Commit graph

48 commits

Author SHA1 Message Date
Orestis Floros
3c184b912c
Permissions required for stateful agentless integrations (#118644)
Closes elastic/security-team#11102
Closes elastic/security-team#11104

This allows agentless integrations (via elastic/beats#41446, elastic/kibana#203810) to write to agentless-* indices. Each index is created on-demand by the filebeat client and kibana conditionally extends the API key permissions to allow writing to the index.
2025-01-10 16:30:11 +00:00
Lisa Cawley
8a821f0a96
[DOCS] More links to new API site (#119380)
2024-12-31 12:02:59 -08:00
Jake Landis
b7167b73e3
Docs for monitor_stats privilege (#116533)
This commit adds docs for monitor_stats and updates an example snippet to include both remote_indices and remote_cluster.
2024-11-12 09:13:37 -06:00
Johannes Fredén
bfb30d2e72
[DOCS] Remove tech preview from bulk create/update/delete roles (#116601)
Mark bulk create/update/delete roles GA in 9.0 and 8.17
2024-11-12 18:42:34 +11:00
Jake Landis
af99654dac
Add a monitor_stats privilege and allow that privilege for remote cluster privileges (#114964)
This commit does the following:
   * Add a new monitor_stats privilege
   * Ensure that monitor_stats can be set in the remote_cluster privileges
   * Gives Kibana the ability to remotely call monitor_stats via RCS 2.0

Since this is the first case where there is more than 1 remote_cluster privilege,
the following framework concern has been added:
    * Ensure that when sending to older RCS 2.0 clusters we don't send the new privilege;
        previously only all-or-nothing remote_cluster blocks were supported
    * Ensure that when sending API key role descriptors that contain remote_cluster,
       we don't send the new privileges for RCS 1.0/2.0 if it is not new enough
    * Fix and extend the BWC tests for RCS 1.0 and RCS 2.0
2024-11-08 11:59:32 -06:00
Jake Landis
e27c90969c
Fix missing remote_cluster docs (#116366)
Documentation for the remote_cluster in the role was added
in #111682 and #108840, but a few places were missed.
This commit fills the gaps in the documentation.
2024-11-07 13:43:50 -06:00
Jedr Blaszyk
ce79fa4847
Add view_index_metadata connector permission for fleet-server account (#113262)
* Add view_index_metadata to fleet-server for elastic_connectors package

* Fix typo
2024-09-23 10:19:00 +02:00
Jedr Blaszyk
b0b9b1f807
Add connector permissions to fleet server service account (#112556)
* Add connector permissions to fleet server service account

* [Security] Add permissions to manage connectors for fleet-server service account

* Fix tests

* Fix tests

* Fix typo again (tm)

* switch to connector/* vs manage_connectors

@jakelandis pointed out that we don't need connector secrets, which is the only difference between these two. We don't have a pretty name for the narrower permissions, but we don't need one here.

Co-authored-by: Artem Shelkovnikov <lavatroublebubble@gmail.com>

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Sean Story <sean.j.story@gmail.com>
Co-authored-by: Artem Shelkovnikov <lavatroublebubble@gmail.com>
2024-09-17 15:35:45 -05:00
Mary Gouseti
9185056efe
Clean up global retention from the cluster state and obsolete transport actions (#111636)
In this PR we remove unused code, including code relating to the global data retention APIs implementation:

- The transport action for updating, deleting and retrieving the global retention.
- The `DataStreamGlobalRetention` from the cluster state (this should be bwc safe because we never exposed the APIs to add a data stream lifecycle to the cluster state).
- Make the unused privileges for monitoring and managing global retention a noop.
- Remove cluster state update tasks.

We kept `DataStreamGlobalRetentionResolver`, considering it could hold and provide the global retention from the settings when we implement it. We just renamed it to DataStreamGlobalRetentionProvider for now to better match what it does.

