[Fleet] Too many privileges for Elastic Agent data streams #104622
Comments
ruflin
added
bug
|
Pinging @elastic/fleet (Team:Fleet) |
|
@michalpristas @afgomez You might be able to share more details on the above. What are the exact permissions needed for monitoring? |
|
@ruflin my understanding is that we eventually want to get these permissions from the Would it make sense to hold on to any changes to this code path until the package exposes the information we need, and then we are done with it? Aside from this, what would be the downside of leaving the permission block with the wildcard? I understand that we don't want API keys with wildcards, but realistically how big is the problem? If a random person somehow gets the API key and starts to create indices that match the |
|
i'm also for enabling whatever package definition says so as alejandro described above also bear in mind that with new change enabling us to specify namespace used in agent |
|
The initial discussion on why we need this feature with more details around it can be found here: elastic/fleet-server#101 The part that must be understood is that Elastic Agent can run on untrusted machines, for example your laptop. We already give API keys away and these should have as little permissions as possible as otherwise anyone could in theory overload the cluster as one of the examples. APM is a different scenario. It is not enabled by default like the elastic_agent integration and in general I expect apm to be run in trusted environments. @michalpristas I don't follow your example around namespace. I assume the namespace is also set in Fleet for the Elastic Agent so Fleet can updated the permissions? |
|
Re: namespace - Fleet already uses the namespace the user defines (not always @michalpristas Is there a concrete list of all possible If we don't go down the route of hardcoding it, we will have to fix elastic/integrations#953 and also adjust Fleet to read from the package. I'm not sure how feasible that is right now, capacity wise. |
|
++ on fixing the package. I'll try to take a stab at it. |
|
@jen-huang we dont have a list but assuming we have a static set of programs/processes we are able to run, I could compile one if it's needed |
|
I started elastic/integrations#1298 as a draft. @michalpristas could you share the list or check my PR to see if I miss something? I assume we need logs and metrics for each process? |
|
@ruflin that's correct |
|
@afgomez Can you start some work on the Fleet side with the assumption that the |
|
For 7.15, we should definitively rely on the package. For 7.14 I'm thinking we should hard code it. The reason for this is that my assumption is the This does not mean, we should still update the package for 7.14 too but I do not expect this to have any effect on the permissions but on the data stream list with the Elastic Agent icon. |
@michalpristas Could you collect that list for me? :) |
|
@michalpristas I took a list from @ruflin's work in elastic/integrations#1298. I applied the changes in #105419 Can you confirm if the values are correct? |
|
will take a look |
Looking at the default policy in 7.14 it contains the following permissions:
To not allow an API key to ingest data in any indices random data streams, no
*should exists in the permissions block. But forlogs-elastic_agent.*-defaultand metrics this is the case. Instead the specific sub processes should be listed here. It might be tricky to construct these out of the integrations used and likely even undesired, instead I think we should hardcode the current supported subprocess names and add these to the policy.The text was updated successfully, but these errors were encountered: