Add read privileges for observability-annotations for apm_user #58530

Merged
merged 2 commits into from
Jun 30, 2020


dgieselaar
Member

Closes elastic/kibana#69642. See also elastic/kibana#69881.

In elastic/kibana#64796, we added support for annotations (and a public API to create them) in the APM UI. Annotations are stored (by default, but configurable) in observability-annotations. We've documented that users need access to the observability-annotations index to create annotations via the API, but neglected to do so for using the UI.

To ensure a great out-of-the-box experience we'd like to add read privileges for this index by default.
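An added example, not part of this pull request or of Elasticsearch's code: a small audit that takes role definitions in the JSON shape of a role listing and reports, for each custom role, whether it can read the `observability-annotations` index and whether it holds more than read there. The role names and definitions are constructed; it assumes only `read` and `all` grant read access and does not evaluate `/regex/` index patterns.

```python
import re

# Added example; the role names and definitions below are constructed samples.
ANNOTATIONS_INDEX = "observability-annotations"  # default index named in the PR description
READ_ONLY = {"read", "view_index_metadata"}      # privileges treated as non-mutating here

def pattern_matches(pattern, index):
    """Match an index-name pattern that uses only the * and ? wildcards."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        # /regex/ patterns are not evaluated here; fail loudly instead of guessing.
        raise ValueError(f"regex index pattern needs manual review: {pattern}")
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, index) is not None

def privileges_on(role, index=ANNOTATIONS_INDEX):
    """Union of the index privileges a role definition grants on `index`."""
    granted = set()
    for entry in role.get("indices", []):
        if any(pattern_matches(p, index) for p in entry.get("names", [])):
            granted.update(entry.get("privileges", []))
    return granted

def audit(roles, index=ANNOTATIONS_INDEX):
    """Classify each role as 'no-read', 'read-only' or 'broader-than-read'."""
    report = {}
    for name, role in roles.items():
        privs = privileges_on(role, index)
        if not privs & {"read", "all"}:
            report[name] = "no-read"            # cannot read the annotations index
        elif privs <= READ_ONLY:
            report[name] = "read-only"          # the least-privilege grant
        else:
            report[name] = "broader-than-read"  # review: more than viewing needs
    return report

SAMPLE_ROLES = {  # constructed, shaped like a role-listing response body
    "viewer_before": {"indices": [{"names": ["apm-*"], "privileges": ["read"]}]},
    "viewer_after": {"indices": [
        {"names": ["apm-*"], "privileges": ["read"]},
        {"names": [ANNOTATIONS_INDEX], "privileges": ["read"]}]},
    "obs_admin": {"indices": [{"names": ["observability-*"], "privileges": ["all"]}]},
}

if __name__ == "__main__":
    for role_name, verdict in audit(SAMPLE_ROLES).items():
        print(f"{role_name}: {verdict}")
```
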

@sorenlouv
Member

Lgtm but you'll need someone from the ES side to 👍 this too.

@dgieselaar dgieselaar requested a review from a team June 26, 2020 08:48
Contributor

@tvernum tvernum left a comment


I'm happy with the intent of the change, but we need to also update ReservedRolesStoreTests.testAPMUserRole to reflect the change.

@dgieselaar
Member Author

@tvernum I've added a test - LMK if that's good enough.

Contributor

@tvernum tvernum left a comment


LGTM

@tvernum tvernum added :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) >enhancement v7.9.0 v8.0.0 labels Jun 30, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Authentication)

@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jun 30, 2020
@tvernum
Contributor

tvernum commented Jun 30, 2020

@dgieselaar I added labels, including version labels. Can you confirm that they reflect the releases you intend to target?

@tvernum tvernum added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC and removed :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Jun 30, 2020
@dgieselaar
Member Author

@tvernum we'd also like to get this in for 7.8.1, is that possible?

@tvernum tvernum added the v7.8.1 label Jun 30, 2020
@tvernum
Contributor

tvernum commented Jun 30, 2020

That's fine. I've updated the labels.

@dgieselaar
Member Author

thanks @tvernum! Ok for me to merge & backport?

@tvernum
Contributor

tvernum commented Jun 30, 2020

Yes, go ahead.

@dgieselaar dgieselaar changed the title Add read privileges for observability-annotations index for apm_user role Add read privileges for observability-annotations for apm_user Jun 30, 2020
@dgieselaar dgieselaar merged commit ea39a47 into elastic:master Jun 30, 2020
@dgieselaar dgieselaar deleted the add-annotation-index-privileges branch June 30, 2020 20:46
dgieselaar added a commit to dgieselaar/elasticsearch that referenced this pull request Jun 30, 2020
dgieselaar added a commit that referenced this pull request Jul 1, 2020
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Labels
>enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v7.8.1 v7.9.0 v8.0.0-alpha1
Successfully merging this pull request may close these issues.

apm_user role has no access to observability-annotations index
5 participants