The factory retention settings should still work after this change.
2024-08-08 09:52:35 +03:00
Albert Zaharovits
747fa59a2c
DOCS Query Roles (#110473)
These are the docs changes in relation to
https://github.com/elastic/elasticsearch/pull/108733
2024-07-05 19:46:48 +10:00
George Wallace
b6e9860919
Update role-mapping-resources.asciidoc (#110441)
made it clear that some characters need to be escaped properly

Co-authored-by: Jan Doberstein <jan.doberstein@elastic.co>
2024-07-03 13:00:52 -06:00
Johannes Fredén
89cd966b24
Add bulk delete roles API (#110383)
* Add bulk delete roles API
2024-07-03 11:04:53 +02:00
Johannes Fredén
55476041d9
Add BulkPutRoles API (#109339)
* Add BulkPutRoles API
2024-07-02 15:45:39 +02:00
Jedr Blaszyk
3b827f6a8c
Create manage_connector privilege (#110128)
* Create manage_search_connector privilege

* `manage_search_connector` -> `manage_connector` and exclude connector secrets patterns from this privilege

* Add `monitor_connector` privilege

* Update Kibana system privilege to monitor_connector for telemetry

* Rename privilege to 'manage_connector_state'

Since privilege names are often namespaced and used with globs, we want to ensure that if there's a future privilege like `manage_connector_secrets`, it is not implicitly included in this new privilege's <name>*. By extending the privilege name to include "_state", we better namespace this distinct from any "_secrets" namespace.

* Revert "Rename privilege to 'manage_connector_state'"

This reverts commit 70b89eee76.
After further discussion with the security team, this name change is not needed after all
since the secret management privileges aren't currently prefixed with "manage_"

---------

Co-authored-by: Sean Story <sean.j.story@gmail.com>
2024-07-01 12:41:28 -05:00
Nikolaj Volgushev
78c812f845
Fix security index settings docs (#110126)
Docs tweak with a typo fix and a clarification on how the two available
settings interact (essentially
https://github.com/elastic/elasticsearch/issues/27871). I'm also open to
including this info in the more generic settings API but feels like a
simple enough callout to add to the security API.
2024-07-01 18:07:15 +10:00
Albert Zaharovits
0e4888bdec
Refactor field name translator of query endpoints for security entities (#109559)
This is a refactoring of the internal logic that's used to translate
query-level into index-level field names for query APIs for
security entities (i.e. users, API Keys, and soon, roles).
The objective here is to have and reuse a single class to handle
all the translations for different security query APIs.
2024-06-13 14:12:19 +03:00
Jake Landis
7504fed0b3
remote_cluster role documentation and expose to built in privs API (#108840)
This commit introduces the documentation for remote_clusters which is used to help
express the monitor_enrich privilege needed to use the ENRICH keyword across clusters
when using the API key based CCS security model.

This commit also adds "remote_clusters" to the built in privs API for easier consumption
in Kibana.
2024-05-28 13:51:21 -05:00
Jake Landis
ff92296217
[docs] Prevent DLS/FLS if replication is assigned (#108839)
This commit adds documentation for the DLS/FLS restriction for RCS 2.0 API keys
where both access and replication are defined and access has DLS/FLS.
This commit also fixes a few misleading variable names.
related: #108600
2024-05-22 12:05:34 -05:00
Slobodan Adamović
77ce60530c
[docs] Document new role description field (#108422)
This commit updates Role API docs to include new description field
(introduced in #107088) and adds descriptions for all built-in roles.
2024-05-14 10:16:55 +02:00
Nikolaj Volgushev
31afff92f8
Invalidate cross cluster API key docs (#108297)
This PR documents privilege requirements for cross-cluster API key
invalidation, which were updated in
https://github.com/elastic/elasticsearch/pull/107411.
2024-05-06 10:02:14 -04:00
florent-leborgne
0c500e5264
Remove Beta label for RCS2.0 from 8.14 (#108030)
2024-05-02 15:43:21 +02:00
Liam Thompson
33a71e3289
[DOCS] Refactor book-scoped variables in docs/reference/index.asciidoc (#107413)
* Remove `es-test-dir` book-scoped variable

* Remove `plugins-examples-dir` book-scoped variable

* Remove `:dependencies-dir:` and `:xes-repo-dir:` book-scoped variables

- In `index.asciidoc`, two variables (`:dependencies-dir:` and `:xes-repo-dir:`) were removed.
- In `sql/index.asciidoc`, the `:sql-tests:` path was updated to fuller path
- In `esql/index.asciidoc`, the `:esql-tests:` path was updated idem

* Replace `es-repo-dir` with `es-ref-dir`

* Move `:include-xpack: true` to few files that use it, remove from index.asciidoc
2024-04-17 14:37:07 +02:00
Albert Zaharovits
36bcb6b398
Query API Keys support for both aggs and aggregations keywords (#107054)
The Query API Key Information endpoint supports aggs since #104895.
But some lang clients actually use the `aggregations` keyword in requests,
as the preferred synonym to `aggs`.
This PR adds support for the `aggregations` request keyword as a synonym
for the existing `aggs` term.

