Support for (builtin) templated roles #38676
Comments
Pinging @elastic/es-security
As I was writing this up, it occurred to me that an alternative would be for this to be a UI convenience only, which would live in Kibana. That would mean we wouldn't offer a solution that's available through the ES API, but that might be OK.
APM could benefit from this too, as they are in a similar position: We are providing an APM reserved role with privileges against the
We will also need
This is really great because this info currently lives in docs, where updating / testing these roles isn't ideal. If we do add these roles it will be great if we can have QA tests that can validate that they actually work for a given product. Adding ILM, for instance, made the docs for beat responsibilities go out of date. CC @LeeDr
@andrewvc Yes, very important. I reported the ILM issue back on Dec 10th in Beats channel. But this templated roles is a new concept that certainly has some merit. Maybe the issue is that we don't let users modify the built-in roles. Maybe if they could make a copy of a role and modify it. That way we know they always have the built-in one with a fixed set of privs.
@LeeDr ++ to any built-in roles being immutable and parameterize-able somehow.
Suppose we have integration tests for a built-in role, using some default index pattern. If the user wishes to use a different index pattern, instead of documenting the permissions required for the new role that they should be creating, could we better document the workflow: For this to work smoothly we would probably need to implement ways to get users and role mappings by the role name.
For a number of stack applications security administrators need to set up roles with a standard set of privileges over a customisable index pattern:
For example:
https://www.elastic.co/guide/en/beats/heartbeat/6.6/beats-basic-auth.html
Ideally we would ship that as a reserved role, but because the index pattern is not fixed (our ingest tools have customisable output indices) we can't do that.
It would be helpful to be able to ship some sort of builtin template that could be used to create a concrete role over the required indices.
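
A sketch of the idea requested above, added here as an illustration and not taken from Elasticsearch or from anyone in this thread: an immutable built-in template is expanded into a concrete role body (`cluster` / `indices[].names` / `indices[].privileges`) for caller-supplied index patterns. The `${index_pattern}` placeholder, the function names, the privilege set and the pattern policy are all assumptions.

```python
import copy
import re

PLACEHOLDER = "${index_pattern}"  # hypothetical placeholder syntax

# Constructed template. The privilege names exist in Elasticsearch, but this
# particular set is illustrative and is not taken from the linked Beats docs.
INGEST_WRITER_TEMPLATE = {
    "cluster": ["monitor"],
    "indices": [{"names": [PLACEHOLDER], "privileges": ["create_index", "index"]}],
}

# Policy assumption: lowercase name characters with optional '*' wildcards and
# a literal first character, so "*", ".security*" and "_all" are refused.
_PATTERN_RE = re.compile(r"^[a-z0-9][a-z0-9._*-]*$")


def validate_pattern(pattern):
    """Reject patterns that would widen the role beyond the caller's own indices."""
    if not isinstance(pattern, str) or not _PATTERN_RE.match(pattern):
        raise ValueError(f"index pattern not allowed: {pattern!r}")
    return pattern


def instantiate_role(template, index_patterns):
    """Return a concrete role body; the template itself is never modified."""
    if isinstance(index_patterns, str) or not index_patterns:
        raise ValueError("index_patterns must be a non-empty list of strings")
    patterns = [validate_pattern(p) for p in index_patterns]
    role = copy.deepcopy(template)  # the built-in template stays fixed
    for entry in role["indices"]:
        names = []
        for name in entry["names"]:
            # Only the exact placeholder is expanded; fixed names pass through.
            names.extend(patterns if name == PLACEHOLDER else [name])
        entry["names"] = names
    return role


if __name__ == "__main__":
    import json
    body = instantiate_role(INGEST_WRITER_TEMPLATE, ["heartbeat-*", "custom-hb-*"])
    print(json.dumps(body, indent=2))
```

Because the privilege list comes only from the template, integration tests written against the template's default pattern still describe every role created from it.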