github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-06-28 17:34:17 -04:00
Code Issues Projects Releases Packages Wiki Activity

Granting kibana_system reserved role access to "all" privileges to .adhoc.alerts* and .internal.adhoc.alerts* indices (#127321)

Browse source 
* Granting `kibana_system` reserved role access to "all" privileges to `.adhoc.alerts*` and `.internal.adhoc.alerts*` indices

* Update docs/changelog/127321.yaml

* [CI] Auto commit changes from spotless

* Replace `"all"` with the specific privileges for the `kibana_system` role

* Fix tests

* Fix CI

* Updated privileges

* Updated privileges

Add `"maintenance"` to allow `refresh=true` option on bulk API call.

* Remove redundant code

---------

Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
This commit is contained in:
Ievgen Sorokopud 2025-06-03 15:37:52 +02:00 committed by GitHub
parent 38fb46d366
commit 550cddf5ee
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 60 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
docs/changelog/127321.yaml Normal file
View file

@ -0,0 +1,6 @@
pr: 127321
summary: Granting `kibana_system` reserved role access to "all" privileges to `.adhoc.alerts*`
and `.internal.adhoc.alerts*` indices
area: Authorization
type: enhancement
issues: []

17
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
View file

@ -265,6 +265,23 @@ class KibanaOwnedReservedRoleDescriptors {
RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_INDEX_ALIAS).privileges("all").build(), RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_INDEX_ALIAS).privileges("all").build(),
// "Alerts as data" public index alias used in Security Solution // "Alerts as data" public index alias used in Security Solution
// Kibana system user uses them to read / write alerts. // Kibana system user uses them to read / write alerts.
RoleDescriptor.IndicesPrivileges.builder()
.indices(ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX, ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS)
.privileges(
"create_index",
"read",
"write",
"view_index_metadata",
"maintenance",
RolloverAction.NAME,
TransportIndicesAliasesAction.NAME,
TransportPutMappingAction.TYPE.name(),
TransportAutoPutMappingAction.TYPE.name(),
TransportUpdateSettingsAction.TYPE.name()
)
.build(),
// "Alerts as data" public index alias used in Security Solution
// Kibana system user uses them to read / write alerts.
RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS).privileges("all").build(), RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS).privileges("all").build(),
// "Alerts as data" internal backing indices used in Security Solution // "Alerts as data" internal backing indices used in Security Solution
// Kibana system user creates these indices; reads / writes to them via the // Kibana system user creates these indices; reads / writes to them via the

14
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
View file

@ -59,6 +59,10 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
public static final String PREVIEW_ALERTS_BACKING_INDEX = ".internal.preview.alerts*"; public static final String PREVIEW_ALERTS_BACKING_INDEX = ".internal.preview.alerts*";
public static final String PREVIEW_ALERTS_BACKING_INDEX_REINDEXED = ".reindexed-v8-internal.preview.alerts*"; public static final String PREVIEW_ALERTS_BACKING_INDEX_REINDEXED = ".reindexed-v8-internal.preview.alerts*";
/** "Attack Discovery" ad-hoc alerts index */
public static final String ADHOC_ALERTS_INDEX_ALIAS = ".adhoc.alerts*";
public static final String ADHOC_ALERTS_BACKING_INDEX = ".internal.adhoc.alerts*";
/** "Security Solutions" only lists index for value lists for detections */ /** "Security Solutions" only lists index for value lists for detections */
public static final String LISTS_INDEX = ".lists-*"; public static final String LISTS_INDEX = ".lists-*";
public static final String LISTS_INDEX_REINDEXED_V8 = ".reindexed-v8-lists-*"; public static final String LISTS_INDEX_REINDEXED_V8 = ".reindexed-v8-lists-*";
@ -782,7 +786,11 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
.build(), .build(),
// Alerts-as-data // Alerts-as-data
RoleDescriptor.IndicesPrivileges.builder() RoleDescriptor.IndicesPrivileges.builder()
.indices(ReservedRolesStore.ALERTS_INDEX_ALIAS, ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS) .indices(
ReservedRolesStore.ALERTS_INDEX_ALIAS,
ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS,
ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS
)
.privileges("read", "view_index_metadata") .privileges("read", "view_index_metadata")
.build(), .build(),
// Universal Profiling // Universal Profiling
@ -846,7 +854,9 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
ReservedRolesStore.ALERTS_INDEX_ALIAS, ReservedRolesStore.ALERTS_INDEX_ALIAS,
ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX, ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX,
ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_REINDEXED, ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_REINDEXED,
ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS,
ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX,
ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS
) )
.privileges("read", "view_index_metadata", "write", "maintenance") .privileges("read", "view_index_metadata", "write", "maintenance")
.build(), .build(),

25
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
View file

@ -624,6 +624,31 @@ public class ReservedRolesStoreTests extends ESTestCase {
".slo-observability." + randomAlphaOfLength(randomIntBetween(0, 13)) ".slo-observability." + randomAlphaOfLength(randomIntBetween(0, 13))
).forEach(index -> assertAllIndicesAccessAllowed(kibanaRole, index)); ).forEach(index -> assertAllIndicesAccessAllowed(kibanaRole, index));
Arrays.asList(
ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13))
).forEach(index -> {
final IndexAbstraction indexAbstraction = mockIndexAbstraction(index);
assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportCreateIndexAction.TYPE.name()).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportIndicesAliasesAction.NAME).test(indexAbstraction), is(true));
assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportPutMappingAction.TYPE.name()).test(indexAbstraction), is(true));
assertThat(
kibanaRole.indices().allowedIndicesMatcher(TransportAutoPutMappingAction.TYPE.name()).test(indexAbstraction),
is(true)
);
assertThat(
kibanaRole.indices().allowedIndicesMatcher(TransportUpdateSettingsAction.TYPE.name()).test(indexAbstraction),
is(true)
);
// Check view_index_metadata privilege
assertViewIndexMetadata(kibanaRole, index);
// Check read, write and maintenance privileges
assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(kibanaRole, index + randomIntBetween(0, 5));
});
// read-only index access, including cross cluster // read-only index access, including cross cluster
Arrays.asList(".monitoring-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((index) -> { Arrays.asList(".monitoring-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((index) -> {
logger.info("index name [{}]", index); logger.info("index name [{}]", index);