[Fleet] added privileges for fleet-synced-integrations
#121753
Conversation
elasticsearchmachine
added
v9.1.0
needs:triage
juliaElastic
added
>non-issue
:Core/Infra/Plugins
elasticsearchmachine
removed
the
needs:triage
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
| RoleDescriptor.IndicesPrivileges.builder().indices("logs-fleet_server*").privileges("read", "delete_index").build(), | ||
| // Fleet creates and writes this index for sync integrations feature | ||
| RoleDescriptor.IndicesPrivileges.builder() | ||
| .indices("fleet-synced-integrations") |
There was a problem hiding this comment.
Heya @juliaElastic! Is there a reason to move away from the usual .fleet-* system indices? Making it a "data index" could have collisions with customer indices.
There was a problem hiding this comment.
It is because we are building a feature where this index has to be replicated with CCR to remote clusters, so it can't be a system index.
There was a problem hiding this comment.
Sorry for the delay!
To proceed with this change would you please update the PR description with a Reason section stating your requirement above.
And would you also be able to update this document to include this new index in the Avoid index pattern collisions section: https://www.elastic.co/guide/en/elasticsearch/reference/current/index-templates.html
There was a problem hiding this comment.
Updated the PR description.
Do you know where to update the documentation, or is there an elasticsearch docs team to reach out to?
There was a problem hiding this comment.
Thanks for updating the description!
The docs are located in this (elasticsearch) repo: docs/reference/indices/index-templates.asciidoc
There was a problem hiding this comment.
Thanks, updated here: https://github.com/elastic/elasticsearch/pull/121753/files#diff-a3c27c5107ae1f4a617a6f0006307d2b2d4092f844a1e256e7019ccfc5bc21f8
It seems there is a documentation freeze: #121753 (comment)
This feature is for 9.1 the earliest, what should we do?
There was a problem hiding this comment.
Let's remove the docs from this PR and get these privileges merged to unblock the work.
Then create an issue to add the docs after the freeze is lifted in a few weeks.
There was a problem hiding this comment.
sorry for the confusion 😵💫
There was a problem hiding this comment.
thanks, reverted
added as a task here elastic/kibana#206237
|
the test failures don't seem to be related to the change, are they flaky? |
@elastic/es-security can you help us out? |
|
It looks like this PR modifies one or more |
This reverts commit b73bae8.
kc13greiner
left a comment
kc13greiner
left a comment
There was a problem hiding this comment.
LGTM!
Thanks for the info
## Summary Closes #206237 Create `fleet-synced-integrations` index in Fleet setup, added async task that populates the index with a doc that includes remote ES output data and installed integrations data. ES change to add `kibana_system` privileges: elastic/elasticsearch#121753 To test locally: - run elasticsearch from source to apply the privilege changes, so that `kibana_system` can create the index. ``` yarn es source -E xpack.security.authc.api_key.enabled=true -E xpack.security.authc.token.enabled=true --source-path=/Users/juliabardi/elasticsearch -E path.data=/tmp/es-data -E xpack.ml.enabled=false ``` - enable the feature flag in `kibana.dev.yml`: `xpack.fleet.enableExperimental: ['enableSyncIntegrationsOnRemote']` - add a remote ES output with sync enabled - install some integrations - wait until Fleet setup and the task runs - verify that the index is created and contains a doc with the expected data ``` GET fleet-synced-integrations/_search "hits": { "total": { "value": 1, "relation": "eq" }, "max_score": 1, "hits": [ { "_index": "fleet-synced-integrations", "_id": "fleet-synced-integrations", "_score": 1, "_source": { "remote_es_hosts": [ { "hosts": [ "http://remote1:80" ], "name": "remote1", "sync_integrations": true } ], "integrations": [ { "package_version": "1.64.1", "updated_at": "2025-02-05T11:03:02.226Z", "package_name": "system" } ] } } ] ``` ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]>
3 participants
Related to elastic/kibana#206237
Added
kibana_systemprivileges onfleet-synced-integrationsReason: we are building a feature where this index has to be replicated with CCR to remote clusters, so it can't be a system index.
gradle check? yes