-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add delete privilege to kibana_system for APM and Endpoint ILM policies #81811
Conversation
Pinging @elastic/es-security (Team:Security) |
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true)); | ||
assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are already granted by the overall wider privileges for metrics-*
and traces-*
, but I added an explicit test to ensure we meet the ILM requirements
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM and please address my comments before merging.
v7.17.0
is not in the PR's labels. But I assume you would want it as well. The 7.17 branch is already cut. So the backport must be a separate one from 7.16.
Also, I agree with your analysis on the Kibana issue. This approach is too much overhead for taking in new packages. It definitely won't scale for 3rd party ones. I am ok with the short term solution. But we ought to work on the long term solution before there are too many packages.
...core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
Outdated
Show resolved
Hide resolved
...src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
Outdated
Show resolved
Hide resolved
...src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
Outdated
Show resolved
Hide resolved
...src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
Outdated
Show resolved
Hide resolved
…es (#81811) (#81873) Co-authored-by: Elastic Machine <[email protected]>
Fixes elastic/kibana#121244
Adds the necessary delete index privilege required to execute the ILM policies for a subset of APM and Endpoint data streams. Examples of the ILM policies that we need to support: