From eef0154d9f460b8d9d8ffcf0fe1dc4c426251feb Mon Sep 17 00:00:00 2001
From: Albert Zaharovits
Date: Mon, 15 Jun 2020 15:41:22 +0300
Subject: [PATCH] Add ILM policy PUT and GET for remote_monitoring_agent built-in role (#57963)
Without this fix, users who try to use Metricbeat for Stack Monitoring today see the following error repeatedly in their Metricbeat log. Due to this error Metricbeat is unwilling to proceed further and, thus, no Stack Monitoring data is indexed into the Elasticsearch cluster.
Co-authored-by: Shaunak Kashyap
---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 3 ++-
 .../core/security/authz/store/ReservedRolesStoreTests.java | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index da45dd96dea73..2e600d9bdb61e 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -70,9 +70,10 @@ private static Map initializeReservedRoles() {
 .put("remote_monitoring_agent", new RoleDescriptor("remote_monitoring_agent",
 new String[] {
 "manage_index_templates", "manage_ingest_pipelines", "monitor",
+ GetLifecycleAction.NAME, PutLifecycleAction.NAME,
 "cluster:monitor/xpack/watcher/watch/get",
 "cluster:admin/xpack/watcher/watch/put",
- "cluster:admin/xpack/watcher/watch/delete",
+ "cluster:admin/xpack/watcher/watch/delete"
 },
 new RoleDescriptor.IndicesPrivileges[] {
 RoleDescriptor.IndicesPrivileges.builder().indices(".monitoring-*").privileges("all").build(),
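Review bot: `PutLifecycleAction.NAME` in the `remote_monitoring_agent` cluster-privilege array is not limited to monitoring policies; cluster privileges are not scoped by policy name, so a credential stored on a Metricbeat host would presumably be able to create or overwrite any lifecycle policy in the cluster, including those governing retention of non-monitoring indices. If the agent only needs to install its own policy, that widening deserves an explicit justification next to the entry, e.g. `// ILM get/put required by Metricbeat's policy setup; NOTE: not restricted by policy name`. The dropped trailing comma on the `watch/delete` line is unrelated churn that enlarges the diff. `initializeReservedRoles()` begins and ends outside this hunk, so the rest of the role definition was not reviewed.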
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 6dc54f90ab041..2b45206845519 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -609,6 +609,9 @@ public void testRemoteMonitoringAgentRole() {
 assertThat(remoteMonitoringAgentRole.cluster().check(ActivateWatchAction.NAME, request, authentication), is(false));
 assertThat(remoteMonitoringAgentRole.cluster().check(WatcherServiceAction.NAME, request, authentication), is(false));
 assertThat(remoteMonitoringAgentRole.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false));
+ // ILM
+ assertThat(remoteMonitoringAgentRole.cluster().check(GetLifecycleAction.NAME, request, authentication), is(true));
+ assertThat(remoteMonitoringAgentRole.cluster().check(PutLifecycleAction.NAME, request, authentication), is(true));
 // we get this from the cluster:monitor privilege
 assertThat(remoteMonitoringAgentRole.cluster().check(WatcherStatsAction.NAME, request, authentication), is(true));
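Review bot: The new ILM assertions in `testRemoteMonitoringAgentRole()` only pin what is granted; nothing asserts that the remaining ILM cluster actions stay denied, unlike the watcher checks just above, which use `is(false)` for actions the role must not have. Adding a negative check such as `assertThat(remoteMonitoringAgentRole.cluster().check(DeleteLifecycleAction.NAME, request, authentication), is(false));` (plus its import) would catch a later change that widens the role beyond GET and PUT. The test method starts and ends outside this hunk, so such a check may already exist elsewhere in it.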