Use kibana_system user for writing to Fleet system indices in Endpoin…

…t isolation (#120597) (#120794) Co-authored-by: Josh Dover <[email protected]>
elastic · Dec 8, 2021 · 24b8608 · 24b8608
1 parent b200f78
commit 24b8608
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 17 deletions.
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.test.ts
@@ -224,10 +224,10 @@ describe('Host Isolation', () => {
           );
 
         if (indexExists) {
-          ctx.core.elasticsearch.client.asInternalUser.index = mockIndexResponse;
+          ctx.core.elasticsearch.client.asCurrentUser.index = mockIndexResponse;
         }
 
-        ctx.core.elasticsearch.client.asCurrentUser.index = mockIndexResponse;
+        ctx.core.elasticsearch.client.asInternalUser.index = mockIndexResponse;
         ctx.core.elasticsearch.client.asCurrentUser.search = mockSearchResponse;
 
         const withLicense = license ? license : Platinum;
@@ -283,7 +283,7 @@ describe('Host Isolation', () => {
         searchResponse: metadataResponse,
       });
       const actionDoc: EndpointAction = (
-        ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
+        ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
       ).mock.calls[0][0].body;
       expect(actionDoc.agents).toContain(AgentID);
     });
@@ -294,7 +294,7 @@ describe('Host Isolation', () => {
         mockUser: testU,
       });
       const actionDoc: EndpointAction = (
-        ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
+        ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
       ).mock.calls[0][0].body;
       expect(actionDoc.user_id).toEqual(testU.username);
     });
@@ -304,7 +304,7 @@ describe('Host Isolation', () => {
         body: { endpoint_ids: ['XYZ'], comment: CommentText },
       });
       const actionDoc: EndpointAction = (
-        ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
+        ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
       ).mock.calls[0][0].body;
       expect(actionDoc.data.comment).toEqual(CommentText);
     });
@@ -313,7 +313,7 @@ describe('Host Isolation', () => {
         body: { endpoint_ids: ['XYZ'], comment: 'XYZ' },
       });
       const actionDoc: EndpointAction = (
-        ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
+        ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
       ).mock.calls[0][0].body;
       const actionID = actionDoc.action_id;
       expect(mockResponse.ok).toBeCalled();
@@ -326,7 +326,7 @@ describe('Host Isolation', () => {
         body: { endpoint_ids: ['XYZ'] },
       });
       const actionDoc: EndpointAction = (
-        ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
+        ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
       ).mock.calls[0][0].body;
       expect(actionDoc.timeout).toEqual(300);
     });
@@ -339,7 +339,7 @@ describe('Host Isolation', () => {
         searchResponse: doc,
       });
       const actionDoc: EndpointAction = (
-        ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
+        ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
       ).mock.calls[0][0].body;
       expect(actionDoc.agents).toContain(AgentID);
     });
@@ -349,7 +349,7 @@ describe('Host Isolation', () => {
         body: { endpoint_ids: ['XYZ'] },
       });
       const actionDoc: EndpointAction = (
-        ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
+        ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
       ).mock.calls[0][0].body;
       expect(actionDoc.data.command).toEqual('isolate');
     });
@@ -358,7 +358,7 @@ describe('Host Isolation', () => {
         body: { endpoint_ids: ['XYZ'] },
       });
       const actionDoc: EndpointAction = (
-        ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
+        ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
       ).mock.calls[0][0].body;
       expect(actionDoc.data.command).toEqual('unisolate');
     });

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts
@@ -203,13 +203,9 @@ export const isolationRequestHandler = function (
     }
 
     try {
-      let esClient = context.core.elasticsearch.client.asCurrentUser;
-      if (doesLogsEndpointActionsDsExist) {
-        // create action request record as system user with user in .fleet-actions
-        esClient = context.core.elasticsearch.client.asInternalUser;
-      }
-      // write as the current user if the new indices do not exist
-      // <v7.16 requires the current user to be super user
+      const esClient = context.core.elasticsearch.client.asInternalUser;
+      // write as the internal user if the new indices do not exist
+      // 8.0+ requires internal user to write to system indices
       fleetActionIndexResult = await esClient.index<EndpointAction>({
         index: AGENT_ACTIONS_INDEX,
         body: {