From a786add627419b3820e4f8de9c14198dc93c724e Mon Sep 17 00:00:00 2001 From: Josh Dover <1813008+joshdover@users.noreply.github.com> Date: Wed, 3 Nov 2021 01:11:20 +0100 Subject: [PATCH] Allow kibana_system to upgrade endpoint hidden indices (#80140) (#80235) Following hidden indices that are included in the Endpoint package cannot be upgraded by kibana_system without these privileges: .logs-endpoint.action.responses-* .logs-endpoint.diagnostic.collection-* .logs-endpoint.actions-* Fixes elastic/kibana#116396 --- .../authz/store/ReservedRolesStore.java | 12 +++++++++-- .../authz/store/ReservedRolesStoreTests.java | 21 ++++++++++++++----- 2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index ff89b1bb49e6e..f2053f0917631 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -684,9 +684,17 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
 RoleDescriptor.IndicesPrivileges.builder().indices("metrics-endpoint.policy-*").privileges("read").build(),
 // Endpoint metrics. Kibana requires read access to send telemetry
 RoleDescriptor.IndicesPrivileges.builder().indices("metrics-endpoint.metrics-*").privileges("read").build(),
- // Fleet package upgrade
+ // Fleet package install and upgrade
 RoleDescriptor.IndicesPrivileges.builder()
- .indices("logs-*", "synthetics-*", "traces-*", "/metrics-.*&~(metrics-endpoint\\.metadata_current_default)/")
+ .indices(
+ "logs-*",
+ "synthetics-*",
+ "traces-*",
+ "/metrics-.*&~(metrics-endpoint\\.metadata_current_default)/",
+ ".logs-endpoint.action.responses-*",
+ ".logs-endpoint.diagnostic.collection-*",
+ ".logs-endpoint.actions-*"
+ )
 .privileges(UpdateSettingsAction.NAME, PutMappingAction.NAME, RolloverAction.NAME)
 .build(),
 // For src/dest indices of the Endpoint package that ships a transform
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 769f3939a9cf8..dbae5dd7aaa4b 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
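Review bot: The renamed comment on the "Fleet package install and upgrade" entry still does not explain the non-obvious part of this grant: the three `.logs-endpoint.*` names begin with a dot, so the existing `logs-*` glob can never match them, and they have to be listed explicitly to receive the same privileges. I would extend the comment to `// Fleet package install and upgrade. The dot-prefixed Endpoint indices are hidden and are not matched by "logs-*", so they are listed explicitly; this grants only settings/mapping/rollover, not document read or write.` Note that `UpdateSettingsAction.NAME` presumably covers any dynamic index setting on the action and action-response indices, so these prefix globs should stay as narrow as the package actually needs rather than widening to `.logs-endpoint.*`. `kibanaSystemRoleDescriptor` continues beyond this hunk.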
@@ -556,11 +556,15 @@ public void testKibanaSystemRole() {
 assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(mockIndexAbstraction(index)), is(false));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(mockIndexAbstraction(index)), is(false));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(mockIndexAbstraction(index)), is(true));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(mockIndexAbstraction(index)), is(true));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(mockIndexAbstraction(index)), is(true));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(mockIndexAbstraction(index)), is(false));
+
+ // Privileges needed for Fleet package upgrades
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(mockIndexAbstraction(index)), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(PutMappingAction.NAME).test(mockIndexAbstraction(index)), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(mockIndexAbstraction(index)), is(true));
 });

 Arrays.asList(
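Review bot: The three new positive assertions prove the upgrade privileges are granted for this index group, but the visible negative assertions never check `DeleteIndexAction`, which the later block at line 703 does check; now that the role holds index-management actions here, the test should pin that deleting the index is still denied, e.g. `assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(mockIndexAbstraction(index)), is(false));` placed next to the `CreateIndexAction` check, unless it is already asserted above the hunk. The loop that binds `index` starts before this hunk, so which index names receive these expectations cannot be confirmed from here; the `SearchAction`/`GetAction` `is(true)` lines suggest it is a group that also has read access.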
@@ -682,7 +686,11 @@ public void testKibanaSystemRole() {
 "logs-" + randomAlphaOfLengthBetween(3, 8),
 "metrics-" + randomAlphaOfLengthBetween(3, 8),
 "synthetics-" + randomAlphaOfLengthBetween(3, 8),
- "traces-" + randomAlphaOfLengthBetween(3, 8)
+ "traces-" + randomAlphaOfLengthBetween(3, 8),
+ // Hidden data indices for endpoint package
+ ".logs-endpoint.action.responses-" + randomAlphaOfLengthBetween(3, 8),
+ ".logs-endpoint.diagnostic.collection-" + randomAlphaOfLengthBetween(3, 8),
+ ".logs-endpoint.actions-" + randomAlphaOfLengthBetween(3, 8)
 ).forEach(indexName -> {
 logger.info("index name [{}]", indexName);
 final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
@@ -703,9 +711,12 @@ public void testKibanaSystemRole() {
 assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(false));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(indexAbstraction), is(false));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(indexAbstraction), is(false));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(indexAbstraction), is(false));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(indexAbstraction), is(false));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(indexAbstraction), is(false));
+
+ // Endpoint diagnostic data stream also has read access, all others should not.
+ final boolean isAlsoReadIndex = indexName.startsWith(".logs-endpoint.diagnostic.collection-");
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));
 });

 // 4. Transform for endpoint package
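Review bot: The `isAlsoReadIndex` expectation encodes a read grant on `.logs-endpoint.diagnostic.collection-*` that this diff does not add, so the test now silently depends on a separate role entry, and the comment should say so rather than just asserting the fact: `// .logs-endpoint.diagnostic.collection-* is additionally covered by a separate read grant in the role; every other name in this list must remain read-denied.` Turning three fixed `is(false)` checks into a name-derived boolean also makes the read-denial for `logs-*`, `metrics-*`, `synthetics-*`, `traces-*` and the two action indices implicit; keeping the diagnostic index in its own list with explicit `is(true)` assertions would read more directly, though this is a style preference. The `forEach(indexName -> {` lambda these lines belong to opens in the previous hunk, outside this one.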