete action, all others should not.
final boolean isAlsoIlmDeleteIndex = indexName.startsWith(".logs-endpoint.diagnostic.collection-")
|| indexName.startsWith("traces-apm.sampled-");
assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(isAlsoIlmDeleteIndex));
});

// 4. Transform for endpoint package
Expand Down Expand Up @@ -782,6 +787,31 @@ public void testKibanaSystemRole() {
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(false));
assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(false));
});

// Ensure privileges necessary for ILM policies in APM & Endpoint packages
Arrays.asList(
"metrics-apm.app-" + randomAlphaOfLengthBetween(3, 8),
"metrics-apm.internal-" + randomAlphaOfLengthBetween(3, 8),
"metrics-apm.profiling-" + randomAlphaOfLengthBetween(3, 8),
"logs-apm.error_logs-" + randomAlphaOfLengthBetween(3, 8),
"traces-apm-" + randomAlphaOfLengthBetween(3, 8)
).forEach(indexName -> {
logger.info("index name [{}]", indexName);
final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);

assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
});
Arrays.asList(
".logs-endpoint.diagnostic.collection-" + randomAlphaOfLengthBetween(3, 8),
"traces-apm.sampled-" + randomAlphaOfLengthBetween(3, 8)
).forEach(indexName -> {
logger.info("index name [{}]", indexName);
final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);

assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
});
}

public void testKibanaAdminRole() {
Expand Down

0 comments on commit 1f1063b

Please sign in to comment.