Skip to content

[Fleet] manage_ccr privilege to kibana_system #129915

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[Fleet] manage_ccr privilege to kibana_system #129915

wants to merge 1 commit into from

Conversation

@juliaElastic
Copy link
Contributor

@juliaElastic juliaElastic commented Jun 24, 2025

Relates elastic/kibana#221277

Fleet sync integrations feature might fail with retention leases error. To fix this automatically, Fleet needs manage_ccr privilege to recreate the follower index.

  • Have you signed the contributor license agreement? yes
  • Have you followed the contributor guidelines? yes
  • If submitting code, have you built your formula locally prior to submission with gradle check? yes
  • If submitting code, is your pull request against main? Unless there is a good reason otherwise, we prefer pull requests against main and will backport as needed. yes
  • If submitting code, have you checked that your submission is for an OS and architecture that we support? yes
  • If you are submitting this code for a class then read our policy for that.

@juliaElastic juliaElastic requested a review from a team as a code owner June 24, 2025 12:43
@juliaElastic juliaElastic added >non-issue :Core/Infra/Plugins Plugin API and infrastructure Team:Core/Infra Meta label for core/infra team Team:Fleet v9.1.0 labels Jun 24, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jun 24, 2025

Pinging @elastic/es-core-infra (Team:Core/Infra)

@elasticsearchmachine elasticsearchmachine added the external-contributor Pull request authored by a developer outside the Elasticsearch team label Jun 24, 2025
@juliaElastic juliaElastic mentioned this pull request Jun 24, 2025
Closed
1 task
legrego
legrego reviewed Jun 24, 2025
View reviewed changes
Copy link
Member

@legrego legrego left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading through elastic/kibana#221277, it seems like the conditions necessary to trigger this scenario are quite rare.

I am all for improving the UX in this scenario, but granting manage_ccr to the Kibana system user for the sole purpose of autocorrecting a rare condition does not feel like the right tradeoff.

What alternatives have we explored?

@juliaElastic
Copy link
Contributor Author

juliaElastic commented Jun 24, 2025

Reading through elastic/kibana#221277, it seems like the conditions necessary to trigger this scenario are quite rare.

I am all for improving the UX in this scenario, but granting manage_ccr to the Kibana system user for the sole purpose of autocorrecting a rare condition does not feel like the right tradeoff.

What alternatives have we explored?

We have a knowledge article to advise users to fix this scenario manually: https://support.elastic.dev/knowledge/view/6efaa9e7

I'm not aware of a way to prevent this error altogether.

I understand that it looks like an overkill to grant manage_ccr just to fix a rare error scenario. We can probably park this change for now and revisit later if we get a lot of SDHs. cc @kpollich

@legrego
Copy link
Member

legrego commented Jun 24, 2025

@juliaElastic @kpollich Could we instead present a screen to an administrator, asking them to click a button to repair this? With that approach, we can rely on the administrator's privileges, rather than augmenting our system privileges.

@kpollich
Copy link
Member

kpollich commented Jun 24, 2025

I understand that it looks like an overkill to grant manage_ccr just to fix a rare error scenario. We can probably park this change for now and revisit later if we get a lot of SDHs. cc @kpollich

+1 from me.

The KB article is great, but we should document this publicly in a troubleshooting doc as well. I think this is rare enough that a manual workaround is acceptable.

@juliaElastic @kpollich Could we instead present a screen to an administrator, asking them to click a button to repair this? With that approach, we can rely on the administrator's privileges, rather than augmenting our system privileges.

This is a reasonable suggestion, but I think even putting a screen like this together is probably more effort that this rare edge case error requires. I'd rather start with public docs and revisit this with something more robust if we see support noise.

@juliaElastic
Copy link
Contributor Author

juliaElastic commented Jun 24, 2025

Okay, thanks for the feedback. I'll close this pr for now.

@juliaElastic juliaElastic mentioned this pull request Jun 25, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@legrego legrego legrego left review comments

Assignees

No one assigned

Labels

:Core/Infra/Plugins Plugin API and infrastructure external-contributor Pull request authored by a developer outside the Elasticsearch team >non-issue Team:Core/Infra Meta label for core/infra team Team:Fleet v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@juliaElastic @elasticsearchmachine @legrego @kpollich