From 4ed397b53de7b95c8a398a71d8713c762b32ea19 Mon Sep 17 00:00:00 2001 From: Sonja Krause-Harder Date: Thu, 4 Feb 2021 17:54:14 +0100 Subject: [PATCH 1/4] Reduce permissions. --- .../fleet/server/services/api_keys/index.ts | 13 ++-------- x-pack/plugins/fleet/server/services/setup.ts | 13 ++-------- .../apis/agents_setup.ts | 13 ++-------- .../fleet_api_integration/apis/fleet_setup.ts | 24 ++++--------------- 4 files changed, 10 insertions(+), 53 deletions(-) diff --git a/x-pack/plugins/fleet/server/services/api_keys/index.ts b/x-pack/plugins/fleet/server/services/api_keys/index.ts index 65051163c78c3..886361f5177a4 100644 --- a/x-pack/plugins/fleet/server/services/api_keys/index.ts +++ b/x-pack/plugins/fleet/server/services/api_keys/index.ts @@ -22,17 +22,8 @@ export async function generateOutputApiKey( cluster: ['monitor'], index: [ { - names: [ - 'logs-*', - 'metrics-*', - 'traces-*', - '.ds-logs-*', - '.ds-metrics-*', - '.ds-traces-*', - '.logs-endpoint.diagnostic.collection-*', - '.ds-.logs-endpoint.diagnostic.collection-*', - ], - privileges: ['write', 'create_index', 'indices:admin/auto_create'], + names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], + privileges: ['create_doc', 'indices:admin/auto_create'], }, ], }, diff --git a/x-pack/plugins/fleet/server/services/setup.ts b/x-pack/plugins/fleet/server/services/setup.ts index f19ad4e7fe417..3ffec2523c103 100644 --- a/x-pack/plugins/fleet/server/services/setup.ts +++ b/x-pack/plugins/fleet/server/services/setup.ts @@ -192,17 +192,8 @@ async function putFleetRole(callCluster: CallESAsCurrentUser) { cluster: ['monitor', 'manage_api_key'], indices: [ { - names: [ - 'logs-*', - 'metrics-*', - 'traces-*', - '.ds-logs-*', - '.ds-metrics-*', - '.ds-traces-*', - '.logs-endpoint.diagnostic.collection-*', - '.ds-.logs-endpoint.diagnostic.collection-*', - ], - privileges: ['write', 'create_index', 'indices:admin/auto_create'], + names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], + privileges: ['create_doc', 'indices:admin/auto_create'], }, ], }, diff --git a/x-pack/test/fleet_api_integration/apis/agents_setup.ts b/x-pack/test/fleet_api_integration/apis/agents_setup.ts index c1abdfab566b9..65d851dca281c 100644 --- a/x-pack/test/fleet_api_integration/apis/agents_setup.ts +++ b/x-pack/test/fleet_api_integration/apis/agents_setup.ts @@ -60,17 +60,8 @@ export default function (providerContext: FtrProviderContext) { cluster: ['monitor', 'manage_api_key'], indices: [ { - names: [ - 'logs-*', - 'metrics-*', - 'traces-*', - '.ds-logs-*', - '.ds-metrics-*', - '.ds-traces-*', - '.logs-endpoint.diagnostic.collection-*', - '.ds-.logs-endpoint.diagnostic.collection-*', - ], - privileges: ['write', 'create_index', 'indices:admin/auto_create'], + names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], + privileges: ['create_doc', 'indices:admin/auto_create'], allow_restricted_indices: false, }, ], diff --git a/x-pack/test/fleet_api_integration/apis/fleet_setup.ts b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts index 2c15cddc81ea1..e63a5ac7c32bc 100644 --- a/x-pack/test/fleet_api_integration/apis/fleet_setup.ts +++ b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts @@ -62,15 +62,8 @@ export default function (providerContext: FtrProviderContext) { cluster: ['monitor', 'manage_api_key'], indices: [ { - names: [ - 'logs-*', - 'metrics-*', - 'traces-*', - '.ds-logs-*', - '.ds-metrics-*', - '.ds-traces-*', - ], - privileges: ['write', 'create_index', 'indices:admin/auto_create'], + names: ['logs-*', 'metrics-*', 'traces-*'], + privileges: ['create_doc', 'indices:admin/auto_create'], allow_restricted_indices: false, }, ], @@ -101,17 +94,8 @@ export default function (providerContext: FtrProviderContext) { cluster: ['monitor', 'manage_api_key'], indices: [ { - names: [ - 'logs-*', - 'metrics-*', - 'traces-*', - '.ds-logs-*', - '.ds-metrics-*', - '.ds-traces-*', - '.logs-endpoint.diagnostic.collection-*', - '.ds-.logs-endpoint.diagnostic.collection-*', - ], - privileges: ['write', 'create_index', 'indices:admin/auto_create'], + names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], + privileges: ['create_doc', 