Add new role to grant ISM API permissions #2553
Changes seem good to me, but it is necessary to check the package build using Jenkins, please add the following builds
- A Packages_builder build for indexer RPM
- A Packages_builder build for indexer DEB
I do not see the checks shown in the PR as marked or done, where can I find the results?
Jenkins builds 🟢

RPM (upgrade)

```
curl -X GET "https://localhost:9200/_plugins/_ism/explain/wazuh-alerts-*?pretty" -k -u "kibanaserver:lJ*bN+3zkQ8MnMU2OyldZSKuuogq2ity"
{
  "wazuh-alerts-4.x-2023.10.31-000001" : {
    "index.plugins.index_state_management.policy_id" : "rollover_policy",
    "index.opendistro.index_state_management.policy_id" : "rollover_policy",
    "index" : "wazuh-alerts-4.x-2023.10.31-000001",
    "index_uuid" : "Tfr2hV5iRGSBDl8lKfsTIg",
    "policy_id" : "rollover_policy",
    "policy_seq_no" : -2,
    "policy_primary_term" : 0,
    "rolled_over" : false,
    "index_creation_date" : 1698775149755,
    "state" : {
      "name" : "active",
      "start_time" : 1698775563752
    },
    "action" : {
      "name" : "rollover",
      "start_time" : 1698775820540,
      "index" : 0,
      "failed" : false,
      "consumed_retries" : 0,
      "last_retry_time" : 0
    },
    "step" : {
      "name" : "attempt_rollover",
      "start_time" : 1698775820540,
      "step_status" : "condition_not_met"
    },
    "retry_info" : {
      "failed" : false,
      "consumed_retries" : 0
    },
    "info" : {
      "message" : "Pending rollover of index [index=wazuh-alerts-4.x-2023.10.31-000001]",
      "conditions" : {
        "min_primary_shard_size" : {
          "condition" : "25gb",
          "current" : "186.2kb",
          "shard" : 0
        },
        "min_index_age" : {
          "condition" : "7d",
          "current" : "5.9d",
          "creationDate" : 1698775149755
        },
        "min_doc_count" : {
          "condition" : 200000000,
          "current" : 181
        }
      }
    },
    "enabled" : true
  },
  "total_managed_indices" : 1
}
```
LGTM!
Please be aware that these changes may affect the DevOps deployments, please check it with @wazuh/cicd
Description

A new role has been added to grant ISM API permissions, required by the app to upload the ISM policy for auto-rollover. It's mapped to the `kibanaserver` internal user by default.

A new file has been created: `action_groups.yml`, used to group all permissions required by the ISM API.

Tests

Check the following:

- `manage_ism` action group is created in a fresh installation or upgrade.
- `manage_ism` action group can be used in other roles.
- `manage_ism` role is created in a fresh installation or upgrade.
- `manage_ism` role uses the `manage_ism` action group as cluster permissions.
- `manage_ism` role is mapped to the `kibanaserver` internal user.
- `manage_ism` role can be mapped to other users.
- `kibanaserver` user (or any other with the `manage_ism` role)
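
The checklist above can be evaluated mechanically from the Security plugin's REST API output. This is an added example, not code from the PR or the project: it assumes responses shaped like `GET _plugins/_security/api/{actiongroups,roles,rolesmapping}/manage_ism`, uses constructed sample data, and uses a placeholder for the action list because the page does not show the contents of `action_groups.yml`.

```python
import copy

NAME = "manage_ism"  # role and action group name from the PR description

# Constructed sample responses, keyed by Security API resource type.
# "<ism-action-placeholder>" stands in for the real action list, which the page does not show.
SAMPLE = {
    "actiongroups": {NAME: {"type": "cluster", "allowed_actions": ["<ism-action-placeholder>"]}},
    "roles": {NAME: {"cluster_permissions": [NAME], "index_permissions": [], "tenant_permissions": []}},
    "rolesmapping": {NAME: {"users": ["kibanaserver"], "backend_roles": [], "hosts": []}},
}


def check_manage_ism(resp, expected_user="kibanaserver"):
    """Return the checklist items that fail; an empty list means all pass."""
    failures = []
    group = resp.get("actiongroups", {}).get(NAME)
    role = resp.get("roles", {}).get(NAME)
    mapping = resp.get("rolesmapping", {}).get(NAME)

    if group is None:
        failures.append("action group not created")
    elif not group.get("allowed_actions"):
        failures.append("action group has no allowed actions")

    if role is None:
        failures.append("role not created")
    else:
        cluster = role.get("cluster_permissions", [])
        if NAME not in cluster:
            failures.append("role does not use the action group")
        if "*" in cluster:
            # Extra hygiene check (not in the PR checklist): a wildcard would
            # make the dedicated action group pointless.
            failures.append("role grants wildcard cluster permissions")

    if mapping is None:
        failures.append("role mapping not created")
    elif expected_user not in mapping.get("users", []):
        failures.append(f"role not mapped to {expected_user}")
    return failures


def demo():
    """Run the check on the good sample and on a copy with the mapping emptied."""
    broken = copy.deepcopy(SAMPLE)
    broken["rolesmapping"][NAME]["users"] = []
    return check_manage_ism(SAMPLE), check_manage_ism(broken)
```

Passing a different `expected_user` covers the "can be mapped to other users" item once that mapping has been applied.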