Skip to content

Commit

Permalink
Granting kibana_system reserved role access to all privileges to .int…
Browse files Browse the repository at this point in the history
…ernal.alerts* (#76624) (#76635)

**Parent ticket:** elastic/kibana#101016
**Related to:** #72181

## Summary

Similar to the previous PR (#72181), we'd like to add privileges to a new set of indices to the `kibana_system` role.

The reason for that is we need to have different naming schemes for alerts-as-data index aliases and backing indices pointing to these aliases, which in turn is needed to support backwards compatibility, migrations and reindexing in the future.

We didn't want to prefix the backing indices with `.kibana-`, so we're adding a new `.internal.alerts` prefix. Prefixing with `.kibana-` would make them system indices, which means they would not be supposed to be read by end users, which is not what we want.

`.internal` could become a universal prefix for hidden Kibana indices, but at this point I don't feel confident enough to generalise prematurely.

Co-authored-by: Georgii Gorbachev <banderror@gmail.com>
  • Loading branch information
spong and banderror authored Aug 18, 2021
1 parent 608aced commit 46529f0
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 10 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,9 @@
import java.util.stream.Collectors;

public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>> {
public static final String LEGACY_ALERTS_INDEX = ".siem-signals*";
public static final String ALERTS_INDEX = ".alerts*";
public static final String ALERTS_LEGACY_INDEX = ".siem-signals*";
public static final String ALERTS_BACKING_INDEX = ".internal.alerts*";
public static final String ALERTS_INDEX_ALIAS = ".alerts*";

public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor("superuser",
new String[] { "all" },
Expand Down Expand Up @@ -422,15 +423,20 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
RoleDescriptor.IndicesPrivileges.builder()
.indices(".fleet*")
.privileges("all").build(),
// Legacy "Alerts as data" index. Kibana user will create this index.
// Kibana user will read / write to these indices
// Legacy "Alerts as data" used in Security Solution.
// Kibana user creates these indices; reads / writes to them.
RoleDescriptor.IndicesPrivileges.builder()
.indices(ReservedRolesStore.LEGACY_ALERTS_INDEX)
.indices(ReservedRolesStore.ALERTS_LEGACY_INDEX)
.privileges("all").build(),
// "Alerts as data" index. Kibana user will create this index.
// Kibana user will read / write to these indices
// "Alerts as data" internal backing indices used in Security Solution, Observability, etc.
// Kibana system user creates these indices; reads / writes to them via the aliases (see below).
RoleDescriptor.IndicesPrivileges.builder()
.indices(ReservedRolesStore.ALERTS_INDEX)
.indices(ReservedRolesStore.ALERTS_BACKING_INDEX)
.privileges("all").build(),
// "Alerts as data" public index aliases used in Security Solution, Observability, etc.
// Kibana system user uses them to read / write alerts.
RoleDescriptor.IndicesPrivileges.builder()
.indices(ReservedRolesStore.ALERTS_INDEX_ALIAS)
.privileges("all").build(),
// Endpoint / Fleet policy responses. Kibana requires read access to send telemetry
RoleDescriptor.IndicesPrivileges.builder()
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -404,8 +404,9 @@ public void testKibanaSystemRole() {
".reporting-" + randomAlphaOfLength(randomIntBetween(0, 13)),
".apm-agent-configuration",
".apm-custom-link",
ReservedRolesStore.LEGACY_ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13))
ReservedRolesStore.ALERTS_LEGACY_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13))
).forEach((index) -> {
logger.info("index name [{}]", index);
assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(true));
Expand Down

0 comments on commit 46529f0

Please sign in to comment.