-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Fleet] Add permission specs to policy #94058
Comments
Pinging @elastic/fleet (Team:Fleet) |
@ruflin I've assigned @afgomez to this issue, just to clarify.
Do you mean current permission for " |
Yes |
I wrote a little something to help me clarify my thoughts. Let me know if I'm missing something We want Fleet server to generate API keys for the agents based on whatever permissions they need. The current situationFleet server generates an API key with coarse permissions. All agents get the same permissions. What do we want?Policies should specify the permissions they need based on their integrations. For example, if a policy uses Elastic APM, it should have permissions to Fleet server will then read these permissions and use them when it generates the API key for the agent. Approach1. Move hardcoded permissions to the policy itself (#94591)The first step will be to hardcode the current coarse permissions when generating the policy. The permissions will be added on a new key called interface FullPolicy {
// ...
outputPermissions?: {
[key: string]: Array<{ names: string[]; privileges: string[]; }>
}
} Since there is an option to have several outputs, there should be an option to have several output permissions. We do it as a separate key to not fiddle with the current The fleet server will use the 2. Specify permissions in each integration.The integrations will then specify which privileges they need for which indices. The At this step, if an integration doesn't have a A possible sane default could be to automatically provide the |
Could you share an example in json or yaml of the permission block? This is to make sure fleet-server will know exactly what to implement. |
Sure! # ...
revision: 1
outputs:
default:
type: elasticsearch
hosts:
- 'http://localhost:9200'
outputPermissions:
default:
- names:
- logs-*
- metrics-*
- traces-*
- .logs-endpoint.diagnostic.collection-*
privileges:
- auto_configure
- create_doc
# ... |
Looking at https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html#security-api-create-api-key-example I wonder if we will ever need the |
For API keys you give a role descriptor there is no need to create any roles, I am wondering if we should have a structure that match more that concept so we can easily have different privileges for different index
|
Should have been more specific, I meant the description. What you put in is now almost the full ES part. Going further, I wonder if we should go so far and even add the top level part around |
Maybe it's not obvious because of the yaml syntax, but we can do that with the proposed structure. Each key inside outputPermissions:
default:
- names:
- logs-*
privileges:
- auto_configure
- create_doc
- names:
- metrics-*
privileges:
- create_doc
- read
- ... The type signature is as follows interface FullPolicy {
// ...
outputPermissions?: {
[key: string]: Array<{ names: string[]; privileges: string[]; }>
}
}
Is there a use case where different policies could benefit from different expiration times? Somehow I feel it's more of an implementation detail on the fleet side that something that should be in the policy. If we want to make sure to leave the door open we can change the type to something like this: interface FullPolicy {
// ...
outputPermissions?: {
[key: string]: {
indices: Array<{ names: string[]; privileges: string[]; }>
// add properties as needed in the future
}
}
} But even then, it is possible to leave the legacy version now, and if needed, express a new structure with types. interface PolicyPermission {
names: string[];
privileges: string[];
}
interface FullPolicy {
// ...
outputPermissions?: {
[key: string]: PolicyPermission[] | {
indices: PolicyPermission[]
}
}
} I personally prefer the very first option because YAGNI, but I'm open to the second. |
I would generate it in the Fleet server, something like Maybe I'm missing something but I feel in this case the role is more something that Elasticsearch needs more than data about the policy itself. I think it should be left out of the policy. |
@afgomez I agree we can leave out the expiration for now as we don't have a use case for it yet. I've been thinking a bit more about the roles. Each integration policy inside the policy will have its own permissions. A single integration policy can also have two permission entries as not all indices necessarily have the same permissions (see endpoint example below). Elasticsearch will require a roles descriptor as far as I can see so we need to put something in for the role. We could just generate a random key. But as we know the permissions come from a specific integration policy, woludn't it be nice for debugging purpose to exactly see which permissions are for which integration? This lead me to the following example. It would mean, the role descriptions would have to be created by Fleet.
|
Ok I see that point and I agree. As an intermediate step for #94591 I can add a role called |
++, |
@aleksmaus Can you take a quick look at the above if this would also work well for |
@aleksmaus ah, good point. I'm so used to the camelCase convention in JS that I didn't realise it's different here. I'll update the PR 👍 |
Small detail I missed in our previous schema discussions: The following is what is currently put into the policy:
This is what would be compatible with the ES API.
The difference is the index part. I understand we don't really need it but at the same time it means fleet-server needs to modify the content and add this entry to the yaml instead of just taking the full yaml block, add some top level fields and ship it to Elasticsearch. |
To reduce the permissions each Elastic Agent requires, the permission on each API Key that is handed out to the Elastic Agent must be reduced. In elastic/fleet-server#101 a proposal is discussed which requires that each policy contains a definition on what permissions are need to run this policy. Based on these, the fleet-server creates API keys.
As the policy is created in Kibana, this permissions block would have to be added to the policy by Fleet. The permissions should be created based on the integrations in a policy. To know which permissions are required, each package should contain a definition on what it requires. In addition, special flags could be set on a policy to allow dynamic fields or wildcards to increase permissions.
In a first phase, the implementation could be to just add our default permissions to each policy. With this, we put the foundation in place to further iterate on it and reduce the permissions over time. Also it means fleet-server can build in all the components and can stop worrying about the permissions as it becomes a Fleet issue.
The text was updated successfully, but these errors were encountered: