Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fleet] Allow kibana to create Fleet Server indices #68152

Merged
merged 2 commits into from
Feb 5, 2021
Merged

[Fleet] Allow kibana to create Fleet Server indices #68152

merged 2 commits into from
Feb 5, 2021

Conversation

nchaulet
Copy link
Member

Context

Related to elastic/fleet-server#51

We recently added the permissions for the Kibana to read and read to .fleet-*

We decided that Kibana will also create these indexes so we need more permissions.

Description

Add all permission to .fleet* to the kibana system role to allow Kibana to create the indexes for Fleet server, the indexes will be managed in Kibana similarly to the .kibana index

@nchaulet nchaulet added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.0.0 v7.12.0 labels Jan 28, 2021
@nchaulet nchaulet self-assigned this Jan 28, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jan 28, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@nchaulet nchaulet force-pushed the feature-fleet-indices-creation branch from 432b33d to 398fa18 Compare January 28, 2021 21:33
@ruflin
Copy link
Contributor

ruflin commented Jan 29, 2021

@nchaulet I'm a bit hesitant to just make it .fleet-* instead of specifying each one but I see how it simplifies the development and also allows us to create "subindices" for aliasing etc.

@nchaulet
Copy link
Member Author

@ruflin yes it makes things a lot easier, otherwise we will have to give permissions for each indices like this .fleet-agents* for each indices and to update this again if we need new indices.
If kibana manage these indices I think it's okay to have some permissive permissions.

@nchaulet
Copy link
Member Author

nchaulet commented Feb 2, 2021

@ruflin Are we okay with moving forward with these permissions for now?

@mark-vieira
Copy link
Contributor

@elasticmachine update branch

@nchaulet nchaulet merged commit 4e049a9 into elastic:master Feb 5, 2021
@nchaulet nchaulet deleted the feature-fleet-indices-creation branch February 5, 2021 03:33
@nchaulet nchaulet mentioned this pull request Feb 5, 2021
Merged
nchaulet added a commit that referenced this pull request Feb 5, 2021
@nchaulet
[Fleet] Allow kibana to create Fleet Server indices (#68152) (#68604)
fd7c1fb 
Add "all" permission to Fleet Server indices (.fleet*) to kibana_system role

We recently added the permissions for the Kibana to read and read to .fleet-* we decided that Kibana will also create these indexes so we need more permissions to do so.

Related to elastic/fleet-server#51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@albertzaharovits albertzaharovits albertzaharovits approved these changes

@kobelb kobelb kobelb approved these changes

@ruflin ruflin ruflin approved these changes

Assignees

@nchaulet nchaulet

Labels
>enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v7.12.0 v8.0.0-alpha1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@nchaulet @elasticmachine @ruflin @mark-vieira @kobelb @albertzaharovits @jakelandis @williamrandolph