Merged
Expand Up @@ -473,6 +473,9 @@ static RoleDescriptor kibanaSystem(String name) {
"read",
"index",
"delete",

// Require "delete_index" to perform ILM policy actions
TransportDeleteIndexAction.TYPE.name(),

For my own knowledge, is this different from the delete_index named privilege?

It might be my limited understanding of the issue and how we manage these indices, but...

  • do we need delete_index also on the above indices (logs-cloud_security_posture.findings-*)?
  • and should we really be applying the same privileges to vulnerabilities_latest-default* here? Or is this unnecessary?

Contributor Author

@Omolola-Akinleye Omolola-Akinleye Jun 3, 2025

> do we need delete_index also on the above indices (logs-cloud_security_posture.findings-*)?

For index privilege I see TransportDeleteIndexAction.TYPE.name() will have admin:delete action

> and should we really be applying the same privileges to vulnerabilities_latest-default* here? Or is this unnecessary?

That's a good point! We should have privileges for vulnerabilities_latest-default* and logs-cloud_security_posture.findings-*

Thanks for double checking and confirming!

"manage",
TransportIndicesAliasesAction.NAME,
TransportUpdateSettingsAction.TYPE.name()
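Review bot: The new comment names "delete_index", but the entry added under it is TransportDeleteIndexAction.TYPE.name(), and the same list carries "manage" directly below it. Say in the comment which ILM action needs index deletion on this pattern, and check whether "manage" already grants it here. If it does, the explicit entry can go; if it does not, the comment should say why, so the kibana_system grant stays reviewable as least privilege.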
Expand All @@ -487,6 +490,8 @@ static RoleDescriptor kibanaSystem(String name) {
"read",
"index",
"delete",
// Require "delete_index" to perform ILM policy actions
TransportDeleteIndexAction.TYPE.name(),
TransportIndicesAliasesAction.NAME,
TransportUpdateSettingsAction.TYPE.name(),
TransportAutoPutMappingAction.TYPE.name()
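Review bot: The comment and the TransportDeleteIndexAction.TYPE.name() entry after "delete" repeat word for word what the hunk at -473 adds, so the justification now lives in two places. Consider naming in each comment the index pattern the grant applies to (it is not visible in either hunk), or sharing the privilege list between the two descriptors, so a later change to one does not silently leave the other with index deletion rights.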
Expand Up @@ -1740,6 +1740,7 @@ public void testKibanaSystemRole() {
kibanaRole.indices().allowedIndicesMatcher(TransportUpdateSettingsAction.TYPE.name()).test(indexAbstraction),
is(true)
);
assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportDeleteIndexAction.TYPE.name()).test(indexAbstraction), is(true));

// Implied by the overall view_index_metadata and monitor privilege
assertViewIndexMetadata(kibanaRole, indexName);
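Review bot: The assertion added after the TransportUpdateSettingsAction check is the only test change visible for a role change that touches two privilege lists, and it checks a single indexAbstraction. Suggest confirming that an index under each affected pattern reaches this assertion, and adding an is(false) check for an index outside those patterns so the test fails if the delete grant is ever widened.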