Skip to content

[Fleet] Add permissions to kibana_system to write logs-elastic_agent.status_change-* data stream #129191

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jun 16, 2025
Merged

[Fleet] Add permissions to kibana_system to write logs-elastic_agent.status_change-* data stream #129191

merged 5 commits into from
Jun 16, 2025

Conversation

@juliaElastic
Copy link
Contributor

@juliaElastic juliaElastic commented Jun 10, 2025

Closes https://github.com/elastic/ingest-dev/issues/5634

Add permissions to kibana_system to write logs-elastic_agent.status_change-* data stream.
Required for a new feature to write Agent status to a new data stream for alerting.

  • Have you signed the contributor license agreement? yes
  • Have you followed the contributor guidelines? yes
  • If submitting code, have you built your formula locally prior to submission with gradle check? yes
  • If submitting code, is your pull request against main? Unless there is a good reason otherwise, we prefer pull requests against main and will backport as needed. yes
  • If submitting code, have you checked that your submission is for an OS and architecture that we support? yes
  • If you are submitting this code for a class then read our policy for that.

@juliaElastic juliaElastic requested a review from a team as a code owner June 10, 2025 12:36
@juliaElastic juliaElastic self-assigned this Jun 10, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Jun 10, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jun 10, 2025

Pinging @elastic/es-core-infra (Team:Core/Infra)

@elasticsearchmachine elasticsearchmachine added v9.1.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Jun 10, 2025
azasypkin
azasypkin reviewed Jun 12, 2025
View reviewed changes
...va/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
.allowRestrictedIndices(true)
.build(),
// Fleet writes to this datastream for Agent status alerting feature
RoleDescriptor.IndicesPrivileges.builder().indices("logs-elastic_agent.status_change-*").privileges("all").build(),
Copy link
Member

@azasypkin azasypkin Jun 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

questions:

  1. Is the functionality that relies on this permission available in all our offerings (on-prem, ECH, Serverless)?
  2. Are you planning to backport this change to 8.x?
  3. The linked issue says that user needs permissions to **write**, do we really need all here or we can just use write?

Copy link
Contributor Author

@juliaElastic juliaElastic Jun 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Yes
  2. No, this feature is planned for 9.2
  3. We need all to include creating/deleting/managing the data stream too.

azasypkin
azasypkin approved these changes Jun 16, 2025
View reviewed changes
Copy link
Member

@azasypkin azasypkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for answering clarifying questions and updating the kibana_system privileges spreadsheet.

@juliaElastic juliaElastic merged commit b517bc7 into elastic:main Jun 16, 2025
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@azasypkin azasypkin azasypkin approved these changes

Assignees

@juliaElastic juliaElastic

Labels

:Core/Infra/Plugins Plugin API and infrastructure external-contributor Pull request authored by a developer outside the Elasticsearch team >non-issue Team:Core/Infra Meta label for core/infra team Team:Fleet v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@juliaElastic @elasticsearchmachine @azasypkin