
Commit 98b1435

committed
Remove apm_user role
1 parent 799e1a7 commit 98b1435


3 files changed

+0
-149
lines changed


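--- a/docs/reference/security/authorization/built-in-roles.asciidoc
+++ b/docs/reference/security/authorization/built-in-roles.asciidoc
@@ -14,11 +14,6 @@ roles have a fixed set of privileges and cannot be updated.
 Grants access necessary for the APM system user to send system-level data
 (such as monitoring) to {es}.
 
-[[built-in-roles-apm-user]] `apm_user` ::
-Grants the privileges required for APM users (such as `read` and
-`view_index_metadata` privileges on the `apm-*` and `.ml-anomalies*` indices).
-deprecated:[7.13.0,"See {kibana-ref}/apm-app-users.html[APM app users and privileges\] for alternatives."].
-
 [[built-in-roles-beats-admin]] `beats_admin` ::
 Grants access to the `.management-beats` index, which contains configuration
 information for the Beats.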

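--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -402,67 +402,6 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
 "Grants access necessary for the APM system user to send system-level data (such as monitoring) to Elasticsearch.\n"
 )
 ),
-entry(
-"apm_user",
-new RoleDescriptor(
-"apm_user",
-null,
-new RoleDescriptor.IndicesPrivileges[] {
-// Self managed APM Server
-// Can be removed in 8.0
-RoleDescriptor.IndicesPrivileges.builder().indices("apm-*").privileges("read", "view_index_metadata").build(),
-
-// APM Server under fleet (data streams)
-RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm.*").privileges("read", "view_index_metadata").build(),
-RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm-*").privileges("read", "view_index_metadata").build(),
-RoleDescriptor.IndicesPrivileges.builder()
-.indices("metrics-apm.*")
-.privileges("read", "view_index_metadata")
-.build(),
-RoleDescriptor.IndicesPrivileges.builder()
-.indices("metrics-apm-*")
-.privileges("read", "view_index_metadata")
-.build(),
-RoleDescriptor.IndicesPrivileges.builder()
-.indices("traces-apm.*")
-.privileges("read", "view_index_metadata")
-.build(),
-RoleDescriptor.IndicesPrivileges.builder()
-.indices("traces-apm-*")
-.privileges("read", "view_index_metadata")
-.build(),
-
-// Machine Learning indices. Only needed for legacy reasons
-// Can be removed in 8.0
-RoleDescriptor.IndicesPrivileges.builder()
-.indices(".ml-anomalies*")
-.privileges("read", "view_index_metadata")
-.build(),
-
-// Annotations
-RoleDescriptor.IndicesPrivileges.builder()
-.indices("observability-annotations")
-.privileges("read", "view_index_metadata")
-.build() },
-new RoleDescriptor.ApplicationResourcePrivileges[] {
-RoleDescriptor.ApplicationResourcePrivileges.builder()
-.application("kibana-*")
-.resources("*")
-.privileges("reserved_ml_apm_user")
-.build() },
-null,
-null,
-MetadataUtils.getDeprecatedReservedMetadata(
-"This role will be removed in a future major release. Please use editor and viewer roles instead"
-),
-null,
-null,
-null,
-null,
-"Grants the privileges required for APM users (such as read and view_index_metadata privileges "
-+ "on the apm-* and .ml-anomalies* indices)."
-)
-),
 entry(
 "inference_admin",
 new RoleDescriptor(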

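--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -3058,89 +3058,6 @@ public void testAPMSystemRole() {
 assertNoAccessAllowed(APMSystemRole, XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2));
 }
 
-public void testAPMUserRole() {
-final TransportRequest request = mock(TransportRequest.class);
-final Authentication authentication = AuthenticationTestHelper.builder().build();
-
-final RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("apm_user");
-assertNotNull(roleDescriptor);
-assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
-
-final String allowedApplicationActionPattern = "example/custom/action/*";
-final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana");
-Role role = Role.buildFromRoleDescriptor(
-roleDescriptor,
-new FieldPermissionsCache(Settings.EMPTY),
-RESTRICTED_INDICES,
-List.of(
-new ApplicationPrivilegeDescriptor(
-kibanaApplicationWithRandomIndex,
-"reserved_ml_apm_user",
-Set.of(allowedApplicationActionPattern),
-Map.of()
-)
-)
-);
-
-assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false));
-assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 12)), is(false));
-
-assertNoAccessAllowed(role, "foo");
-assertNoAccessAllowed(role, "foo-apm");
-assertNoAccessAllowed(role, "foo-logs-apm.bar");
-assertNoAccessAllowed(role, "foo-logs-apm-bar");
-assertNoAccessAllowed(role, "foo-traces-apm.bar");
-assertNoAccessAllowed(role, "foo-traces-apm-bar");
-assertNoAccessAllowed(role, "foo-metrics-apm.bar");
-assertNoAccessAllowed(role, "foo-metrics-apm-bar");
-
-assertOnlyReadAllowed(role, "logs-apm." + randomIntBetween(0, 5));
-assertOnlyReadAllowed(role, "logs-apm-" + randomIntBetween(0, 5));
-assertOnlyReadAllowed(role, "traces-apm." + randomIntBetween(0, 5));
-assertOnlyReadAllowed(role, "traces-apm-" + randomIntBetween(0, 5));
-assertOnlyReadAllowed(role, "metrics-apm." + randomIntBetween(0, 5));
-assertOnlyReadAllowed(role, "metrics-apm-" + randomIntBetween(0, 5));
-assertOnlyReadAllowed(role, "apm-" + randomIntBetween(0, 5));
-assertOnlyReadAllowed(role, AnomalyDetectorsIndexFields.RESULTS_INDEX_PREFIX + AnomalyDetectorsIndexFields.RESULTS_INDEX_DEFAULT);
-
-assertOnlyReadAllowed(role, "observability-annotations");
-
-assertThat(
-role.application().grants(ApplicationPrivilegeTests.createPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"),
-is(false)
-);
-assertThat(
-role.application()
-.grants(
-ApplicationPrivilegeTests.createPrivilege(
-kibanaApplicationWithRandomIndex,
-"app-reserved_ml_apm_user",
-allowedApplicationActionPattern
-),
-"*"
-),
-is(true)
-);
-
-final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24);
-assertThat(
-role.application().grants(ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-foo", "foo"), "*"),
-is(false)
-);
-assertThat(
-role.application()
-.grants(
-ApplicationPrivilegeTests.createPrivilege(
-otherApplication,
-"app-reserved_ml_apm_user",
-allowedApplicationActionPattern
-),
-"*"
-),
-is(false)
-);
-}
-
 public void testMachineLearningAdminRole() {
 final TransportRequest request = mock(TransportRequest.class);
 final Authentication authentication = AuthenticationTestHelper.builder().build();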
