
@hop-dev (Contributor) commented Oct 8, 2024

As part of the entity store feature we need the Kibana system user to be able to read entity store entities.

What is the entity store?

The entity store is a new security feature which extracts entities (hosts & users) from logs and metrics data.

The documents in the .entities.v1.latest.security* index each represent an entity extracted from event data; properties are added as we see them over time. For example, for a host we store IP, MAC and OS information, and for a user we store things like email, name and roles.

Why does Kibana system need read access?

Primarily in 8.16.0 we need read access in order to execute an enrich policy on a regular basis as part of our architecture.

But going forward we will be building experiences on top of the entities index, for example the Kibana system user will read the entities index in order to perform risk scoring on the entities.
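As an added example (not code from this PR or from the Elasticsearch repository), this is the check a reviewer would run after the change is deployed: ask the Elasticsearch `_has_privileges` API what the `kibana_system` user (the reserved user behind "the Kibana system user" above) holds on an entity store index, and confirm that `read` is granted while `write` and `manage` are not, i.e. the grant is as narrow as the description claims. The concrete index name `.entities.v1.latest.security-default`, the `ES_URL`/`ES_USER`/`ES_PASSWORD` environment variable names and the embedded sample response are constructed for this example; the request and response shapes are those of the real API.

```python
"""Least-privilege check for the kibana_system grant on entity store indices.

Added example, not code from the elasticsearch repository. Builds a body for
the real `_has_privileges` API, evaluates the response, and optionally runs
against a live cluster when ES_URL / ES_USER / ES_PASSWORD are set (those
variable names are this script's own convention).
"""
import base64
import json
import os
import urllib.request

ENTITY_INDEX_PATTERN = ".entities.v1.latest.security*"  # pattern named in the PR
# Concrete index name constructed for this example; the PR only names the pattern.
SAMPLE_INDEX = ".entities.v1.latest.security-default"


def build_has_privileges_body(index_names, privileges):
    """Request body for /_security/user/_has_privileges (real API shape)."""
    return {"index": [{"names": list(index_names), "privileges": list(privileges)}]}


def missing_privileges(response, index_name, required):
    """Privileges from `required` that the user does NOT hold on index_name."""
    granted = response.get("index", {}).get(index_name, {})
    return [p for p in required if not granted.get(p, False)]


def unexpected_privileges(response, index_name, allowed):
    """Privileges the user holds on index_name beyond the `allowed` set."""
    granted = response.get("index", {}).get(index_name, {})
    return sorted(p for p, ok in granted.items() if ok and p not in allowed)


def check_entity_store_access(response, index_name=SAMPLE_INDEX):
    """True only when read is granted and nothing outside {read} is."""
    return (
        not missing_privileges(response, index_name, ["read"])
        and not unexpected_privileges(response, index_name, {"read"})
    )


def query_live_cluster(body):
    """Optional live check as the configured user (basic auth over HTTPS)."""
    url = os.environ["ES_URL"].rstrip("/") + "/_security/user/_has_privileges"
    creds = f"{os.environ['ES_USER']}:{os.environ['ES_PASSWORD']}".encode()
    token = base64.b64encode(creds).decode()
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response in the real _has_privileges shape:
# read granted, write and manage not granted.
SAMPLE_RESPONSE = {
    "username": "kibana_system",
    "has_all_requested": False,
    "cluster": {},
    "index": {SAMPLE_INDEX: {"read": True, "write": False, "manage": False}},
    "application": {},
}

if __name__ == "__main__":
    body = build_has_privileges_body([SAMPLE_INDEX], ["read", "write", "manage"])
    response = query_live_cluster(body) if "ES_URL" in os.environ else SAMPLE_RESPONSE
    print("read-only entity store access:", check_entity_store_access(response))
```

Asking for `write` and `manage` alongside `read` is deliberate: `has_all_requested` being false is the expected result, and the per-index map is what tells you the grant stayed read-only.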

@hop-dev hop-dev self-assigned this Oct 8, 2024
@elasticsearchmachine (Collaborator)
@hop-dev please enable the option "Allow edits and access to secrets by maintainers" on your PR. For more information, see the documentation.

@elasticsearchmachine elasticsearchmachine added external-contributor Pull request authored by a developer outside the Elasticsearch team v9.0.0 labels Oct 8, 2024
@hop-dev hop-dev added v8.16.0 and removed external-contributor Pull request authored by a developer outside the Elasticsearch team labels Oct 8, 2024
@hop-dev hop-dev marked this pull request as ready for review October 8, 2024 20:14
@hop-dev hop-dev requested a review from a team as a code owner October 8, 2024 20:14
@elasticsearchmachine elasticsearchmachine added the needs:triage Requires assignment of a team area label label Oct 8, 2024
@hop-dev hop-dev added >enhancement Team:Security Meta label for security team labels Oct 8, 2024
@elasticsearchmachine elasticsearchmachine removed the Team:Security Meta label for security team label Oct 8, 2024
@hop-dev hop-dev added the :Core/Infra/Core Core issues without another label label Oct 9, 2024
@elasticsearchmachine elasticsearchmachine added Team:Core/Infra Meta label for core/infra team and removed needs:triage Requires assignment of a team area label labels Oct 9, 2024
@elasticsearchmachine (Collaborator)
Pinging @elastic/es-core-infra (Team:Core/Infra)

@elasticsearchmachine (Collaborator)
Hi @hop-dev, I've created a changelog YAML for you.

@hop-dev (Contributor, Author) commented Oct 9, 2024

@elasticsearchmachine merge upstream

@hop-dev (Contributor, Author) commented Oct 9, 2024

@elasticmachine merge upstream

@kkrik-es (Contributor) commented Oct 9, 2024

Oops this was unintended, apologies.

@kkrik-es kkrik-es reopened this Oct 9, 2024
@azasypkin (Member)
Hey @hop-dev,

Would you mind updating PR description with more details about the requirements behind this change?

  • Why do we need to make this change exactly? What part of Kibana will be leveraging this permission?
  • Do you have any discussion or issue you could link to from this PR?
  • What does create this index and ingest data to it?
  • Is it a system or hidden index?
  • What kind of data is stored in this index?

The more details, the better. Thanks!

@hop-dev (Contributor, Author) commented Oct 9, 2024

@azasypkin I've updated the description, let me know if you need any more info.

@hop-dev (Contributor, Author) commented Oct 9, 2024

@elasticmachine merge upstream

@azasypkin (Member) left a comment

> @azasypkin I've updated the description, let me know if you need any more info.

That’s super helpful, @hop-dev, thanks! One last question - are these indices created with hidden: true?

@hop-dev (Contributor, Author) commented Oct 10, 2024

@azasypkin they currently are not, but I have been thinking we should hide them because of the dot prefix, why do you ask?

@azasypkin (Member)

> @azasypkin they currently are not, but I have been thinking we should hide them because of the dot prefix, why do you ask?

Yeah, if we don’t want users to interact with these indices directly, then making them hidden or even system indices (depends on your requirements, a bit more involved, but much safer, see

    public static final SystemIndexDescriptor KIBANA_INDEX_DESCRIPTOR = SystemIndexDescriptor.builder()
        .setIndexPattern(".kibana_*")
        .setDescription("Kibana saved objects system index")
        .setAliasName(".kibana")
        .setType(Type.EXTERNAL_UNMANAGED)
        .setAllowedElasticProductOrigins(KIBANA_PRODUCT_ORIGIN)
        .setAllowsTemplates()
        .build();
    public static final SystemIndexDescriptor REPORTING_INDEX_DESCRIPTOR = SystemIndexDescriptor.builder()
        .setIndexPattern(".reporting-*")
        .setDescription("system index for reporting")
        .setType(Type.EXTERNAL_UNMANAGED)
        .setAllowedElasticProductOrigins(KIBANA_PRODUCT_ORIGIN)
        .build();
    public static final SystemIndexDescriptor APM_AGENT_CONFIG_INDEX_DESCRIPTOR = SystemIndexDescriptor.builder()
        .setIndexPattern(".apm-agent-configuration*")
        .setDescription("system index for APM agent configuration")
        .setType(Type.EXTERNAL_UNMANAGED)
        .setAllowedElasticProductOrigins(KIBANA_PRODUCT_ORIGIN)
        .build();
    public static final SystemIndexDescriptor APM_CUSTOM_LINK_INDEX_DESCRIPTOR = SystemIndexDescriptor.builder()
        .setIndexPattern(".apm-custom-link*")
        .setDescription("system index for APM custom links")
        .setType(Type.EXTERNAL_UNMANAGED)
        .setAllowedElasticProductOrigins(KIBANA_PRODUCT_ORIGIN)
        .build();

and

    return new SystemDataStreamDescriptor(
        ".fleet-actions-results",
        "Result history of fleet actions",
        SystemDataStreamDescriptor.Type.EXTERNAL,
        composableIndexTemplate,
        Map.of(),
        ALLOWED_PRODUCTS,
        ExecutorNames.DEFAULT_SYSTEM_DATA_STREAM_THREAD_POOLS
    );
) makes total sense to me.

@hop-dev (Contributor, Author) commented Oct 10, 2024

Really appreciate the guidance, I'll look into it 👍

@hop-dev hop-dev merged commit cbd3613 into main Oct 10, 2024
17 checks passed
@hop-dev hop-dev deleted the security-entity-store-permissions branch October 10, 2024 09:34
@hop-dev hop-dev restored the security-entity-store-permissions branch October 10, 2024 09:34
@hop-dev hop-dev deleted the security-entity-store-permissions branch October 10, 2024 09:34
@hop-dev hop-dev added the auto-backport Automatically create backport pull requests when merged label Oct 10, 2024
@hop-dev (Contributor, Author) commented Oct 10, 2024

💚 All backports created successfully

Status  Branch  Result
        8.x

Questions? Please refer to the Backport tool documentation.

matthewabbott pushed a commit to matthewabbott/elasticsearch that referenced this pull request Oct 10, 2024
…stic#114363)

* Give the kibana system user .entities read permissions

* Update docs/changelog/114363.yaml

---------

Co-authored-by: Elastic Machine <[email protected]>
hop-dev added a commit that referenced this pull request Oct 11, 2024
…4363) (#114520)

* Give the kibana system user .entities read permissions

* Update docs/changelog/114363.yaml

---------

Co-authored-by: Elastic Machine <[email protected]>
(cherry picked from commit cbd3613)

# Conflicts:
#	x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java

Co-authored-by: Elastic Machine <[email protected]>
davidkyle pushed a commit to davidkyle/elasticsearch that referenced this pull request Oct 13, 2024
…stic#114363)

* Give the kibana system user .entities read permissions

* Update docs/changelog/114363.yaml

---------

Co-authored-by: Elastic Machine <[email protected]>