Add delete privilege to kibana_system for APM and Endpoint ILM policies #81811

Merged: 3 commits, Dec 17, 2021


joshdover
Contributor

Fixes elastic/kibana#121244

Adds the necessary delete index privilege required to execute the ILM policies for a subset of APM and Endpoint data streams. Examples of the ILM policies that we need to support:

joshdover requested a review from ywangd December 16, 2021 11:57
elasticmachine added the Team:Security label Dec 16, 2021
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

Comment on lines 796 to 797
assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
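
Review bot: the two assertions at lines 796 to 797 cover only UpdateSettingsAction.NAME and RolloverAction.NAME, while the privilege this change adds is delete. If the same test block does not already do so, add a matching assertion on DeleteIndexAction.NAME for this indexAbstraction, and a negative one (is(false)) for an index name outside the APM and Endpoint data streams the ILM policies manage, so the test shows the delete grant stays limited to that subset.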
Contributor Author

These are already granted by the overall wider privileges for metrics-* and traces-*, but I added an explicit test to ensure we meet the ILM requirements.

joshdover requested a review from a team December 16, 2021 12:25
Member

ywangd left a comment

LGTM and please address my comments before merging.

v7.17.0 is not in the PR's labels. But I assume you would want it as well. The 7.17 branch is already cut. So the backport must be a separate one from 7.16.

Also, I agree with your analysis on the Kibana issue. This approach is too much overhead for taking in new packages. It definitely won't scale for 3rd party ones. I am ok with the short term solution. But we ought to work on the long term solution before there are too many packages.

@elasticsearchmachine
Collaborator

💚 Backport successful

Branch: 8.0, 7.16, 7.17

Labels: >bug, external-contributor (Pull request authored by a developer outside the Elasticsearch team), :Security/Authorization (Roles, Privileges, DLS/FLS, RBAC/ABAC), Team:Security (Meta label for security team), v7.16.2, v7.17.0, v8.0.0-rc1, v8.1.0
6 participants