From 6d6284b7e1dc96a700c09be71d2b9d1a0bd9d024 Mon Sep 17 00:00:00 2001
From: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
Date: Fri, 18 Nov 2022 14:26:39 +0100
Subject: [PATCH 1/5] Added logs-elastic_agent* read privileges to kibana_system
---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index e4f8b72e55efb..a7a9223855050 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -719,6 +719,8 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
 // Fleet Server indices. Kibana create this indice before Fleet Server use them.
 // Fleet Server indices. Kibana read and write to this indice to manage Elastic Agents
 RoleDescriptor.IndicesPrivileges.builder().indices(".fleet*").allowRestrictedIndices(true).privileges("all").build(),
+ // Fleet telemetry queries Agent Logs indices in kibana task runner
+ RoleDescriptor.IndicesPrivileges.builder().indices("logs-elastic_agent*").privileges("read", "read_cross_cluster").build(),
 // Legacy "Alerts as data" used in Security Solution.
 // Kibana user creates these indices; reads / writes to them.
 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_LEGACY_INDEX).privileges("all").build(),
From 17b4354fb88be90cee666d20281504f0ad413b42 Mon Sep 17 00:00:00 2001
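Review bot: The added grant uses the bare prefix `logs-elastic_agent*`, which matches every index whose name starts with that string, not only the `logs-elastic_agent-<namespace>` and `logs-elastic_agent.<dataset>-<namespace>` names that the unit test in this series exercises. Because kibana_system is a reserved role, I would anchor the pattern on the delimiters, for example `.indices("logs-elastic_agent-*", "logs-elastic_agent.*-*")`, unless Fleet telemetry is known to need other names; that is not visible here. The comment above the entry could also say that the access is read-only and why no write privilege is needed. The same pattern is carried unchanged by the PATCH 5/5 hunk on this file, and kibanaSystemRoleDescriptor starts and ends outside the hunk.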
From: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
Date: Fri, 18 Nov 2022 14:41:44 +0100
Subject: [PATCH 2/5] Update docs/changelog/91701.yaml
---
 docs/changelog/91701.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 docs/changelog/91701.yaml
diff --git a/docs/changelog/91701.yaml b/docs/changelog/91701.yaml
new file mode 100644
index 0000000000000..d2e1d04db019a
--- /dev/null
+++ b/docs/changelog/91701.yaml
@@ -0,0 +1,5 @@
+pr: 91701
+summary: "[Fleet] Added logs-elastic_agent* read privileges to `kibana_system`"
+area: Authorization
+type: enhancement
+issues: []
From eb60e36b1e86d982b155ccfd30b702afcee9872e Mon Sep 17 00:00:00 2001
From: Julia Bardi
Date: Fri, 18 Nov 2022 14:46:54 +0100
Subject: [PATCH 3/5] added unit test
---
 .../authz/store/ReservedRolesStoreTests.java | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index bfef729e8262d..bafaaf14de043 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -730,6 +730,23 @@ public void testKibanaSystemRole() {
 ".fleet-servers"
 ).forEach(index -> assertAllIndicesAccessAllowed(kibanaRole, index));

+ // read-only indices for Fleet telemetry
+ Arrays.asList(
+ "logs-elastic_agent-default",
+ "logs-elastic_agent.fleet_server-default"
+ ).forEach((index) -> {
+ assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(false));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(mockIndexAbstraction(index)), is(false));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(mockIndexAbstraction(index)), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(mockIndexAbstraction(index)), is(false));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(mockIndexAbstraction(index)), is(false));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(mockIndexAbstraction(index)), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(mockIndexAbstraction(index)), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(mockIndexAbstraction(index)), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(mockIndexAbstraction(index)), is(true));
+ });
+
 // read-only index for Endpoint and Osquery manager specific action responses
 Arrays.asList(".logs-endpoint.action.responses-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((index) -> {
 final IndexAbstraction indexAbstraction = mockIndexAbstraction(index);
From 2212ba0560870cf190316def6bb396ced22769ed Mon Sep 17 00:00:00 2001
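Review bot: Both sample names in the new `Arrays.asList(...)` block match the granted pattern, so nothing here pins where `logs-elastic_agent*` stops matching. A near-miss name (constructed example: `logs-elastic_agentx-default`) checked against `SearchAction.NAME` would record whether the trailing wildcard is meant to cover it. The ten assertions also build a fresh mock each time; hoisting it the way the following Endpoint block does, `final IndexAbstraction indexAbstraction = mockIndexAbstraction(index);`, keeps them on one object and shortens the lines. testKibanaSystemRole starts and ends outside the hunk.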
From: Julia Bardi
Date: Fri, 18 Nov 2022 15:20:08 +0100
Subject: [PATCH 4/5] Fixed formatting
---
 .../core/security/authz/store/ReservedRolesStoreTests.java | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index bafaaf14de043..5b30a6b059d06 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -731,10 +731,7 @@ public void testKibanaSystemRole() {
 ).forEach(index -> assertAllIndicesAccessAllowed(kibanaRole, index));

 // read-only indices for Fleet telemetry
- Arrays.asList(
- "logs-elastic_agent-default",
- "logs-elastic_agent.fleet_server-default"
- ).forEach((index) -> {
+ Arrays.asList("logs-elastic_agent-default", "logs-elastic_agent.fleet_server-default").forEach((index) -> {
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(false));
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(mockIndexAbstraction(index)), is(false));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(mockIndexAbstraction(index)), is(true));
From 00ede49ef987185f93088677c35b12e853cf0acd Mon Sep 17 00:00:00 2001
From: Julia Bardi
Date: Mon, 21 Nov 2022 09:26:50 +0100
Subject: [PATCH 5/5] removed read cross cluster role
---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 2 +-
 .../core/security/authz/store/ReservedRolesStoreTests.java | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index f0dc62aa6bc66..8685f39bc1b30 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -720,7 +720,7 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
 // Fleet Server indices. Kibana read and write to this indice to manage Elastic Agents
 RoleDescriptor.IndicesPrivileges.builder().indices(".fleet*").allowRestrictedIndices(true).privileges("all").build(),
 // Fleet telemetry queries Agent Logs indices in kibana task runner
- RoleDescriptor.IndicesPrivileges.builder().indices("logs-elastic_agent*").privileges("read", "read_cross_cluster").build(),
+ RoleDescriptor.IndicesPrivileges.builder().indices("logs-elastic_agent*").privileges("read").build(),
 // Legacy "Alerts as data" used in Security Solution.
 // Kibana user creates these indices; reads / writes to them.
 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_LEGACY_INDEX).privileges("all").build(),
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index b319cf869d979..28b5dd99b2e06 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -743,7 +743,6 @@ public void testKibanaSystemRole() {
 assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(mockIndexAbstraction(index)), is(true));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(mockIndexAbstraction(index)), is(true));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(mockIndexAbstraction(index)), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(mockIndexAbstraction(index)), is(true));
 });

 // read-only index for Endpoint and Osquery manager specific action responses
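Review bot: Deleting the `READ_CROSS_CLUSTER_NAME` assertion leaves the removal of `read_cross_cluster` untested, so re-adding the privilege later would not fail this test. Assuming no other kibana_system entry grants it on these names, keep the line with the expectation inverted: `assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(mockIndexAbstraction(index)), is(false));`. The enclosing lambda and testKibanaSystemRole begin outside the hunk.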