Add read permissions for osquery manager result indices #130824
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
szwarckonrad
added
>enhancement
:Security/Security
|
Pinging @elastic/es-security (Team:Security) |
elasticsearchmachine
added
the
external-contributor
|
Hi @szwarckonrad, I've created a changelog YAML for you. |
szwarckonrad
added
the
cloud-deploy
SiddharthMantri
approved these changes
Jul 10, 2025
|
The privileges are being added for a data index that matches the known collision pattern |
szwarckonrad
added a commit
to elastic/kibana
that referenced
this pull request
Sep 10, 2025
# Add Namespace Awareness to Osquery Live Query and Action Results ## Dependencies Depends on elastic/elasticsearch#130824 ## Summary Adds namespace awareness to osquery live query and action results to ensure proper space isolation. Refactors frontend hooks to use API endpoints as a necessary step to implement server-side namespace filtering. **Removed constraint requiring user to have access to logs.osquery_manager.results-default index. Now user can use results index from any namespace** ## Changes Made ### Namespace Awareness Implementation - Added space-scoped integration namespace retrieval for osquery results - Enhanced DSL queries to support space-aware index patterns - Implemented proper space isolation to prevent cross-space data leakage - Extended `OsqueryAppContextService` with namespace-aware capabilities ### Frontend Hook Refactoring (Required for Namespace Support) - `use_all_results.ts`: Refactored to call API endpoint instead of direct search strategy - `use_action_results.ts`: Refactored to call new API endpoint instead of direct search strategy - Moved complex namespace logic to server-side for proper space isolation - Maintained backward compatibility for consuming components ### New API Infrastructure - Created `action_results/get_action_results_route.ts` endpoint with namespace support - Enhanced existing live query results endpoint with namespace filtering - Added proper request/response validation and route registration ### Server-Side Utilities - New utility: `get_integration_namespaces.ts` for space-scoped namespace retrieval - New utility: `build_index_name_with_namespace.ts` for consistent index pattern building - Enhanced action results DSL with `integrationNamespaces` parameter support - Improved live query results DSL namespace handling ### Elasticsearch: - Added `logs-osquery_manager.result-*` to `kibana_system` role so that we can use internal es client (which in the end uses user with `kibana_system` role) to query all indices but filter by user accessible namespaces in our own services. --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Tomasz Ciecierski <[email protected]>
eleonoramicozzi
pushed a commit
to eleonoramicozzi/kibana
that referenced
this pull request
Sep 10, 2025
…225617) # Add Namespace Awareness to Osquery Live Query and Action Results ## Dependencies Depends on elastic/elasticsearch#130824 ## Summary Adds namespace awareness to osquery live query and action results to ensure proper space isolation. Refactors frontend hooks to use API endpoints as a necessary step to implement server-side namespace filtering. **Removed constraint requiring user to have access to logs.osquery_manager.results-default index. Now user can use results index from any namespace** ## Changes Made ### Namespace Awareness Implementation - Added space-scoped integration namespace retrieval for osquery results - Enhanced DSL queries to support space-aware index patterns - Implemented proper space isolation to prevent cross-space data leakage - Extended `OsqueryAppContextService` with namespace-aware capabilities ### Frontend Hook Refactoring (Required for Namespace Support) - `use_all_results.ts`: Refactored to call API endpoint instead of direct search strategy - `use_action_results.ts`: Refactored to call new API endpoint instead of direct search strategy - Moved complex namespace logic to server-side for proper space isolation - Maintained backward compatibility for consuming components ### New API Infrastructure - Created `action_results/get_action_results_route.ts` endpoint with namespace support - Enhanced existing live query results endpoint with namespace filtering - Added proper request/response validation and route registration ### Server-Side Utilities - New utility: `get_integration_namespaces.ts` for space-scoped namespace retrieval - New utility: `build_index_name_with_namespace.ts` for consistent index pattern building - Enhanced action results DSL with `integrationNamespaces` parameter support - Improved live query results DSL namespace handling ### Elasticsearch: - Added `logs-osquery_manager.result-*` to `kibana_system` role so that we can use internal es client (which in the end uses user with `kibana_system` role) to query all indices but filter by user accessible namespaces in our own services. --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Tomasz Ciecierski <[email protected]>
KodeRad
pushed a commit
to KodeRad/kibana
that referenced
this pull request
Sep 15, 2025
