Merge pull request #2553 from wazuh/2552-ism-rollover-add-role

Add new role to grant ISM API permissions
wazuh · Nov 7, 2023 · 07ff16d · 07ff16d
2 parents a024eff + 70d6b1e
commit 07ff16d
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 3 deletions.
diff --git a/stack/indexer/deb/debian/rules b/stack/indexer/deb/debian/rules
@@ -100,6 +100,7 @@ override_dh_install:
 	cp /root/documentation-templates/wazuh/config.yml $(TARGET_DIR)$(INSTALLATION_DIR)/plugins/opensearch-security/tools/config.yml
 
 	# Copy Wazuh's config files for the security plugin
+	cp -pr $(REPO_DIR)/config/indexer/roles/action_groups.yml $(TARGET_DIR)$(CONFIG_DIR)/opensearch-security/
 	cp -pr $(REPO_DIR)/config/indexer/roles/roles_mapping.yml $(TARGET_DIR)$(CONFIG_DIR)/opensearch-security/
 	cp -pr $(REPO_DIR)/config/indexer/roles/roles.yml $(TARGET_DIR)$(CONFIG_DIR)/opensearch-security/
 	cp -pr $(REPO_DIR)/config/indexer/roles/internal_users.yml $(TARGET_DIR)$(CONFIG_DIR)/opensearch-security/

diff --git a/stack/indexer/rpm/wazuh-indexer.spec b/stack/indexer/rpm/wazuh-indexer.spec
@@ -93,6 +93,7 @@ cp %{REPO_DIR}/wazuh-passwords-tool.sh ${RPM_BUILD_ROOT}%{INSTALL_DIR}/plugins/o
 cp /root/documentation-templates/wazuh/config.yml ${RPM_BUILD_ROOT}%{INSTALL_DIR}/plugins/opensearch-security/tools/config.yml
 
 # Copy Wazuh's config files for the security plugin
+cp %{REPO_DIR}/config/indexer/roles/action_groups.yml ${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security
 cp %{REPO_DIR}/config/indexer/roles/internal_users.yml ${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security
 cp %{REPO_DIR}/config/indexer/roles/roles.yml ${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security
 cp %{REPO_DIR}/config/indexer/roles/roles_mapping.yml ${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security

diff --git a/unattended_installer/config/indexer/roles/action_groups.yml b/unattended_installer/config/indexer/roles/action_groups.yml
@@ -0,0 +1,12 @@
+---
+_meta:
+  type: "actiongroups"
+  config_version: 2
+
+# ISM API permissions group
+manage_ism:
+  reserved: true
+  hidden: false
+  allowed_actions:
+  - "cluster:admin/opendistro/ism/*"
+  static: false
diff --git a/unattended_installer/config/indexer/roles/roles.yml b/unattended_installer/config/indexer/roles/roles.yml
@@ -146,4 +146,12 @@ manage_wazuh_index:
     - "manage"
     - "index"
   tenant_permissions: []
-  static: false
+  static: false
+
+# ISM API permissions role
+manage_ism:
+  reserved: true
+  hidden: false
+  cluster_permissions:
+  - "manage_ism"
+  static: false
diff --git a/unattended_installer/config/indexer/roles/roles_mapping.yml b/unattended_installer/config/indexer/roles/roles_mapping.yml
@@ -76,12 +76,19 @@ kibana_user:
   and_backend_roles: []
   description: "Maps kibanauser to kibana_user"
 
-  # Wazuh monitoring and statistics index permissions
+# Wazuh monitoring and statistics index permissions
 manage_wazuh_index:
   reserved: true
   hidden: false
   backend_roles: []
   hosts: []
   users:
   - "kibanaserver"
-  and_backend_roles: []
+  and_backend_roles: []
+
+# ISM API permissions role mapping
+manage_ism:
+  reserved: true
+  hidden: false
+  users:
+  - "kibanaserver"