Use kibana_system user for writing to Fleet system indices in Endpoint isolation (#120597) (#120794)

Co-authored-by: Josh Dover <1813008+joshdover@users.noreply.github.com>
This commit is contained in:
Kibana Machine 2021-12-08 13:49:34 -05:00 committed by GitHub
parent b200f7865a
commit 24b86085f8
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 17 deletions


@ -224,10 +224,10 @@ describe('Host Isolation', () => {
);
if (indexExists) {
ctx.core.elasticsearch.client.asInternalUser.index = mockIndexResponse;
ctx.core.elasticsearch.client.asCurrentUser.index = mockIndexResponse;
}
ctx.core.elasticsearch.client.asCurrentUser.index = mockIndexResponse;
ctx.core.elasticsearch.client.asInternalUser.index = mockIndexResponse;
ctx.core.elasticsearch.client.asCurrentUser.search = mockSearchResponse;
const withLicense = license ? license : Platinum;
@ -283,7 +283,7 @@ describe('Host Isolation', () => {
searchResponse: metadataResponse,
});
const actionDoc: EndpointAction = (
ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
).mock.calls[0][0].body;
expect(actionDoc.agents).toContain(AgentID);
});
@ -294,7 +294,7 @@ describe('Host Isolation', () => {
mockUser: testU,
});
const actionDoc: EndpointAction = (
ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
).mock.calls[0][0].body;
expect(actionDoc.user_id).toEqual(testU.username);
});
@ -304,7 +304,7 @@ describe('Host Isolation', () => {
body: { endpoint_ids: ['XYZ'], comment: CommentText },
});
const actionDoc: EndpointAction = (
ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
).mock.calls[0][0].body;
expect(actionDoc.data.comment).toEqual(CommentText);
});
@ -313,7 +313,7 @@ describe('Host Isolation', () => {
body: { endpoint_ids: ['XYZ'], comment: 'XYZ' },
});
const actionDoc: EndpointAction = (
ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
).mock.calls[0][0].body;
const actionID = actionDoc.action_id;
expect(mockResponse.ok).toBeCalled();
@ -326,7 +326,7 @@ describe('Host Isolation', () => {
body: { endpoint_ids: ['XYZ'] },
});
const actionDoc: EndpointAction = (
ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
).mock.calls[0][0].body;
expect(actionDoc.timeout).toEqual(300);
});
@ -339,7 +339,7 @@ describe('Host Isolation', () => {
searchResponse: doc,
});
const actionDoc: EndpointAction = (
ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
).mock.calls[0][0].body;
expect(actionDoc.agents).toContain(AgentID);
});
@ -349,7 +349,7 @@ describe('Host Isolation', () => {
body: { endpoint_ids: ['XYZ'] },
});
const actionDoc: EndpointAction = (
ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
).mock.calls[0][0].body;
expect(actionDoc.data.command).toEqual('isolate');
});
@ -358,7 +358,7 @@ describe('Host Isolation', () => {
body: { endpoint_ids: ['XYZ'] },
});
const actionDoc: EndpointAction = (
ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock
ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock
).mock.calls[0][0].body;
expect(actionDoc.data.command).toEqual('unisolate');
});
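Review bot: The setup in the first hunk (`-224,10`) still mocks `asCurrentUser.index` inside `if (indexExists)`, which looks like dead setup if, as the handler hunk in the second file suggests, the write now always goes through `asInternalUser`, and none of the eight `mock.calls[0][0].body` checks asserts that the current-user client is no longer used for the write. Since the action document is now indexed with the privileged internal user rather than the caller's credentials, a regression that silently falls back to `asCurrentUser`, or one that reaches this write without the request having been authorized upstream, would pass every assertion here. Consider adding `expect(ctx.core.elasticsearch.client.asCurrentUser.index).not.toBeCalled();` alongside the `actionDoc` assertions and dropping the conditional `asCurrentUser.index` mock if nothing reads it. This page does not mark which of the twice-printed lines is old and which is new, so this reads the `asInternalUser` variants as the new side; the enclosing `describe` and the first hunk's leading lines start outside what is shown.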


@ -203,13 +203,9 @@ export const isolationRequestHandler = function (
}
try {
let esClient = context.core.elasticsearch.client.asCurrentUser;
if (doesLogsEndpointActionsDsExist) {
// create action request record as system user with user in .fleet-actions
esClient = context.core.elasticsearch.client.asInternalUser;
}
// write as the current user if the new indices do not exist
// <v7.16 requires the current user to be super user
const esClient = context.core.elasticsearch.client.asInternalUser;
// write as the internal user if the new indices do not exist
// 8.0+ requires internal user to write to system indices
fleetActionIndexResult = await esClient.index<EndpointAction>({
index: AGENT_ACTIONS_INDEX,
body: {