Skip to content

Add view_index_matadata connector permission for fleet-server account #113262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 23, 2024
Merged

Add view_index_matadata connector permission for fleet-server account #113262

merged 2 commits into from
Sep 23, 2024

Conversation

jedrazb
Copy link
Member

@jedrazb jedrazb commented Sep 20, 2024

Changes

See #112556 for details.

Add permissions to fleet-server service account to enable running elastic/connectors as an integration.

Fleet service service account owns and generates api keys that are used by integrations (components) enrolled in fleet. Connectors are (soon) an integrations that can be deployed in agentless to offer Elastic-managed ingestion story.

When changing from read,write,manage to more granular permissions I missed view_index_metadata.

This allows the connector service to call GET {index}, without this permission content sync would fail. (I somehow missed that during testing of the last PR...)

Validation

Tested locally with view_index_metadata permission added to fleet-server service account. Performed full content sync with updated permission model.

@jedrazb jedrazb added >non-issue :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team Team:Fleet :SearchOrg/Extract&Transform Label for the Search E&T team Team:Search - Extract & Transform v9.0.0 labels Sep 20, 2024
@github-actions GitHub Actions
Copy link
Contributor

Documentation preview:

@jedrazb jedrazb changed the title Add view_index_matadata to fleet-server for elastic_connetors package Add view_index_matadata connector permission for fleet-server account Sep 20, 2024
@jedrazb jedrazb marked this pull request as ready for review September 20, 2024 11:57
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine added the Team:SearchOrg Meta label for the Search Org (Enterprise Search) label Sep 20, 2024
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/ingestion-team (Team:Search - Extract & Transform)

@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/ent-search-eng (Team:SearchOrg)

@jedrazb
Copy link
Member Author

jedrazb commented Sep 20, 2024

@elasticsearchmachine run buildkite/docs-build-pr

@jedrazb
Copy link
Member Author

jedrazb commented Sep 20, 2024

@elasticmachine run buildkite/docs-build-pr

@jedrazb jedrazb merged commit ce79fa4 into elastic:main Sep 23, 2024
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@seanstory seanstory seanstory approved these changes

@nchaulet nchaulet Awaiting requested review from nchaulet

Assignees

No one assigned

Labels

>non-issue :SearchOrg/Extract&Transform Label for the Search E&T team :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Fleet Team:Search - Extract & Transform Team:SearchOrg Meta label for the Search Org (Enterprise Search) Team:Security Meta label for security team v9.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jedrazb @elasticsearchmachine @seanstory