'indices:admin/auto_create'], allow_restricted_indices: false, }, ], From dc0c6fe09116e746a1eb28b9d5306ca3d55242f8 Mon Sep 17 00:00:00 2001 From: Sonja Krause-Harder Date: Tue, 9 Feb 2021 16:19:23 +0100 Subject: [PATCH 2/4] Change permissions back. --- x-pack/plugins/fleet/server/services/api_keys/index.ts | 2 +- x-pack/plugins/fleet/server/services/setup.ts | 2 +- x-pack/test/fleet_api_integration/apis/agents_setup.ts | 2 +- x-pack/test/fleet_api_integration/apis/fleet_setup.ts | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/x-pack/plugins/fleet/server/services/api_keys/index.ts b/x-pack/plugins/fleet/server/services/api_keys/index.ts index 886361f5177a4..906bedb3f90c9 100644 --- a/x-pack/plugins/fleet/server/services/api_keys/index.ts +++ b/x-pack/plugins/fleet/server/services/api_keys/index.ts @@ -23,7 +23,7 @@ export async function generateOutputApiKey( index: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['create_doc', 'indices:admin/auto_create'], + privileges: ['write', 'create_index', 'indices:admin/auto_create'], }, ], }, diff --git a/x-pack/plugins/fleet/server/services/setup.ts b/x-pack/plugins/fleet/server/services/setup.ts index 3ffec2523c103..46daaad9e14b4 100644 --- a/x-pack/plugins/fleet/server/services/setup.ts +++ b/x-pack/plugins/fleet/server/services/setup.ts @@ -193,7 +193,7 @@ async function putFleetRole(callCluster: CallESAsCurrentUser) { indices: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['create_doc', 'indices:admin/auto_create'], + privileges: ['write', 'create_index', 'indices:admin/auto_create'], }, ], }, diff --git a/x-pack/test/fleet_api_integration/apis/agents_setup.ts b/x-pack/test/fleet_api_integration/apis/agents_setup.ts index 65d851dca281c..c4f115e4d0e01 100644 --- a/x-pack/test/fleet_api_integration/apis/agents_setup.ts +++ b/x-pack/test/fleet_api_integration/apis/agents_setup.ts @@ -61,7 +61,7 @@ export default function (providerContext: FtrProviderContext) { indices: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['create_doc', 'indices:admin/auto_create'], + privileges: ['write', 'create_index', 'indices:admin/auto_create'], allow_restricted_indices: false, }, ], diff --git a/x-pack/test/fleet_api_integration/apis/fleet_setup.ts b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts index e63a5ac7c32bc..a5a4db491e0ae 100644 --- a/x-pack/test/fleet_api_integration/apis/fleet_setup.ts +++ b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts @@ -95,7 +95,7 @@ export default function (providerContext: FtrProviderContext) { indices: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['create_doc', 'indices:admin/auto_create'], + privileges: ['write', 'create_index', 'indices:admin/auto_create'], allow_restricted_indices: false, }, ], From e4f5feb7d941714f19857f0a2d58f808ebb9bc51 Mon Sep 17 00:00:00 2001 From: Sonja Krause-Harder Date: Wed, 10 Feb 2021 15:27:15 +0100 Subject: [PATCH 3/4] Reducing permissions on fleet_enroll role - 'write', 'create_index' -> 'auto_configure', 'create_doc' --- x-pack/plugins/fleet/server/services/api_keys/index.ts | 2 +- x-pack/plugins/fleet/server/services/setup.ts | 2 +- x-pack/test/fleet_api_integration/apis/agents_setup.ts | 2 +- x-pack/test/fleet_api_integration/apis/fleet_setup.ts | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/x-pack/plugins/fleet/server/services/api_keys/index.ts b/x-pack/plugins/fleet/server/services/api_keys/index.ts index 906bedb3f90c9..5ad84322cc69d 100644 --- a/x-pack/plugins/fleet/server/services/api_keys/index.ts +++ b/x-pack/plugins/fleet/server/services/api_keys/index.ts @@ -23,7 +23,7 @@ export async function generateOutputApiKey( index: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['write', 'create_index', 'indices:admin/auto_create'], + privileges: ['auto_configure', 'create_doc', 'indices:admin/auto_create'], }, ], }, diff --git a/x-pack/plugins/fleet/server/services/setup.ts b/x-pack/plugins/fleet/server/services/setup.ts index 46daaad9e14b4..0887c6c28e8f8 100644 --- a/x-pack/plugins/fleet/server/services/setup.ts +++ b/x-pack/plugins/fleet/server/services/setup.ts @@ -193,7 +193,7 @@ async function putFleetRole(callCluster: