[Fleet] Add read privileges to profiling-* for symbolization support (#95596)

Victor Michel 2023-04-27 07:18:54 -07:00 committed by GitHub
parent 626db84fac
commit e752135f44
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 46 additions and 8 deletions


@ -0,0 +1,5 @@
pr: 95596
summary: "[Fleet] Add read privileges to profiling-* for symbolization support"
area: Authorization
type: bug
issues: []


@ -74,8 +74,7 @@ GET /_security/service/elastic/fleet-server
"metrics-*",
"traces-*",
".logs-endpoint.diagnostic.collection-*",
".logs-endpoint.action.responses-*",
"profiling-*"
".logs-endpoint.action.responses-*"
],
"privileges": [
"write",
@ -84,6 +83,17 @@ GET /_security/service/elastic/fleet-server
],
"allow_restricted_indices": false
},
{
"names": [
"profiling-*"
],
"privileges": [
"read",
"write",
"auto_configure"
],
"allow_restricted_indices": false
},
{
"names" : [
"traces-apm.sampled-*"


@ -93,8 +93,7 @@ public class ServiceAccountIT extends ESRestTestCase {
"metrics-*",
"traces-*",
".logs-endpoint.diagnostic.collection-*",
".logs-endpoint.action.responses-*",
"profiling-*"
".logs-endpoint.action.responses-*"
],
"privileges": [
"write",
@ -103,6 +102,17 @@ public class ServiceAccountIT extends ESRestTestCase {
],
"allow_restricted_indices": false
},
{
"names": [
"profiling-*"
],
"privileges": [
"read",
"write",
"auto_configure"
],
"allow_restricted_indices": false
},
{
"names": [
"traces-apm.sampled-*"


@ -69,11 +69,11 @@ final class ElasticServiceAccounts {
"metrics-*",
"traces-*",
".logs-endpoint.diagnostic.collection-*",
".logs-endpoint.action.responses-*",
"profiling-*"
".logs-endpoint.action.responses-*"
)
.privileges("write", "create_index", "auto_configure")
.build(),
RoleDescriptor.IndicesPrivileges.builder().indices("profiling-*").privileges("read", "write", "auto_configure").build(),
RoleDescriptor.IndicesPrivileges.builder()
// APM Server (and hence Fleet Server, which issues its API Keys) needs additional privileges
// for the non-sensitive "sampled traces" data stream:


@ -192,8 +192,7 @@ public class ElasticServiceAccountsTests extends ESTestCase {
"metrics-" + randomAlphaOfLengthBetween(1, 20),
"traces-" + randomAlphaOfLengthBetween(1, 20),
".logs-endpoint.diagnostic.collection-" + randomAlphaOfLengthBetween(1, 20),
".logs-endpoint.action.responses-" + randomAlphaOfLengthBetween(1, 20),
"profiling-" + randomAlphaOfLengthBetween(1, 20)
".logs-endpoint.action.responses-" + randomAlphaOfLengthBetween(1, 20)
).stream().map(this::mockIndexAbstraction).forEach(index -> {
assertThat(role.indices().allowedIndicesMatcher(AutoPutMappingAction.NAME).test(index), is(true));
assertThat(role.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(index), is(true));
@ -209,6 +208,20 @@ public class ElasticServiceAccountsTests extends ESTestCase {
assertThat(role.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(false));
});
final IndexAbstraction profilingIndex = mockIndexAbstraction("profiling-" + randomAlphaOfLengthBetween(1, 20));
assertThat(role.indices().allowedIndicesMatcher(AutoPutMappingAction.NAME).test(profilingIndex), is(true));
assertThat(role.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(profilingIndex), is(true));
assertThat(role.indices().allowedIndicesMatcher(DeleteAction.NAME).test(profilingIndex), is(true));
assertThat(role.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(profilingIndex), is(false));
assertThat(role.indices().allowedIndicesMatcher(IndexAction.NAME).test(profilingIndex), is(true));
assertThat(role.indices().allowedIndicesMatcher(BulkAction.NAME).test(profilingIndex), is(true));
assertThat(role.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(profilingIndex), is(false));
assertThat(role.indices().allowedIndicesMatcher(GetAction.NAME).test(profilingIndex), is(true));
assertThat(role.indices().allowedIndicesMatcher(MultiGetAction.NAME).test(profilingIndex), is(true));
assertThat(role.indices().allowedIndicesMatcher(SearchAction.NAME).test(profilingIndex), is(true));
assertThat(role.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(profilingIndex), is(true));
assertThat(role.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(profilingIndex), is(false));
List.of("synthetics-" + randomAlphaOfLengthBetween(1, 20)).stream().map(this::mockIndexAbstraction).forEach(index -> {
assertThat(role.indices().allowedIndicesMatcher(AutoPutMappingAction.NAME).test(index), is(true));
assertThat(role.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(index), is(true));