Remove auto_configure privilege for profiling #101026

Merged

danielmitterdorfer
Member

With this commit we remove the `auto_configure` privilege for the Fleet service account that targets profiling-related indices. This privilege was needed to automatically create indices and data streams in the past, but as this is managed by the Elasticsearch plugin, there is no need to grant this privilege to Fleet-managed components.

@danielmitterdorfer danielmitterdorfer added >enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC cloud-deploy Publish cloud docker image for Cloud-First-Testing Team:Universal Profiling v8.12.0 labels Oct 18, 2023
@github-actions
Contributor

Documentation preview:

@elasticsearchmachine elasticsearchmachine added Team:Security Meta label for security team and removed Team:Universal Profiling labels Oct 18, 2023
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine
Collaborator

Hi @danielmitterdorfer, I've created a changelog YAML for you.

@danielmitterdorfer
Member Author

@elasticsearchmachine run elasticsearch-ci/bwc

@danielmitterdorfer
Member Author

This is a known test failure, see #100502, which should be addressed by #101006. We will wait to trigger further CI builds until that PR is merged, but the test failure is clearly unrelated to this PR.

@danielmitterdorfer
Member Author

@elasticmachine merge upstream

@albertzaharovits albertzaharovits self-requested a review October 23, 2023 10:37
Contributor

@albertzaharovits albertzaharovits left a comment

LGTM
Thanks for retracting the privilege!
Have you thought about mixed versions scenarios, where an old component (fleet server maybe) might try to create the index the old way (not using the plugin) using the new credential from this PR?

@danielmitterdorfer
Member Author

> Have you thought about mixed versions scenarios, where an old component (fleet server maybe) might try to create the index the old way (not using the plugin) using the new credential from this PR?

Thanks for the feedback. We have changed the behavior with #96268, which has been available since 8.9.0 and went GA in 8.10.0. Upgrades from the beta phase to a GA version are not supported (unless users delete all data and start from scratch), so that scenario should not affect us.

@danielmitterdorfer danielmitterdorfer merged commit a579504 into elastic:main Oct 23, 2023
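
One way to check a privilege retraction like the one discussed in this thread, as an added example that is not code from the pull request or from Elasticsearch: it diffs two role descriptors and confirms that no remaining index pattern still grants `auto_configure` on a profiling index. The descriptors, the index patterns and the index name `profiling-events` are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample descriptors in the role-descriptor JSON shape
# ("indices": [{"names": [...], "privileges": [...]}]); patterns are assumptions.
BEFORE = {"indices": [
    {"names": ["profiling-*"], "privileges": ["read", "write", "auto_configure"]},
    {"names": ["logs-*"], "privileges": ["write", "auto_configure"]},
]}
AFTER = {"indices": [
    {"names": ["profiling-*"], "privileges": ["read", "write"]},
    {"names": ["logs-*"], "privileges": ["write", "auto_configure"]},
]}
# Constructed variant: a broader entry elsewhere quietly keeps the privilege.
AFTER_WITH_WILDCARD = {"indices": AFTER["indices"] + [
    {"names": ["*"], "privileges": ["auto_configure"]},
]}


def grants(descriptor):
    """Flatten a descriptor into a set of (index pattern, privilege) pairs."""
    return {
        (name, priv)
        for entry in descriptor.get("indices", [])
        for name in entry.get("names", [])
        for priv in entry.get("privileges", [])
    }


def privilege_diff(before, after):
    """Return (removed, added) grants as sorted lists of pairs."""
    old, new = grants(before), grants(after)
    return sorted(old - new), sorted(new - old)


def still_granted(descriptor, index_name, privilege):
    """Patterns that grant `privilege` on a concrete index name.

    Only `*` wildcards are considered; regex-style patterns are out of scope.
    """
    return sorted(
        pattern for pattern, priv in grants(descriptor)
        if priv == privilege and fnmatchcase(index_name, pattern)
    )


if __name__ == "__main__":
    print("diff:", privilege_diff(BEFORE, AFTER))
    print("after:", still_granted(AFTER, "profiling-events", "auto_configure"))
    print("wildcard:", still_granted(AFTER_WITH_WILDCARD, "profiling-events", "auto_configure"))
```

The diff alone compares patterns textually, so the `still_granted` check is what catches a broader entry that keeps the privilege in effect.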