Skip to content

Add indices permissions to Enterprise Search service account #85726

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Apr 11, 2022
Merged

Add indices permissions to Enterprise Search service account #85726

merged 11 commits into from
Apr 11, 2022

Conversation

@carlosdelest
Copy link
Member

@carlosdelest carlosdelest commented Apr 6, 2022

Enterprise Search can create a new Engine type that uses already existing Elasticsearch indices.

Elasticsearch indices starting with search-* (or with a search-* alias) can be used as the backend for these new Engine types. The suffix has been chosen so users need to create an alias or rename their indices to be available to Enterprise Search; this way, we avoid Enterprise Search to have full read ability over all indices.

For this to happen, permissions must be added to the Enterprise Search service account so it can read search-* indices.

Fixes: https://github.com/elastic/enterprise-search-team/issues/1773
Related: https://github.com/elastic/cloud-assets/pull/1004, https://github.com/elastic/cloud/pull/100471

@carlosdelest carlosdelest added >enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team labels Apr 6, 2022
@carlosdelest carlosdelest requested review from ioanatia and jgr April 6, 2022 13:43
@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 6, 2022

Pinging @elastic/es-security (Team:Security)

@carlosdelest carlosdelest changed the title Add indices permissions enterprise search service account Add indices permissions to Enterprise Search service account Apr 6, 2022
@elasticsearchmachine elasticsearchmachine added v8.3.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Apr 6, 2022
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Apr 6, 2022

Hi @carlosdelest, I've created a changelog YAML for you.

carlosdelest and others added 4 commits April 6, 2022 15:44
@carlosdelest
Update docs/changelog/85726.yaml
30b4e7d
@carlosdelest
Lint fix
aadc0a4
@carlosdelest
Merge remote-tracking branch 'carlosdelest/add-indices-permissions-en…
4602565 
…terprise-search-service-account' into add-indices-permissions-enterprise-search-service-account
@carlosdelest
Trigger CI
14c1e38
@carlosdelest carlosdelest added v8.2.0 auto-backport Automatically create backport pull requests when merged labels Apr 6, 2022
ywangd
ywangd approved these changes Apr 11, 2022
View reviewed changes
Copy link
Member

@ywangd ywangd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@carlosdelest carlosdelest merged commit 989a7d6 into elastic:master Apr 11, 2022
carlosdelest added a commit to carlosdelest/elasticsearch that referenced this pull request Apr 11, 2022
@carlosdelest
Add indices permissions to Enterprise Search service account (elastic…
b648402 
…#85726)
@carlosdelest carlosdelest mentioned this pull request Apr 11, 2022
Merged
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Apr 11, 2022

💚 Backport successful

Status Branch Result
8.2

carlosdelest added a commit that referenced this pull request Apr 11, 2022
@carlosdelest
Add indices permissions to Enterprise Search service account (#85726) (
50f873a 
…#85770)
@wangch079 wangch079 mentioned this pull request Jul 22, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ywangd ywangd ywangd approved these changes

@ioanatia ioanatia ioanatia approved these changes

@jgr jgr Awaiting requested review from jgr

Assignees

No one assigned

Labels

auto-backport Automatically create backport pull requests when merged >enhancement external-contributor Pull request authored by a developer outside the Elasticsearch team :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v8.2.0 v8.3.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@carlosdelest @elasticmachine @elasticsearchmachine @ywangd @ioanatia