[Fleet] Give permissions to indices with rolling dates #103319
Conversation
afgomez
added
v8.0.0
release_note:skip
|
Pinging @elastic/fleet (Feature:Fleet) |
|
Pinging @elastic/fleet (Team:Fleet) |
|
@ruflin What do you think about this? It feels a bit odd to me, but I don't think we have any flags today on the integration that can tell us whether we expect the final data streams to be time series or not. |
|
We want to get away from the @aleksmaus Why are the above indices / data streams created and not the data stream naming scheme is followed? This also has implications on the number of shards etc. |
|
@afgomez If we need a short term fix here, I rather have osquery as a special case instead of applying the |
@ruflin That was my initial idea as well, but when I checked with @aleksmaus we couldn't figure out if this happened with other integrations as well. If we know for sure this is the only one, then I can add a special case for it. |
|
Do you know if the above are indices or data streams? Everything MUST use data streams and the data stream naming scheme. But seems like osquerybeat does not so if other integrations do the same, we have a larger issue that we need to investigate quickly. |
Looking at https://epr.elastic.co/package/osquery_manager/0.2.3/ I'd say it's a data stream |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: cc @afgomez |
|
Going to close this in favor of elastic/beats#26545. |
Summary
Some of the integrations add a suffix with the date to the indices they need to write in, like:
The new permissions code doesn't account for this. This PR adds a
*as a suffix to each entry in the agent policy permissions block to ensure indices with suffixes are possible.