Add apm_user reserved role #38206
@bmorelli25 This change will create a dedicated APM role in 7.0. This means that we'll need to update our docs to instruct people to use this role, as opposed to creating their own. Can you update the docs accordingly? @kobelb has offered to walk you through the changes if needed
Can the apm user also have read access to
It definitely can be changed to do so, which version are you hoping to begin taking advantage of this?
Will do Rasmus! @kobelb - a quick walkthrough would definitely be appreciated. Can you throw something on my calendar for anytime this week (preferably not today)?
@@ -132,6 +132,10 @@ | |||
new String[] { "monitor", MonitoringBulkAction.NAME}, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) | |||
.put(UsernamesField.APM_ROLE, new RoleDescriptor(UsernamesField.APM_ROLE, | |||
new String[] { "monitor", MonitoringBulkAction.NAME}, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) | |||
.put("apm_user", new RoleDescriptor("apm_user", | |||
null, new RoleDescriptor.IndicesPrivileges[] { | |||
RoleDescriptor.IndicesPrivileges.builder().indices("apm-*").privileges("read", "view_index_metadata").build() |
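Review bot: the new entry spells the role name as the string literal "apm_user" twice (map key and RoleDescriptor constructor), while the entry directly above it uses the UsernamesField.APM_ROLE constant for both. Please introduce a constant for the new name so the two occurrences cannot drift apart and the block stays consistent. Separately, the "apm-*" pattern grants read and view_index_metadata on any index whose name starts with apm-, so a short comment stating that this prefix is reserved for APM data would make the intended scope of the role explicit.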
Users with Platinum also need access to ML anomaly indices .ml-anomalies*
(I see now that @graphaelli already pointed this out)
Yes, that's the only index we query outside of
asap :) We've been reading from
RoleDescriptor.IndicesPrivileges.builder().indices("apm-*") | ||
.privileges("read", "view_index_metadata").build(), | ||
RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*") | ||
.privileges("view_index_metadata", "read").build(), |
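Review bot: the ".ml-anomalies*" entry grants read on every index under that prefix, which is wider than the APM-scoped "apm-*" entry above it. Please add a comment explaining why the whole pattern is required, or narrow it if the APM-related anomaly results can be isolated by name, so the least-privilege reasoning for a reserved role is visible in the code. As a style point, the privilege order differs between the two entries ("read", "view_index_metadata" versus "view_index_metadata", "read"); using the same order in both makes them easier to compare.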
🙇
* master:
  Mute failing API key integration test (elastic#38409)
  Change the milliseconds precision to 3 digits for intervals. (elastic#38297)
  SecuritySettingsSource license.self_generated: trial (elastic#38233)
  Rename no-master-block setting (elastic#38350)
  Rename static Zen1 settings (elastic#38333)
  Migration doc for audit json log file (elastic#38165)
  Add apm_user reserved role (elastic#38206)
Please remember to add all relevant labels (area label, version label(s) and change type label) on all PRs and please look for this as part of reviews. The release note generation process is made much harder when PRs are not labelled correctly.
Pinging @elastic/es-security
Sorry about that @colings86
This adds a reserved role for APM to use to grant access to APM, as opposed to requiring users to create custom roles. This will allow us the flexibility to assign Kibana privileges to the reserved role as part of the Kibana Feature Controls.