
Commit 8998045

Add read permissions for apm_user role to APM fleet indices (#68749)
1 parent 632d23d commit 8998045


2 files changed

+42
-8
lines changed


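--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -192,17 +192,44 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
 },
 null, MetadataUtils.DEFAULT_RESERVED_METADATA))
 .put("apm_user", new RoleDescriptor("apm_user",
-null, new RoleDescriptor.IndicesPrivileges[] {
+null,
+new RoleDescriptor.IndicesPrivileges[] {
+// Self managed APM Server
+// Can be removed in 8.0
 RoleDescriptor.IndicesPrivileges.builder().indices("apm-*")
 .privileges("read", "view_index_metadata").build(),
-RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*")
+
+// APM Server under fleet (data streams)
+RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm.*")
+.privileges("read", "view_index_metadata").build(),
+RoleDescriptor.IndicesPrivileges.builder().indices("metrics-apm.*")
+.privileges("read", "view_index_metadata").build(),
+RoleDescriptor.IndicesPrivileges.builder().indices("traces-apm.*")
+.privileges("read", "view_index_metadata").build(),
+
+// Machine Learning indices. Only needed for legacy reasons
+// Can be removed in 8.0
+RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*")
 .privileges("read", "view_index_metadata").build(),
-RoleDescriptor.IndicesPrivileges.builder().indices("observability-annotations")
+
+// Annotations
+RoleDescriptor.IndicesPrivileges.builder().indices("observability-annotations")
 .privileges("read", "view_index_metadata").build()
-}, new RoleDescriptor.ApplicationResourcePrivileges[] {
-RoleDescriptor.ApplicationResourcePrivileges.builder()
-.application("kibana-*").resources("*").privileges("reserved_ml_apm_user").build()
-}, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
+},
+new RoleDescriptor.ApplicationResourcePrivileges[] {
+RoleDescriptor
+.ApplicationResourcePrivileges
+.builder()
+.application("kibana-*")
+.resources("*")
+.privileges("reserved_ml_apm_user")
+.build()
+},
+null,
+null,
+MetadataUtils.getDeprecatedReservedMetadata("This role will be removed in 8.0"),
+null
+))
 .put("machine_learning_user", new RoleDescriptor("machine_learning_user", new String[] { "monitor_ml" },
 new RoleDescriptor.IndicesPrivileges[] {
 RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*", ".ml-notifications*")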
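Review bot: The three fleet data-stream entries at new lines 203–208 repeat an identical privilege set, and `IndicesPrivileges.builder().indices(...)` already takes several patterns in this same method (the machine_learning_user entry just below passes two), so they collapse to one entry: `RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm.*", "metrics-apm.*", "traces-apm.*")` followed by `.privileges("read", "view_index_metadata").build(),`. A one-line comment on those patterns would also help anyone auditing the grant's scope, since the literal dot after `apm` is what keeps `logs-apm.*` from matching every `logs-apm*` name; something like `// trailing dot is deliberate: only the apm.* datasets, not other logs-apm* streams` states that intent. The `// Can be removed in 8.0` comments now appear twice while the deprecation reason is also carried by `getDeprecatedReservedMetadata`, so one place should own that statement. initializeReservedRoles() starts and ends outside this hunk.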

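--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1256,7 +1256,14 @@ public void testAPMUserRole() {
 assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 12)), is(false));
 
 assertNoAccessAllowed(role, "foo");
-
+assertNoAccessAllowed(role, "foo-apm");
+assertNoAccessAllowed(role, "foo-logs-apm.bar");
+assertNoAccessAllowed(role, "foo-traces-apm.bar");
+assertNoAccessAllowed(role, "foo-metrics-apm.bar");
+
+assertOnlyReadAllowed(role, "logs-apm." + randomIntBetween(0, 5));
+assertOnlyReadAllowed(role, "traces-apm." + randomIntBetween(0, 5));
+assertOnlyReadAllowed(role, "metrics-apm." + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, "apm-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, AnomalyDetectorsIndexFields.RESULTS_INDEX_PREFIX + AnomalyDetectorsIndexFields.RESULTS_INDEX_DEFAULT);
 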
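Review bot: The new negative assertions at lines 1259–1262 only use names with something in front of `logs-apm.`, so the boundary that the dot in `logs-apm.*` creates is never exercised: a name like `logs-apm-bar` or `logs-apmbar` is not asserted to be rejected, and a later widening of the pattern to `logs-apm*` would pass this test unchanged. Adding `assertNoAccessAllowed(role, "logs-apm-bar");` plus the `metrics-apm-bar` and `traces-apm-bar` equivalents would pin that the dot is load-bearing. The main-file hunk also switches the role's metadata to `MetadataUtils.getDeprecatedReservedMetadata("This role will be removed in 8.0")`, and nothing visible here asserts that deprecation marker; testAPMUserRole starts before this hunk, so it may be checked there.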