[Fleet] Custom permissions for connector package #192081
Conversation
x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
Outdated
Show resolved
Hide resolved
|
@elasticmachine merge upstream |
….com:jedrazb/kibana into support-elastic-connectors-agent-permissions
jedrazb
changed the title
jedrazb
added
release_note:skip
|
Pinging @elastic/fleet (Team:Fleet) |
| cluster: ['manage_connector'], | ||
| indices: [ | ||
| { | ||
| names: ['traces-*', 'logs-*', 'metrics-*'], |
There was a problem hiding this comment.
Not familiar with the connector but does it need to write to all of those logs, metrics, traces datastreams?
There was a problem hiding this comment.
The connector component doesn't need to write to those indices.
IIRC when I was testing locally, I think that I could only access the connector component logs in Fleet UI after adding this to permissions. So, I think it does need to write to logs-* at least (could I be wrong here?). I'm not sure about traces-* and metrics-* honestly.
There was a problem hiding this comment.
I think logs will be send by elastic-agent if monitoring is enabled for the agent policy, this how it works for other components, so unless there is a specific need I think we probably not need those permissions
There was a problem hiding this comment.
@nchaulet Actually after removing this bit we are no longer able to receive component-level logs, even with system logs + metrics collection enabled, I'm leaning towards adding:
{
names: ['logs-elastic_agent*'],
privileges: ['auto_configure', 'create_doc']
}
|
cc @seanstory |
x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
Outdated
Show resolved
Hide resolved
Co-authored-by: Artem Shelkovnikov <lavatroublebubble@gmail.com>
...k/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.test.ts
Outdated
Show resolved
Hide resolved
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]
History
To update your PR or re-run it, just comment with: |
## Summary Defines custom permissions for connector package. Note: Wait with merging until elastic/elasticsearch#112556 is merged ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios + tested e2e with local ES, fleet server and connectors package --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Sean Story <sean.j.story@gmail.com> Co-authored-by: Artem Shelkovnikov <lavatroublebubble@gmail.com> Co-authored-by: Artem Shelkovnikov <artem.shelkovnikov@elastic.co>
|
@seanstory can you check if this needs to be backported to 8.x? |
|
It does not |
## Summary Defines custom permissions for connector package. - adds `view_index_metadata` permission - adds permission to `logs-elastic_agent*` index in order to allow to collect component logs - see #192081 (comment) ### Checklist [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios tested e2e with local ES, fleet server and connectors package --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Summary
Defines custom permissions for connector package.
Note: Wait with merging until elastic/elasticsearch#112556 is merged
Checklist
Delete any items that are not applicable to this PR.