From d74db5c1bb2eabc02876c2a02152b659248a7406 Mon Sep 17 00:00:00 2001 From: Mike Place Date: Mon, 30 Sep 2019 15:49:34 +0200 Subject: [PATCH 1/2] Grant monitoring index privs to apm_system user --- .../core/security/authz/store/ReservedRolesStore.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index fcd0c24606e49..3a24f9684f7a6 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -146,7 +146,12 @@ private static Map initializeReservedRoles() { }, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) .put(UsernamesField.APM_ROLE, new RoleDescriptor(UsernamesField.APM_ROLE, - new String[] { "monitor", MonitoringBulkAction.NAME}, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) + new String[] { "monitor", MonitoringBulkAction.NAME}, + new RoleDescriptor.IndicesPrivileges[]{ + RoleDescriptor.IndicesPrivileges.builder() + .indices(".monitoring-beats-*").privileges("create_index", "create").build() + }, + null, MetadataUtils.DEFAULT_RESERVED_METADATA)) .put("apm_user", new RoleDescriptor("apm_user", null, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder().indices("apm-*") From 1d4690924658a3ba90ff230406087e654ee99987 Mon Sep 17 00:00:00 2001 From: Mike Place Date: Mon, 30 Sep 2019 17:14:59 +0200 Subject: [PATCH 2/2] Add test for APM beats index perms --- .../security/authz/store/ReservedRolesStoreTests.java | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 9c23def4283c2..9eda3463de4d4 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -888,7 +888,7 @@ public void testBeatsSystemRole() { final String index = ".monitoring-beats-" + randomIntBetween(0, 5);; - logger.info("index name [{}]", index); + logger.info("beats monitoring index name [{}]", index); assertThat(beatsSystemRole.indices().allowedIndicesMatcher(IndexAction.NAME).test("foo"), is(false)); assertThat(beatsSystemRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false)); assertThat(beatsSystemRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)), @@ -926,6 +926,14 @@ public void testAPMSystemRole() { assertThat(APMSystemRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)), is(false)); + final String index = ".monitoring-beats-" + randomIntBetween(10, 15);; + logger.info("APM beats monitoring index name [{}]", index); + + assertThat(APMSystemRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true)); + assertThat(APMSystemRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true)); + assertThat(APMSystemRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false)); + assertThat(APMSystemRole.indices().allowedIndicesMatcher(BulkAction.NAME).test(index), is(true)); + assertNoAccessAllowed(APMSystemRole, RestrictedIndicesNames.RESTRICTED_NAMES); }