…225617) # Add Namespace Awareness to Osquery Live Query and Action Results ## Dependencies Depends on elastic/elasticsearch#130824 ## Summary Adds namespace awareness to osquery live query and action results to ensure proper space isolation. Refactors frontend hooks to use API endpoints as a necessary step to implement server-side namespace filtering. **Removed constraint requiring user to have access to logs.osquery_manager.results-default index. Now user can use results index from any namespace** ## Changes Made ### Namespace Awareness Implementation - Added space-scoped integration namespace retrieval for osquery results - Enhanced DSL queries to support space-aware index patterns - Implemented proper space isolation to prevent cross-space data leakage - Extended `OsqueryAppContextService` with namespace-aware capabilities ### Frontend Hook Refactoring (Required for Namespace Support) - `use_all_results.ts`: Refactored to call API endpoint instead of direct search strategy - `use_action_results.ts`: Refactored to call new API endpoint instead of direct search strategy - Moved complex namespace logic to server-side for proper space isolation - Maintained backward compatibility for consuming components ### New API Infrastructure - Created `action_results/get_action_results_route.ts` endpoint with namespace support - Enhanced existing live query results endpoint with namespace filtering - Added proper request/response validation and route registration ### Server-Side Utilities - New utility: `get_integration_namespaces.ts` for space-scoped namespace retrieval - New utility: `build_index_name_with_namespace.ts` for consistent index pattern building - Enhanced action results DSL with `integrationNamespaces` parameter support - Improved live query results DSL namespace handling ### Elasticsearch: - Added `logs-osquery_manager.result-*` to `kibana_system` role so that we can use internal es client (which in the end uses user with `kibana_system` role) to query all indices but filter by user accessible namespaces in our own services. --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Tomasz Ciecierski <[email protected]>
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Sep 24, 2025
…225617) # Add Namespace Awareness to Osquery Live Query and Action Results ## Dependencies Depends on elastic/elasticsearch#130824 ## Summary Adds namespace awareness to osquery live query and action results to ensure proper space isolation. Refactors frontend hooks to use API endpoints as a necessary step to implement server-side namespace filtering. **Removed constraint requiring user to have access to logs.osquery_manager.results-default index. Now user can use results index from any namespace** ## Changes Made ### Namespace Awareness Implementation - Added space-scoped integration namespace retrieval for osquery results - Enhanced DSL queries to support space-aware index patterns - Implemented proper space isolation to prevent cross-space data leakage - Extended `OsqueryAppContextService` with namespace-aware capabilities ### Frontend Hook Refactoring (Required for Namespace Support) - `use_all_results.ts`: Refactored to call API endpoint instead of direct search strategy - `use_action_results.ts`: Refactored to call new API endpoint instead of direct search strategy - Moved complex namespace logic to server-side for proper space isolation - Maintained backward compatibility for consuming components ### New API Infrastructure - Created `action_results/get_action_results_route.ts` endpoint with namespace support - Enhanced existing live query results endpoint with namespace filtering - Added proper request/response validation and route registration ### Server-Side Utilities - New utility: `get_integration_namespaces.ts` for space-scoped namespace retrieval - New utility: `build_index_name_with_namespace.ts` for consistent index pattern building - Enhanced action results DSL with `integrationNamespaces` parameter support - Improved live query results DSL namespace handling ### Elasticsearch: - Added `logs-osquery_manager.result-*` to `kibana_system` role so that we can use internal es client (which in the end uses user with `kibana_system` role) to query all indices but filter by user accessible namespaces in our own services. --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Tomasz Ciecierski <[email protected]>
niros1
pushed a commit
to elastic/kibana
that referenced
this pull request
Sep 30, 2025
# Add Namespace Awareness to Osquery Live Query and Action Results ## Dependencies Depends on elastic/elasticsearch#130824 ## Summary Adds namespace awareness to osquery live query and action results to ensure proper space isolation. Refactors frontend hooks to use API endpoints as a necessary step to implement server-side namespace filtering. **Removed constraint requiring user to have access to logs.osquery_manager.results-default index. Now user can use results index from any namespace** ## Changes Made ### Namespace Awareness Implementation - Added space-scoped integration namespace retrieval for osquery results - Enhanced DSL queries to support space-aware index patterns - Implemented proper space isolation to prevent cross-space data leakage - Extended `OsqueryAppContextService` with namespace-aware capabilities ### Frontend Hook Refactoring (Required for Namespace Support) - `use_all_results.ts`: Refactored to call API endpoint instead of direct search strategy - `use_action_results.ts`: Refactored to call new API endpoint instead of direct search strategy - Moved complex namespace logic to server-side for proper space isolation - Maintained backward compatibility for consuming components ### New API Infrastructure - Created `action_results/get_action_results_route.ts` endpoint with namespace support - Enhanced existing live query results endpoint with namespace filtering - Added proper request/response validation and route registration ### Server-Side Utilities - New utility: `get_integration_namespaces.ts` for space-scoped namespace retrieval - New utility: `build_index_name_with_namespace.ts` for consistent index pattern building - Enhanced action results DSL with `integrationNamespaces` parameter support - Improved live query results DSL namespace handling ### Elasticsearch: - Added `logs-osquery_manager.result-*` to `kibana_system` role so that we can use internal es client (which in the end uses user with `kibana_system` role) to query all indices but filter by user accessible namespaces in our own services. --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Tomasz Ciecierski <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add read permissions for osquery manager result index pattern
logs-osquery_manager.result-*tokibana_systemrole.We need to be able to query these indices with full access using internal clients and set privileges in our services.