CallESAsCurrentUser) { indices: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['write', 'create_index', 'indices:admin/auto_create'], + privileges: ['auto_configure', 'create_doc', 'indices:admin/auto_create'], }, ], }, diff --git a/x-pack/test/fleet_api_integration/apis/agents_setup.ts b/x-pack/test/fleet_api_integration/apis/agents_setup.ts index c4f115e4d0e01..27f7ea7b61306 100644 --- a/x-pack/test/fleet_api_integration/apis/agents_setup.ts +++ b/x-pack/test/fleet_api_integration/apis/agents_setup.ts @@ -61,7 +61,7 @@ export default function (providerContext: FtrProviderContext) { indices: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['write', 'create_index', 'indices:admin/auto_create'], + privileges: ['auto_configure', 'create_doc', 'indices:admin/auto_create'], allow_restricted_indices: false, }, ], diff --git a/x-pack/test/fleet_api_integration/apis/fleet_setup.ts b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts index a5a4db491e0ae..55e759466a3b8 100644 --- a/x-pack/test/fleet_api_integration/apis/fleet_setup.ts +++ b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts @@ -95,7 +95,7 @@ export default function (providerContext: FtrProviderContext) { indices: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['write', 'create_index', 'indices:admin/auto_create'], + privileges: ['auto_configure', 'create_doc', 'indices:admin/auto_create'], allow_restricted_indices: false, }, ], From 070fe275c89f37ff0be463c33dbfca7b01bbaaac Mon Sep 17 00:00:00 2001 From: Sonja Krause-Harder Date: Wed, 10 Feb 2021 16:18:30 +0100 Subject: [PATCH 4/4] Remove indices:admin/auto_create from privileges. --- x-pack/plugins/fleet/server/services/api_keys/index.ts | 2 +- x-pack/plugins/fleet/server/services/setup.ts | 2 +- x-pack/test/fleet_api_integration/apis/agents_setup.ts | 2 +- x-pack/test/fleet_api_integration/apis/fleet_setup.ts | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/x-pack/plugins/fleet/server/services/api_keys/index.ts b/x-pack/plugins/fleet/server/services/api_keys/index.ts index 5ad84322cc69d..911cb700dd56b 100644 --- a/x-pack/plugins/fleet/server/services/api_keys/index.ts +++ b/x-pack/plugins/fleet/server/services/api_keys/index.ts @@ -23,7 +23,7 @@ export async function generateOutputApiKey( index: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['auto_configure', 'create_doc', 'indices:admin/auto_create'], + privileges: ['auto_configure', 'create_doc'], }, ], }, diff --git a/x-pack/plugins/fleet/server/services/setup.ts b/x-pack/plugins/fleet/server/services/setup.ts index 0887c6c28e8f8..6c8f24e799574 100644 --- a/x-pack/plugins/fleet/server/services/setup.ts +++ b/x-pack/plugins/fleet/server/services/setup.ts @@ -193,7 +193,7 @@ async function putFleetRole(callCluster: CallESAsCurrentUser) { indices: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['auto_configure', 'create_doc', 'indices:admin/auto_create'], + privileges: ['auto_configure', 'create_doc'], }, ], }, diff --git a/x-pack/test/fleet_api_integration/apis/agents_setup.ts b/x-pack/test/fleet_api_integration/apis/agents_setup.ts index 27f7ea7b61306..20112afdf76a4 100644 --- a/x-pack/test/fleet_api_integration/apis/agents_setup.ts +++ b/x-pack/test/fleet_api_integration/apis/agents_setup.ts @@ -61,7 +61,7 @@ export default function (providerContext: FtrProviderContext) { indices: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['auto_configure', 'create_doc', 'indices:admin/auto_create'], + privileges: ['auto_configure', 'create_doc'], allow_restricted_indices: false, }, ], diff --git a/x-pack/test/fleet_api_integration/apis/fleet_setup.ts b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts index 55e759466a3b8..31d620cd34931 100644 --- a/x-pack/test/fleet_api_integration/apis/fleet_setup.ts +++ b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts @@ -95,7 +95,7 @@ export default function (providerContext: FtrProviderContext) { indices: [ { names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'], - privileges: ['auto_configure', 'create_doc', 'indices:admin/auto_create'], + privileges: ['auto_configure', 'create_doc'], allow_restricted_indices: false, }, ],