Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fleet-server does not correctly update API keys on policy output permissions change #1672

Closed
AndersonQ opened this issue Jul 18, 2022 · 2 comments · Fixed by #1684
Closed

Fleet-server does not correctly update API keys on policy output permissions change #1672

AndersonQ opened this issue Jul 18, 2022 · 2 comments · Fixed by #1684
Assignees
@AndersonQ
Labels
v8.5.0

Comments

@AndersonQ
Copy link
Member

AndersonQ commented Jul 18, 2022
edited
Loading

  • Version: 8.3.2, the commit causing this problem was merged on 04/04/2022 and backported to v8.2.0 and v8.3.0
  • Operating System: all
  • Steps to Reproduce: see below

Fleet-server will change the API key for an input when ever the output permissions change. However given a policy with 2 or more outputs, if only a sub set of the policies has a permission change, there is the chance that the new API key will be set to its correct input as well as to other inputs that did not have a permission change and therefore did not get a new API key.
It can cause a "invalid API key" error as a input might try to interact with indexes it does not have permission to do so.

See more details here.
@joshdover
Copy link
Contributor

@AndersonQ where did we land on the approach for fixing this problem? Will we be adding a new fields to .fleet-agents to track the API keys for each output?

@AndersonQ AndersonQ mentioned this issue Jul 25, 2022
Closed
@AndersonQ
Copy link
Member Author

hi @joshdover. Yes, we'll add new fields, keep the old ones for backward compatibility and fleet-server will do a "migration" of the data from the old, now deprecated fields, to the new ones. I started the work on it. You can already check the new model here, have a look at internal/pkg/model/schema.go and model/schema.json.

@AndersonQ AndersonQ mentioned this issue Jul 28, 2022
Merged
25 tasks
@AndersonQ AndersonQ self-assigned this Jul 28, 2022
@AndersonQ AndersonQ mentioned this issue Aug 11, 2022
Merged
AndersonQ added a commit to elastic/elasticsearch that referenced this issue Sep 7, 2022
@AndersonQ
update .fleet-agents mapping (#89270)
3337493 
Update the .fleet-agents mapping to add the new outputs field. See elastic/fleet-server#1672 for details.
@AndersonQ AndersonQ mentioned this issue Sep 8, 2022
Merged
1 task
@cmacknz cmacknz added the v8.5.0 label Sep 27, 2022
@michel-laterman michel-laterman mentioned this issue Mar 26, 2024
Closed
2lambda123 pushed a commit to 2lambda123/elastic-elasticsearch that referenced this issue May 3, 2024
@AndersonQ
update .fleet-agents mapping
bf85bf0 
Update the .fleet-agents mapping to add the new outputs field. See elastic/fleet-server#1672 for details.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AndersonQ AndersonQ

Labels
v8.5.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow multiple ES outputs as long as they are the same ES AndersonQ/fleet-server
3 participants
@AndersonQ @joshdover @cmacknz