ShourieG
Contributor

@ShourieG ShourieG commented Aug 4, 2025

This PR focuses on the short-term solution, which adds the logs-extrahop.investigation-* and logs-qualys_gav.asset-* indices under the kibana_system role with deletion privileges to prevent a failed deletion error when the index enters the deletion phase for the ILM lifecycle, in upcoming PRs.

Current behavior:

  • It shows a permission issue while deleting the index

For Qualys GAV:

{
  "failed_step": "delete",
  "step_info": {
    "type": "security_exception",
    "reason": "action [indices:admin/delete] is unauthorized for user [found-internal-kibana4-server] with effective roles [found-internal-kibana4-server,kibana_system] on indices [.ds-logs-qualys_gav.asset-default-2025.07.24-000001], this action is granted by the index privileges [delete_index,manage,all]"
  }
}

For ExtraHop:

{
  "failed_step": "delete",
  "step_info": {
    "type": "security_exception",
    "reason": "action [indices:admin/delete] is unauthorized for user [found-internal-kibana4-server] with effective roles [found-internal-kibana4-server, kibana_system] on indices [.ds-logs-extrahop.investigation-default-2025.07.23-000001], this action is granted by the index privileges [delete_index, manage, all]"
  }
}

Closes - #131825
Similar Issues : elastic/kibana#197390, #116982
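
Added example, not part of the PR or of the Elasticsearch code base: a triage helper that parses the failed-step output quoted above and reports which denied indices are still not matched by a given list of role index patterns. It assumes the `.ds-<data stream>-<yyyy.MM.dd>-<generation>` backing-index naming seen in the errors, approximates Elasticsearch index patterns with shell-style wildcards, and takes the patterns from the PR description rather than reading the real role; all function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the ExtraHop ILM failure quoted in the PR description.
SAMPLE = {
    "failed_step": "delete",
    "step_info": {
        "type": "security_exception",
        "reason": "action [indices:admin/delete] is unauthorized for user "
                  "[found-internal-kibana4-server] with effective roles "
                  "[found-internal-kibana4-server, kibana_system] on indices "
                  "[.ds-logs-extrahop.investigation-default-2025.07.23-000001], "
                  "this action is granted by the index privileges "
                  "[delete_index, manage, all]",
    },
}
# Index patterns named in the PR description (the real role is not read here).
PR_PATTERNS = ["logs-extrahop.investigation-*", "logs-qualys_gav.asset-*"]

REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\] "
    r"with effective roles \[(?P<roles>[^\]]+)\] on indices \[(?P<indices>[^\]]+)\], "
    r"this action is granted by the index privileges \[(?P<privileges>[^\]]+)\]"
)
# Assumed backing-index naming: .ds-<data stream>-<yyyy.MM.dd>-<generation>
BACKING_RE = re.compile(r"^\.ds-(?P<stream>.+)-\d{4}\.\d{2}\.\d{2}-\d{6}$")

def parse_failed_step(doc):
    """Parse a failed ILM step; None unless it is a security_exception."""
    info = doc.get("step_info", {})
    m = REASON_RE.search(info.get("reason", ""))
    if info.get("type") != "security_exception" or not m:
        return None
    out = {"step": doc.get("failed_step"), "action": m["action"], "user": m["user"]}
    for key in ("roles", "indices", "privileges"):
        # The two samples on the page differ in spacing after commas.
        out[key] = [item.strip() for item in m[key].split(",")]
    return out

def data_stream_of(index):
    """Map a backing index to its data stream; other names pass through."""
    m = BACKING_RE.match(index)
    return m["stream"] if m else index

def uncovered(doc, patterns):
    """Denied indices that no pattern matches, directly or via data stream."""
    indices = (parse_failed_step(doc) or {}).get("indices", [])
    return [i for i in indices
            if not any(fnmatchcase(n, p) for n in (i, data_stream_of(i)) for p in patterns)]
```

An empty result from `uncovered(SAMPLE, PR_PATTERNS)` means every index named in the failure falls under one of the listed patterns.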

@ShourieG ShourieG self-assigned this Aug 4, 2025
@ShourieG ShourieG added the >bug label Aug 4, 2025
@ShourieG ShourieG requested a review from a team as a code owner August 4, 2025 09:59
@ShourieG ShourieG added the Team:Cloud Security Meta label for Cloud Security team label Aug 4, 2025
@elasticsearchmachine elasticsearchmachine added v9.2.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Aug 4, 2025
@ShourieG ShourieG added v8.18.0 :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC and removed external-contributor Pull request authored by a developer outside the Elasticsearch team v9.2.0 labels Aug 4, 2025
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@gmarouli gmarouli added v9.2.0 and removed v8.18.0 labels Aug 5, 2025
@gmarouli
Contributor

gmarouli commented Aug 5, 2025

Hi @ShourieG, I do not think that I am qualified to review this; it looks like GitHub has already selected a team to review.

My only comment is the wrong version. I removed the 8.18.0 and put back the 9.2.0. Changes in this branch only make it to 9.2.0; if you need it backported to other versions, let me know and I can add the necessary labels.

@ShourieG
Contributor Author

ShourieG commented Aug 6, 2025

Hi @gmarouli, we would need this to be backported to at least 8.18 and above

@ShourieG ShourieG requested a review from kcreddy August 6, 2025 08:43
@gmarouli gmarouli added auto-backport Automatically create backport pull requests when merged v8.18.5 v8.19.2 v9.1.2 v9.0.5 labels Aug 6, 2025
@gmarouli
Contributor

gmarouli commented Aug 6, 2025

@ShourieG I recommend running ./gradlew precommit before pushing, this way you can find the compilation and format errors and fix them before pushing. You can also see how to run it locally: https://github.com/elastic/elasticsearch/blob/main/CONTRIBUTING.md#contributing-to-the-elasticsearch-codebase

@slobodanadamovic slobodanadamovic self-requested a review August 6, 2025 11:51
Contributor

@slobodanadamovic slobodanadamovic left a comment

LGTM (from es-security side - pending green CI and compilation resolving)

Please make sure to get approval from @elastic/kibana-security team as well.

@SiddharthMantri SiddharthMantri self-requested a review August 6, 2025 12:23
@ShourieG ShourieG force-pushed the enhancement/add_ilm_delete_index branch from 75aff4f to 1d73e61 Compare August 6, 2025 14:33
@ShourieG ShourieG force-pushed the enhancement/add_ilm_delete_index branch from c051db0 to ae90521 Compare August 6, 2025 17:21
@ShourieG
Contributor Author

ShourieG commented Aug 7, 2025

Hi @elastic/kibana-security, could I get a review/approval on this?

@ShourieG ShourieG merged commit 0d7a2cc into elastic:main Aug 7, 2025
39 checks passed
@ShourieG ShourieG deleted the enhancement/add_ilm_delete_index branch August 7, 2025 08:01
@ShourieG ShourieG restored the enhancement/add_ilm_delete_index branch August 8, 2025 09:38
ShourieG added a commit to ShourieG/elasticsearch that referenced this pull request Aug 8, 2025
…lastic#132387)

This PR focuses on the short-term solution, which adds the logs-extrahop.investigation-* and logs-qualys_gav.asset-* indices under the kibana_system role with deletion privileges to prevent a failed deletion error when the index enters the deletion phase for the ILM lifecycle, in upcoming PRs.

(cherry picked from commit 0d7a2cc)
@ShourieG
Contributor Author

ShourieG commented Aug 8, 2025

💚 All backports created successfully

Branch:

  • 9.1
  • 9.0
  • 8.19
  • 8.18

Questions?

Please refer to the Backport tool documentation

@ShourieG ShourieG deleted the enhancement/add_ilm_delete_index branch August 8, 2025 10:55
elasticsearchmachine pushed a commit that referenced this pull request Aug 8, 2025
…132387) (#132572)

This PR focuses on the short-term solution, which adds the logs-extrahop.investigation-* and logs-qualys_gav.asset-* indices under the kibana_system role with deletion privileges to prevent a failed deletion error when the index enters the deletion phase for the ILM lifecycle, in upcoming PRs.

(cherry picked from commit 0d7a2cc)
elasticsearchmachine pushed a commit that referenced this pull request Aug 8, 2025
…132387) (#132573)

This PR focuses on the short-term solution, which adds the logs-extrahop.investigation-* and logs-qualys_gav.asset-* indices under the kibana_system role with deletion privileges to prevent a failed deletion error when the index enters the deletion phase for the ILM lifecycle, in upcoming PRs.

(cherry picked from commit 0d7a2cc)
elasticsearchmachine pushed a commit that referenced this pull request Aug 8, 2025
…132387) (#132571)

This PR focuses on the short-term solution, which adds the logs-extrahop.investigation-* and logs-qualys_gav.asset-* indices under the kibana_system role with deletion privileges to prevent a failed deletion error when the index enters the deletion phase for the ILM lifecycle, in upcoming PRs.

(cherry picked from commit 0d7a2cc)
@ShourieG
Contributor Author

ShourieG commented Aug 8, 2025

@janvi-elastic, we are unblocked from 8.19 and above; 8.18 should be unblocked after discovering reasons for ci-failure

elasticsearchmachine pushed a commit that referenced this pull request Aug 11, 2025
…step (#132387) (#132574)

* [ExtraHop][Qualys GAV] - Fix Cannot execute ILM policy delete step (#132387)

This PR focuses on the short-term solution, which adds the logs-extrahop.investigation-* and logs-qualys_gav.asset-* indices under the kibana_system role with deletion privileges to prevent a failed deletion error when the index enters the deletion phase for the ILM lifecycle, in upcoming PRs.

(cherry picked from commit 0d7a2cc)

* Update KibanaOwnedReservedRoleDescriptors.java

added missing imports in KibanaOwnedReservedRoleDescriptors

* [CI] Auto commit changes from spotless

---------

Co-authored-by: elasticsearchmachine <[email protected]>

Labels

auto-backport Automatically create backport pull requests when merged >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Cloud Security Meta label for Cloud Security team Team:Security Meta label for security team v8.18.5 v8.19.2 v9.0.5 v9.1.2 v9.2.0

6 participants