From a57dbfa181875d6e6ada97b813c37d979cf449e7 Mon Sep 17 00:00:00 2001
From: emilioalvap
Date: Tue, 8 Nov 2022 11:06:47 +0100
Subject: [PATCH 1/3] [Synthetics] Add synthetics-* read to fleet-server

---
 .../rest-api/security/get-service-accounts.asciidoc | 13 ++++++++++++-
 .../security/authc/service/ServiceAccountIT.java | 13 ++++++++++++-
 .../authc/service/ElasticServiceAccounts.java | 7 ++++++-
 3 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/x-pack/docs/en/rest-api/security/get-service-accounts.asciidoc b/x-pack/docs/en/rest-api/security/get-service-accounts.asciidoc
index 7f1a7c9686e66..51f22dfab2321 100644
--- a/x-pack/docs/en/rest-api/security/get-service-accounts.asciidoc
+++ b/x-pack/docs/en/rest-api/security/get-service-accounts.asciidoc
@@ -73,7 +73,6 @@ GET /_security/service/elastic/fleet-server
 "logs-*",
 "metrics-*",
 "traces-*",
- "synthetics-*",
 ".logs-endpoint.diagnostic.collection-*",
 ".logs-endpoint.action.responses-*"
 ],
@@ -108,6 +107,18 @@ GET /_security/service/elastic/fleet-server
 "maintenance"
 ],
 "allow_restricted_indices": true
+ },
+ {
+ "names": [
+ "synthetics-*"
+ ],
+ "privileges": [
+ "read",
+ "write",
+ "create_index",
+ "auto_configure"
+ ],
+ "allow_restricted_indices": false
 }
 ],
 "applications": [
diff --git a/x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java b/x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java
index aabd75e34957c..1a06da6efb46e 100644
--- a/x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java
+++ b/x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java
@@ -90,7 +90,6 @@ public class ServiceAccountIT extends ESRestTestCase {
 "logs-*",
 "metrics-*",
 "traces-*",
- "synthetics-*",
 ".logs-endpoint.diagnostic.collection-*",
 ".logs-endpoint.action.responses-*"
 ],
@@ -125,6 +124,18 @@ public class ServiceAccountIT extends ESRestTestCase {
 "maintenance"
 ],
 "allow_restricted_indices": true
+ },
+ {
+ "names": [
+ "synthetics-*"
+ ],
+ "privileges": [
+ "read",
+ "write",
+ "create_index",
+ "auto_configure"
+ ],
+ "allow_restricted_indices": false
 }
 ],
 "applications": [ {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java
index e80baa92ce073..4086e83ce007f 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java
@@ -68,7 +68,6 @@ final class ElasticServiceAccounts {
 "logs-*",
 "metrics-*",
 "traces-*",
- "synthetics-*",
 ".logs-endpoint.diagnostic.collection-*",
 ".logs-endpoint.action.responses-*"
 )
@@ -88,6 +87,12 @@ final class ElasticServiceAccounts {
 // Fleet Server needs "maintenance" privilege to be able to perform operations with "refresh"
 .privileges("read", "write", "monitor", "create_index", "auto_configure", "maintenance")
 .allowRestrictedIndices(true)
+ .build(),
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices("synthetics-*")
+ // Fleet Server needs "read" privilege to be able to retrieve multi-agent docs
+ .privileges("read", "write", "create_index", "auto_configure")
+ .allowRestrictedIndices(false)
 .build() },
 new RoleDescriptor.ApplicationResourcePrivileges[] {
 RoleDescriptor.ApplicationResourcePrivileges.builder()
From d494ae42819f2dd64243d993845db29ada740958 Mon Sep 17 00:00:00 2001
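Review bot: The new `synthetics-*` entry grants `read` over the entire `synthetics-*` namespace, while the comment `// Fleet Server needs "read" privilege to be able to retrieve multi-agent docs` does not say which data streams those documents actually live in; if they are confined to a narrower pattern, scope the `read` grant to that pattern, and if the full namespace is intended, say so in the comment so the next reviewer does not have to re-derive it. Moving `synthetics-*` out of the first names list instead of adding `read` there is the right shape, since it keeps the wider grant from reaching `logs-*`, `metrics-*` and `traces-*`. A short note on why `allowRestrictedIndices(false)` is the correct choice for this entry, in the style of the "maintenance" comment on the preceding entry, would round out the documentation. The enclosing role-descriptor array starts and ends outside the hunk.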
From: emilioalvap
Date: Tue, 8 Nov 2022 16:02:28 +0100
Subject: [PATCH 2/3] Fix unit test

---
 .../service/ElasticServiceAccountsTests.java | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
index 27a8d383a4203..fb5dc9483c241 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
@@ -191,7 +191,6 @@ public void testElasticFleetServerPrivileges() {
 "logs-" + randomAlphaOfLengthBetween(1, 20),
 "metrics-" + randomAlphaOfLengthBetween(1, 20),
 "traces-" + randomAlphaOfLengthBetween(1, 20),
- "synthetics-" + randomAlphaOfLengthBetween(1, 20),
 ".logs-endpoint.diagnostic.collection-" + randomAlphaOfLengthBetween(1, 20),
 ".logs-endpoint.action.responses-" + randomAlphaOfLengthBetween(1, 20)
 ).stream().map(this::mockIndexAbstraction).forEach(index -> {
@@ -209,6 +208,23 @@ public void testElasticFleetServerPrivileges() {
 assertThat(role.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(false));
 });
 
+ List.of(
+ "synthetics-" + randomAlphaOfLengthBetween(1, 20)
+ ).stream().map(this::mockIndexAbstraction).forEach(index -> {
+ assertThat(role.indices().allowedIndicesMatcher(AutoPutMappingAction.NAME).test(index), is(true));
+ assertThat(role.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(index), is(true));
+ assertThat(role.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
+ assertThat(role.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true));
+ assertThat(role.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));
+ assertThat(role.indices().allowedIndicesMatcher(BulkAction.NAME).test(index), is(true));
+ assertThat(role.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(false));
+ assertThat(role.indices().allowedIndicesMatcher(GetAction.NAME).test(index), is(true));
+ assertThat(role.indices().allowedIndicesMatcher(MultiGetAction.NAME).test(index), is(true));
+ assertThat(role.indices().allowedIndicesMatcher(SearchAction.NAME).test(index), is(true));
+ assertThat(role.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(index), is(true));
+ assertThat(role.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(false));
+ });
+
 List.of(
 ".fleet-" + randomAlphaOfLengthBetween(1, 20),
 ".fleet-action" + randomAlphaOfLengthBetween(1, 20),
From 6ba8a5fdf2951f7ac6cf89100ec32b23f390d69b Mon Sep 17 00:00:00 2001
From: emilioalvap
Date: Tue, 8 Nov 2022 16:19:33 +0100
Subject: [PATCH 3/3] Fix linting

---
 .../security/authc/service/ElasticServiceAccountsTests.java | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

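Review bot: The new `synthetics-*` loop only pins the positive side of the added `read` grant; the loop above it, whose body lies outside this hunk, should also assert that `GetAction`, `MultiGetAction`, `SearchAction` and `MultiSearchAction` resolve to `is(false)` for the `logs-*`, `metrics-*` and `traces-*` indices, so a future edit cannot silently widen read to those patterns — if that loop already does, disregard this. The twelve assertion lines are otherwise a near-verbatim copy of the preceding loop with the read actions flipped, so a private helper taking the index and the expected read outcome would keep the two blocks in step as privileges change. `testElasticFleetServerPrivileges` starts and ends outside the hunk.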
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
index fb5dc9483c241..d8e2be574c377 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
@@ -208,9 +208,7 @@ public void testElasticFleetServerPrivileges() {
 assertThat(role.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(false));
 });
 
- List.of(
- "synthetics-" + randomAlphaOfLengthBetween(1, 20)
- ).stream().map(this::mockIndexAbstraction).forEach(index -> {
+ List.of("synthetics-" + randomAlphaOfLengthBetween(1, 20)).stream().map(this::mockIndexAbstraction).forEach(index -> {
 assertThat(role.indices().allowedIndicesMatcher(AutoPutMappingAction.NAME).test(index), is(true));
 assertThat(role.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(index), is(true));
 assertThat(role.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));