Conversation

@Omolola-Akinleye (Contributor) commented May 29, 2025

SDH ticket "Cannot execute ILM policy delete step on CSPM findings logs" was created a few weeks ago. Discussion thread between the product manager, engineering and the SDH engineer on two proposed solutions:

  • Solution: Update the data stream index with delete_index privileges for logs-cloud_security_posture.-* to prevent a deletion phase execution error when logs-cloud_security_posture.-* exceeds the retention period (180 days). There has also been a similar SDH, "Cannot execute ILM policy delete step", with elevated delete privileges on Endpoint/APM data streams.

This PR adds the logs-cloud_security_posture.-* index under the kibana_system role with the delete_index privilege, to prevent a failed deletion error when the index enters the delete phase of the ILM lifecycle.

```json
{
  "failed_step": "delete",
  "step_info": {
    "type": "security_exception",
    "reason": "action [indices:admin/delete] is unauthorized for user [kibana_system] with effective roles [kibana_system] on indices [.ds-logs-cloud_security_posture.findings-default-2024.03.15-000001], this action is granted by the index privileges [delete_index,manage,all]"
  }
}
```
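As an added illustration (not code from this PR or from Elasticsearch itself), this is the check a cluster operator would run over a `GET <index>/_ilm/explain` response to spot exactly the failure mode described above: a backing index parked in the delete phase because the ILM user lacks `delete_index`. The sample response is constructed for the example, with the `reason` text copied from the error quoted in the description; the `_has_privileges` request body and the `_ilm/retry` path are the standard Elasticsearch APIs used to confirm the role change and resume the policy.

```python
import json
import re

# Constructed sample of a GET <index>/_ilm/explain response. The first backing
# index is stuck in the delete phase with the security_exception quoted in the
# PR description; the second is a healthy hot-phase index for contrast. Index
# names, dates and policy names are made up for this example.
SAMPLE_EXPLAIN = json.dumps({
    "indices": {
        ".ds-logs-cloud_security_posture.findings-default-2024.03.15-000001": {
            "index": ".ds-logs-cloud_security_posture.findings-default-2024.03.15-000001",
            "managed": True,
            "policy": "logs-cloud_security_posture.findings-default",
            "phase": "delete",
            "action": "delete",
            "step": "ERROR",
            "failed_step": "delete",
            "step_info": {
                "type": "security_exception",
                "reason": (
                    "action [indices:admin/delete] is unauthorized for user "
                    "[kibana_system] with effective roles [kibana_system] on indices "
                    "[.ds-logs-cloud_security_posture.findings-default-2024.03.15-000001], "
                    "this action is granted by the index privileges [delete_index,manage,all]"
                ),
            },
        },
        ".ds-logs-cloud_security_posture.findings-default-2025.05.01-000003": {
            "index": ".ds-logs-cloud_security_posture.findings-default-2025.05.01-000003",
            "managed": True,
            "policy": "logs-cloud_security_posture.findings-default",
            "phase": "hot",
            "action": "rollover",
            "step": "check-rollover-ready",
        },
    }
})

# Pulls the action, the user and the granting privileges out of the
# security_exception reason string Elasticsearch produces for an
# unauthorized index action.
REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r".*?this action is granted by the index privileges \[(?P<privs>[^\]]+)\]"
)


def find_failed_delete_steps(explain_json):
    """Return one record per managed index whose ILM delete step failed with a security_exception."""
    data = json.loads(explain_json)
    findings = []
    for name, info in data.get("indices", {}).items():
        if not info.get("managed") or info.get("failed_step") != "delete":
            continue
        step_info = info.get("step_info") or {}
        if step_info.get("type") != "security_exception":
            continue
        match = REASON_RE.search(step_info.get("reason", ""))
        if match is None:
            continue  # some other security failure; not the privilege gap handled here
        findings.append({
            "index": name,
            "policy": info.get("policy"),
            "action": match.group("action"),
            "user": match.group("user"),
            "granting_privileges": [p.strip() for p in match.group("privs").split(",")],
        })
    return findings


def has_privileges_request(finding):
    """Body for GET /_security/user/<user>/_has_privileges that verifies the fix:
    after the role change, the ILM user must hold delete_index on the stuck index."""
    return {"index": [{"names": [finding["index"]], "privileges": ["delete_index"]}]}


def retry_path(finding):
    """Path for POST <index>/_ilm/retry, which re-runs the failed step once the privilege is granted."""
    return "/%s/_ilm/retry" % finding["index"]


if __name__ == "__main__":
    for f in find_failed_delete_steps(SAMPLE_EXPLAIN):
        print("stuck:", f["index"], "user", f["user"], "needs one of", f["granting_privileges"])
        print("verify:", json.dumps(has_privileges_request(f)))
        print("then:", retry_path(f))
```

The regex is anchored on the wording of the security_exception rather than on a field, because `step_info.reason` is the only place the explain API reports which privilege would have granted the action; anything that does not match is left alone rather than guessed at.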

@Omolola-Akinleye requested a review from a team as a code owner May 29, 2025 18:51
@elasticsearchmachine added labels v9.1.0, needs:triage (Requires assignment of a team area label), external-contributor (Pull request authored by a developer outside the Elasticsearch team) May 29, 2025
@Omolola-Akinleye added the label Team:Cloud Security (Meta label for Cloud Security team) May 29, 2025
@elasticsearchmachine removed the label needs:triage (Requires assignment of a team area label) May 29, 2025
@Omolola-Akinleye added labels needs:triage (Requires assignment of a team area label), v8.19.0, :Security/Authorization (Roles, Privileges, DLS/FLS, RBAC/ABAC), >bug and removed labels needs:triage (Requires assignment of a team area label), external-contributor (Pull request authored by a developer outside the Elasticsearch team) May 29, 2025
@elasticsearchmachine added the label Team:Security (Meta label for security team) May 29, 2025
@elasticsearchmachine (Collaborator) commented:

Pinging @elastic/es-security (Team:Security)

@Omolola-Akinleye added labels auto-backport (Automatically create backport pull requests when merged), backport May 29, 2025
"index",
"delete",
// Require "delete_index" to perform ILM policy actions
TransportDeleteIndexAction.TYPE.name(),
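Review bot: the comment on the third line says the requirement is the "delete_index" privilege, but the entry actually added is the raw action name TransportDeleteIndexAction.TYPE.name() (the indices:admin/delete action quoted in the PR's error message), not the named delete_index privilege; either reword the comment to say it grants the indices:admin/delete action that the ILM delete step issues, or grant the named privilege, so that the code and the ILM error message describe the same thing. It would also help to state in the comment which index patterns this block covers, since the review question below is whether logs-cloud_security_posture.findings-* and vulnerabilities_latest-default* both need it.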


For my own knowledge, is this different from the delete_index named privilege?

It might be my limited understanding of the issue and how we manage these indices, but...

  • do we need delete_index also on the above indices (logs-cloud_security_posture.findings-*)?
  • and should we really be applying the same privileges to vulnerabilities_latest-default* here? Or is this unnecessary?

@Omolola-Akinleye (Contributor, Author) replied Jun 3, 2025

> do we need delete_index also on the above indices (logs-cloud_security_posture.findings-*)?

For the index privilege, I see TransportDeleteIndexAction.TYPE.name() will have the admin:delete action.

> and should we really be applying the same privileges to vulnerabilities_latest-default* here? Or is this unnecessary?

That's a good point! We should have privileges for vulnerabilities_latest-default* and logs-cloud_security_posture.findings-*.


Thanks for double checking and confirming!

@Omolola-Akinleye requested a review from CohenIdo June 3, 2025 19:26

@Omolola-Akinleye enabled auto-merge (squash) June 23, 2025 15:21
@Omolola-Akinleye merged commit ded666e into elastic:main Jun 23, 2025
38 checks passed
mridula-s109 pushed a commit to mridula-s109/elasticsearch that referenced this pull request Jun 25, 2025
…stic#128634)

* fix ilm deletion step policy

* [CI] Auto commit changes from spotless

---------

Co-authored-by: elasticsearchmachine <[email protected]>
Successfully merging this pull request may close these issues.

[Security Solution][CSPM][Fleet] Cannot execute ILM policy delete step on CSPM findings logs

3 participants