Closes #106839
2024-04-03 18:33:14 +03:00
Albert Zaharovits
b4938e1645
Query API Key Information API support for the typed_keys request parameter (#106873)
The typed_keys request parameter is the canonical parameter,
that's also used in the regular index _search endpoint, in order to
return the types of aggregations in the response.
This is required by typed language clients of the _security/_query/api_key
endpoint that are using aggregations.

Closes #106817
2024-03-29 09:24:52 +02:00
Mary Gouseti
2122da31cd
[DSL] Introduce data stream global retention - Part 3 (#105682)
In this PR we introduce the API that will expose the global retention configuration and will allow users to take advantage of it.

These APIs are protected by the dedicated introduced privileges:

`manage_data_stream_global_retention` or higher, which allows all operations on the global retention configuration
`monitor_data_stream_retention` or higher, which allows the retrieval of the global retention configuration.

This PR is the final PR that makes the global retention available for our users.
2024-03-28 10:40:33 +02:00
Albert Zaharovits
3e0a0f6291
Get and Query API Key with profile uid (#106531)
Add new optional request option, `with_profile_uid`,
to the Get and Query API Key Information endpoints,
to return the API key owner users' profile uid.

Closes #98939
2024-03-28 10:26:22 +02:00
David Kyle
2087b65523
[ML] Create inference_user and inference_admin roles (#106371)
Defines new inference_user and inference_admin roles with the
related cluster privileges manage_inference and monitor_inference.
inference_user can list the models and perform inference,
inference_admin can do the same plus create and delete models
2024-03-20 11:15:21 +00:00
István Zoltán Szabó
2d4a49af53
[DOCS] Fixes get settings and update settings security API docs (#105686)
* [DOCS] Fixes get settings and update settings security API docs.

* [DOCS] Further edits.
2024-02-21 15:06:32 +01:00
Albert Zaharovits
065158e222
Expose owner realm_type in the returned API key information (#105629)
When querying or getting API key information, ES returns the key owner's
username and realm (i.e. the realm name that authenticated the username
that last updated the API key).
This PR adds the realm_type to the information on the key's owner.
2024-02-20 20:55:27 +02:00
Albert Zaharovits
6fec837e32
[Doc] API Key deletion settings (#105392)
This documents API Key delete settings.
2024-02-18 17:38:56 +02:00
Albert Zaharovits
b2e626e7df
Support Profile Activate with JWTs with client authn (#105439)
Adds support for JWTs with client authentication
to the activate user profile API.

Closes #105342
2024-02-18 17:37:28 +02:00
Albert Zaharovits
9ee76c6b26
Aggs support for Query API Key Information API (#104895)
Adds support for the aggs request body parameter to the Query API Key Information API.
This parameter works identically to the well known eponymous parameter of the _search endpoint,
but the set of allowed aggregation types as well as the field names allowed is restricted.
2024-02-12 14:22:34 +02:00
Johannes Fredén
334aa1bc8d
Add support for fetching user profileId in Query Users (#104923)
Add support for fetching user profileId in Query Users
2024-02-07 08:49:39 +01:00
Albert Zaharovits
111a69d15f
Support match for the Query API Key API (#104594)
This adds support for the `match` query type to the Query API key Information API.
Note that since string values associated to API Keys are mapped as `keywords`,
a `match` query with no analyzer parameter is effectively equivalent to a `term` query
for such fields (e.g. `name`, `username`, `realm_name`).

Relates: #101691
2024-01-30 19:09:08 +02:00
István Zoltán Szabó
79d6c3e70d
[DOCS] Adds get setting and update settings asciidoc files to security API index (#104916)
* [DOCS] Adds get setting and update settings asciidoc files to security API index.

