Skip to content

[Fleet] add privileges to kibana_system to read integrations data #132501

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 7 commits into from
Closed

[Fleet] add privileges to kibana_system to read integrations data #132501

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
b4e4e14
Revert "[Fleet] add privileges to `kibana_system` to read integration…
juliaElastic Aug 6, 2025
eaee8fc
[Fleet] add privileges to `kibana_system` to read integrations data (…
juliaElastic Aug 5, 2025
0b5793f
Merge branch 'main' into readd-132400
juliaElastic Aug 18, 2025
abe2fc3
[Fleet] add privileges to `kibana_system` to read integrations data (…
juliaElastic Aug 5, 2025
befbc61
Merge branch 'main' into readd-132400
juliaElastic Aug 20, 2025
afdbba3
Merge branch 'main' into readd-132400
juliaElastic Aug 20, 2025
0d0832d
Merge branch 'main' into readd-132400
juliaElastic Aug 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions ...org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -336,6 +336,8 @@ static RoleDescriptor kibanaSystem(String name) {
"indices:admin/data_stream/lifecycle/put"
)
.build(),
// Read datasets for auto install content packages feature in Fleet
RoleDescriptor.IndicesPrivileges.builder().indices("logs-*", "metrics-*", "traces-*").privileges("read").build(),
Copy link
Contributor

@SiddharthMantri SiddharthMantri Aug 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @juliaElastic - on the related Kibana PR here: https://github.com/elastic/kibana/pull/230369/files#diff-53e6fb38de62c0f181daadc9c2b0301b019268fc469e00d56eeca3a1a523aca1R299-R302 Are you requesting read privileges on logs- and metrics- for reading the dataStream dataset name?

If so, you only require view_index_metadata privileges: https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-get-data-stream.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm we should be able to derive the dataset from the data stream name metrics-<dataset>-<namespace>.

Just to check, is there a way to only read the data_stream.dataset field in the data stream docs?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure tbh. Probably a question for ES team but from my initial understanding of the Datastreams API, you can't derive specific fields like dataset as that would require read privileges again.

Copy link
Contributor Author

@juliaElastic juliaElastic Aug 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checked locally and it should be good to use the data streams API, kibana_system already has the privileges:

elasticsearch/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java

Line 164 in 0d0832d

RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("view_index_metadata", "monitor").build(),

I'll change the implementation in kibana and this pr can be closed. Thanks!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing, thank you for your patience and the changes.

// Endpoint specific action responses. Kibana reads and writes (for third party
// agents) to the index to display action responses to the user.
// `create_index`: is necessary in order to ensure that the DOT datastream index is
Expand Down
5 changes: 4 additions & 1 deletion .../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1397,7 +1397,10 @@ public void testKibanaSystemRole() {
|| indexName.startsWith(".logs-endpoint.actions-")
|| indexName.startsWith(".logs-endpoint.action.responses-")
|| indexName.startsWith(".logs-endpoint.heartbeat-")
|| indexName.startsWith(".logs-osquery_manager.actions-");
|| indexName.startsWith(".logs-osquery_manager.actions-")
|| indexName.startsWith("logs-")
|| indexName.startsWith("metrics-")
|| indexName.startsWith("traces-");
assertThat(
kibanaRole.indices().allowedIndicesMatcher(TransportGetAction.TYPE.name()).test(indexAbstraction),
is(isAlsoReadIndex)
Expand Down