From bfbdc1923e96b0bec53fbf86225f49b082c56c92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=B8ren=20Louv-Jansen?= Date: Tue, 6 Dec 2022 14:44:52 +0100 Subject: [PATCH 1/4] Update `kibana_system` privileges with access o `.apm-source-map`
--- .../xpack/core/security/authz/store/ReservedRolesStore.java | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index e77d29e4e10bc..c15f2cbd4090e 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -706,6 +706,12 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
 .privileges("all")
 .allowRestrictedIndices(true)
 .build(),
+ // APM source map index creation - system index defined in KibanaPlugin
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(".apm-source-map")
+ .privileges("all")
+ .allowRestrictedIndices(true)
+ .build(),
 // APM telemetry queries APM indices in kibana task runner
 RoleDescriptor.IndicesPrivileges.builder().indices("apm-*").privileges("read", "read_cross_cluster").build(),
 RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm.*").privileges("read", "read_cross_cluster").build(),
From 3601c43ee6006e4a158770044fd4530fbfe57b7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=B8ren=20Louv-Jansen?= Date: Tue, 6 Dec 2022 15:07:45 +0100 Subject: [PATCH 2/4] Update ReservedRolesStore.java
--- .../authz/store/ReservedRolesStore.java | 23 +++++++------------ 1 file changed, 8 insertions(+), 15 deletions(-)
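Review bot: The new `.apm-source-map` entry grants `kibana_system` the `all` privilege together with `allowRestrictedIndices(true)`, the broadest index grant this builder can express, and the one-line comment above it does not record why that breadth is needed, so a later reader cannot tell an intentional system-index grant from an over-grant. I would extend the comment to carry the reason, e.g. `// APM source map index - system index defined in KibanaPlugin; "all" + allowRestrictedIndices(true) are needed for Kibana to create and manage it, matching the other APM system indices above`. The grant uses an exact index name rather than a wildcard, so any suffixed or versioned variant of the index would fall outside it; that is presumably intentional but worth confirming against the KibanaPlugin definition. The enclosing `kibanaSystemRoleDescriptor` method starts and ends outside the hunk.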
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index c15f2cbd4090e..d0d08ed7cdf1c 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java 
@@ -694,30 +694,23 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) { .indices(".ml-annotations*", ".ml-notifications*") .privileges("read", "write") .build(), + // APM agent configuration - system index defined in KibanaPlugin - RoleDescriptor.IndicesPrivileges.builder() - .indices(".apm-agent-configuration") - .privileges("all") - .allowRestrictedIndices(true) - .build(), + RoleDescriptor.IndicesPrivileges.builder().indices(".apm-agent-configuration").privileges("all").allowRestrictedIndices(true).build(), + // APM custom link index creation - system index defined in KibanaPlugin - RoleDescriptor.IndicesPrivileges.builder() - .indices(".apm-custom-link") - .privileges("all") - .allowRestrictedIndices(true) - .build(), + RoleDescriptor.IndicesPrivileges.builder().indices(".apm-custom-link").privileges("all").allowRestrictedIndices(true).build(), + // APM source map index creation - system index defined in KibanaPlugin - RoleDescriptor.IndicesPrivileges.builder() - .indices(".apm-source-map") - .privileges("all") - .allowRestrictedIndices(true) - .build(), + RoleDescriptor.IndicesPrivileges.builder().indices(".apm-source-map").privileges("all").allowRestrictedIndices(true).build(), + // APM telemetry queries APM indices in kibana task runner RoleDescriptor.IndicesPrivileges.builder().indices("apm-*").privileges("read", "read_cross_cluster").build(), RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm.*").privileges("read", "read_cross_cluster").build(), RoleDescriptor.IndicesPrivileges.builder().indices("metrics-apm.*").privileges("read", "read_cross_cluster").build(), RoleDescriptor.IndicesPrivileges.builder().indices("traces-apm.*").privileges("read", "read_cross_cluster").build(), RoleDescriptor.IndicesPrivileges.builder().indices("traces-apm-*").privileges("read", "read_cross_cluster").build(), + // Data telemetry reads mappings, metadata and stats of indices 
RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("view_index_metadata", "monitor").build(),
 // Endpoint diagnostic information. Kibana reads from these indices to send telemetry
From 3433f5905c9143a9bed72d28d2ee7b41987f0622 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=B8ren=20Louv-Jansen?= Date: Wed, 7 Dec 2022 08:59:38 +0100 Subject: [PATCH 3/4] Add test
--- .../xpack/core/security/authz/store/ReservedRolesStoreTests.java | 1 + 1 file changed, 1 insertion(+)
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index de368f5b72168..71554880cd8ca 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -565,6 +565,7 @@ public void testKibanaSystemRole() {
 ".reporting-" + randomAlphaOfLength(randomIntBetween(0, 13)),
 ".apm-agent-configuration",
 ".apm-custom-link",
+ ".apm-source-map",
 ReservedRolesStore.ALERTS_LEGACY_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
From 42ef102544fdff8b4fc31fdc8d5a38606b5ea851 Mon Sep 17 00:00:00 2001 From: Tim Vernum Date: Thu, 8 Dec 2022 16:25:02 +1100 Subject: [PATCH 4/4] Reformat source (spotlessApply)
--- .../authz/store/ReservedRolesStore.java | 30 +++++++++++++------ 1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index d0d08ed7cdf1c..d8889003f3661 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java 
@@ -694,23 +694,35 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) { .indices(".ml-annotations*", ".ml-notifications*") .privileges("read", "write") .build(), - + // APM agent configuration - system index defined in KibanaPlugin - RoleDescriptor.IndicesPrivileges.builder().indices(".apm-agent-configuration").privileges("all").allowRestrictedIndices(true).build(), - + RoleDescriptor.IndicesPrivileges.builder() + .indices(".apm-agent-configuration") + .privileges("all") + .allowRestrictedIndices(true) + .build(), + // APM custom link index creation - system index defined in KibanaPlugin - RoleDescriptor.IndicesPrivileges.builder().indices(".apm-custom-link").privileges("all").allowRestrictedIndices(true).build(), - - // APM source map index creation - system index defined in KibanaPlugin - RoleDescriptor.IndicesPrivileges.builder().indices(".apm-source-map").privileges("all").allowRestrictedIndices(true).build(), - + RoleDescriptor.IndicesPrivileges.builder() + .indices(".apm-custom-link") + .privileges("all") + .allowRestrictedIndices(true) + .build(), + + // APM source map index creation - system index defined in KibanaPlugin + RoleDescriptor.IndicesPrivileges.builder() + .indices(".apm-source-map") + .privileges("all") + .allowRestrictedIndices(true) + .build(), + // APM telemetry queries APM indices in kibana task runner RoleDescriptor.IndicesPrivileges.builder().indices("apm-*").privileges("read", "read_cross_cluster").build(), RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm.*").privileges("read", "read_cross_cluster").build(), RoleDescriptor.IndicesPrivileges.builder().indices("metrics-apm.*").privileges("read", "read_cross_cluster").build(), RoleDescriptor.IndicesPrivileges.builder().indices("traces-apm.*").privileges("read", "read_cross_cluster").build(), RoleDescriptor.IndicesPrivileges.builder().indices("traces-apm-*").privileges("read", "read_cross_cluster").build(), - + // Data telemetry reads mappings, metadata and 
stats of indices
 RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("view_index_metadata", "monitor").build(),
 // Endpoint diagnostic information. Kibana reads from these indices to send telemetry