* [DOCS] Fixes references in docs.
2024-01-30 15:39:34 +01:00
Johannes Fredén
666774a865
Add documentation for Query User API (#104255)
* Add documentation for Query User API

Co-authored-by: Nikolaj Volgushev <n1v0lg@users.noreply.github.com>
2024-01-30 11:27:24 +01:00
Navarone Feekery
bed59ba84f
[Enterprise Search] Add .connector-secrets system index (#104766)
- Introduce new internal system index called .connector-secrets
- Add GET and POST requests for connector secrets
- Add permission sets for read and write connector secrets
2024-01-26 11:20:32 +01:00
Navarone Feekery
05ea8c7a0f
Revert "[Enterprise Search] Add .connector-secrets system index and GET/POST requests (#103683)" (#104760)
This reverts commit b4345d9d91.
2024-01-25 14:33:33 +01:00
Navarone Feekery
b4345d9d91
[Enterprise Search] Add .connector-secrets system index and GET/POST requests (#103683)
- Introduce new internal system index called .connector-secrets
- Add GET and POST requests for connector secrets
- Create read_connector_secrets and write_connector_secrets role permissions
2024-01-25 13:56:07 +01:00
Albert Zaharovits
aeb2b77c3c
Add support for the simple_query_string to the Query API Key API (#104132)
This adds support for the simple_query_string query type to the Query API key Information API.
In addition, this also adds support for querying all the API Key metadata fields simultaneously,
rather than requiring each to be specified, such as metadata.x, metadata.y, etc.

Relates: #101691
2024-01-19 14:51:12 +02:00
Albert Zaharovits
f4aaa20f28
Add support for the type parameter to the Query API Key API (#103695)
This adds support for the type parameter to the Query API key API.
The type for an API Key can currently be either rest or cross_cluster.

Relates: #101691
2024-01-11 10:53:50 +02:00
Johannes Fredén
f6a305afd7
Add expiration time to update api key api (#103453)
* Add expiration time to update api key api
2024-01-04 10:31:42 +01:00
Johannes Fredén
6aad7f4e9f
Add support for invalidation timestamp in QueryApiKey (#102590)
This is a follow up PR from
https://github.com/elastic/elasticsearch/pull/102472. This adds the
ability to use `invalidation` timestamp as a valid [query
value](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-query-api-key.html#security-api-query-api-key-request-body)
in the QueryApiKey API.
2023-11-27 04:10:51 -05:00
Fabio Busatto
9f1875ee2c
[DOCS] Fix docs for user profiles (#102452)
* [DOCS] Fix docs for user profiles
2023-11-23 10:38:17 +01:00
Albert Zaharovits
bd10775b02
Grant API Key API with JWTs (#101904)
Introduces support for JWTs to the grant API Key API.
Callers can now pass in a JWT in the request, like:
POST /_security/api_key/grant
{
  "grant_type": "access_token",
  "access_token" : "some.signed.JWT",
  "client_authentication": { // optional
    "scheme": "SharedSecret",
    "value": "ES-Client-Authentication header value after scheme"
  }
}
The JWT will be authenticated by a backing JWT realm and
a new API Key will be returned for the authenticated user.
2023-11-21 14:11:08 +02:00
Daniel Mitterdorfer
a579504e11
Remove auto_configure privilege for profiling (#101026)
With this commit we remove the `auto_configure` privilege for the Fleet
service account that targets profiling-related indices. This privilege
was needed to automatically create indices and data streams in the past
but as this is managed by the Elasticsearch plugin, there is no need to
grant this privilege to Fleet-managed components.
2023-10-23 13:14:14 +02:00
Nhat Nguyen
ae17505557
Introduce authorization for enrich in ESQL (#99646)
This change introduces a new privilege monitor_enrich. Users are
required to have this privilege in order to use the enrich functionality
in ESQL. Additionally, it eliminates the need to use the enrich_origin
when executing enrich lookups. The enrich_origin will only be used when
resolving enrich policies to prevent warnings when accessing system
indices directly.

Closes #98482
2023-09-27 12:45:39 -07:00
James Rodewig
255c9a7f95
[DOCS] Move x-pack docs to docs/reference dir (#99209)
**Problem:**
For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`.

**Solution:**
- Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory
- Update doc snippet tests to use security

Rel: https://github.com/elastic/platform-docs-team/issues/208
2023-09-12 14:53:41 -04:00