Protect newly introduced system indices fully #74186
Conversation
This change updates the way we handle net new system indices, which are those that have been newly introduced and do not require any BWC guarantees around non-system access. These indices will not be included in wildcard expansions for user searches and operations. Direct access to these indices will also not be allowed for user searches. The first index of this type is the GeoIp index, which this change sets the new flag on. Closes elastic#72572
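The two rules the description states (net-new system indices drop out of wildcard expansion for user requests, and naming one directly is refused unless the caller is an allowed Elastic product) can be shown as a small resolution model. This is an added illustration, not Elasticsearch's own code: the `Descriptor` record, `resolve()`, the `geoip-downloader` origin value and the index names are assumptions made for the demo, and only a trailing `*` glob is implemented.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/**
 * Illustrative model (not Elasticsearch's own code) of how a "net new" system
 * index is treated: hidden from wildcard expansion in user requests, and
 * refused when a user names it directly. Descriptor, resolve() and the sample
 * names below are assumptions for this demo.
 */
public class NetNewIndexResolution {

    /** Hypothetical stand-in for a system index descriptor carrying the flags from the PR. */
    record Descriptor(String pattern, boolean netNew, Set<String> allowedElasticProductOrigins) {}

    /** Minimal glob: only a trailing '*' is supported, which is all the demo needs. */
    static boolean matches(String pattern, String name) {
        if (pattern.endsWith("*")) {
            return name.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        return pattern.equals(name);
    }

    private final List<Descriptor> descriptors;
    private final Set<String> concreteIndices;

    NetNewIndexResolution(List<Descriptor> descriptors, Set<String> concreteIndices) {
        this.descriptors = descriptors;
        this.concreteIndices = new TreeSet<>(concreteIndices);
    }

    /** First descriptor whose pattern covers the index, or null for a regular user index. */
    Descriptor descriptorFor(String index) {
        for (Descriptor d : descriptors) {
            if (matches(d.pattern(), index)) {
                return d;
            }
        }
        return null;
    }

    /** A net-new index is reachable only when the request carries an allowed product origin. */
    static boolean hiddenFrom(Descriptor d, String productOrigin) {
        return d != null && d.netNew()
            && (productOrigin == null || !d.allowedElasticProductOrigins().contains(productOrigin));
    }

    /**
     * Resolve a request expression. productOrigin is null for an ordinary user
     * request; a non-null value stands in for an Elastic product origin header.
     */
    List<String> resolve(String expression, String productOrigin) {
        List<String> resolved = new ArrayList<>();
        if (expression.endsWith("*")) {
            // Wildcard: net-new system indices are silently skipped for user requests.
            for (String index : concreteIndices) {
                if (matches(expression, index) && !hiddenFrom(descriptorFor(index), productOrigin)) {
                    resolved.add(index);
                }
            }
            return resolved;
        }
        // Direct name: refuse rather than expose the index to a user request.
        if (hiddenFrom(descriptorFor(expression), productOrigin)) {
            throw new IllegalArgumentException("access to net-new system index [" + expression + "] is not allowed");
        }
        if (concreteIndices.contains(expression)) {
            resolved.add(expression);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample cluster state: one net-new index, one legacy system index, one user index.
        List<Descriptor> descriptors = List.of(
            new Descriptor(".geoip_databases", true, Set.of("geoip-downloader")), // net new; origin value assumed
            new Descriptor(".security-*", false, Set.of())                         // legacy system index, BWC kept
        );
        Set<String> indices = Set.of(".geoip_databases", ".security-7", "logs-2021");
        NetNewIndexResolution r = new NetNewIndexResolution(descriptors, indices);

        System.out.println("user request    .* -> " + r.resolve(".*", null));
        System.out.println("user request    *  -> " + r.resolve("*", null));
        System.out.println("product request .* -> " + r.resolve(".*", "geoip-downloader"));
        try {
            r.resolve(".geoip_databases", null);
        } catch (IllegalArgumentException e) {
            System.out.println("user direct access -> " + e.getMessage());
        }
    }
}
```

Running `main` shows the legacy `.security-7` index still appearing in a user's `.*` expansion (the BWC guarantee the description keeps) while the net-new index appears only for the allowed product origin, and a direct user request for it fails rather than returning data.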
Pinging @elastic/es-core-infra (Team:Core/Infra)
This looks really good. What are your thoughts on index templates here? Unless you're already in progress there, I should probably handle that in a follow-up.
@@ -414,6 +418,10 @@ public boolean isInternal() { | |||
return allowedElasticProductOrigins; | |||
} | |||
|
|||
public boolean isNetNew() { |
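Review bot: the `isNetNew()` accessor added at the end of this hunk carries no Javadoc, yet "net new" is the term that decides whether an index is excluded from wildcard expansion and from direct user access; add a Javadoc comment on the method giving that definition, and consider saying there how it interacts with the `allowedElasticProductOrigins` accessor just above it, so a reader of the descriptor does not have to infer the access rule from call sites.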
Here and elsewhere, I'd like to add javadoc that explains clearly what we mean by "net new". It wasn't an expression I was familiar with and I see some potential for confusion.
I'll be happy to add a commit with this javadoc.
I put a note about adding javadoc on #74271 so that we can merge this PR as soon as possible.
Co-authored-by: William Brafford <[email protected]>
Index templates were a miss on this one. If you want to handle as a follow-up, that works for me
LGTM
@elasticmachine update branch
backport commit: 642e059
We need to be able to apply custom mappings to the siem signals indexes. This change broke the security event aggregation code in our SOAR when the siem signals indexes were changed to system indexes.
@mbudge The siem signals index ( I'd like to start the investigation at http://discuss.elastic.co. If we verify a bug, then we can open a new issue in this github repository. Could you post in the elasticsearch category on the discuss forums? Please include the elasticsearch version where your code worked, as well as the elasticsearch version you are updating to, as well as any errors or stack traces you are finding. It would also help to know what security user and role you are using for your request. After that, comment here with a link to your discuss forum post and I will take a look.