From 7f703218987d1160b748976e860491718893dcec Mon Sep 17 00:00:00 2001
From: Felix Barnsteiner
Date: Wed, 29 Oct 2025 11:29:42 +0100
Subject: [PATCH 1/3] Enable _otlp usage with `create_doc`, `auto_configure` privileges

Previously, the full `write` privilege was required, now the more fine-grained `create_doc` privilege is enough. It still checks the permissions in the internal _bulk request again. For example, the request would fail if we used the `index` instead of the `create` op_type within the `OTLPMetricsTransportAction`.
---
 .../authz/privilege/IndexPrivilege.java | 9 ++++---
 .../otlp/OTLPMetricsIndexingRestIT.java | 24 ++++++++++++++++++-
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
index 7deb84968f10f..e1ae19acc4bb1 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
@@ -98,20 +98,23 @@ public final class IndexPrivilege extends Privilege {
 private static final Automaton CREATE_AUTOMATON = patterns(
 "indices:data/write/index*",
 "indices:data/write/bulk*",
- "indices:data/write/simulate/bulk*"
+ "indices:data/write/simulate/bulk*",
+ "indices:data/write/otlp/*"
 );
 private static final Automaton CREATE_DOC_AUTOMATON = patterns(
 "indices:data/write/index",
 "indices:data/write/index[*",
 "indices:data/write/index:op_type/create",
 "indices:data/write/bulk*",
- "indices:data/write/simulate/bulk*"
+ "indices:data/write/simulate/bulk*",
+ "indices:data/write/otlp/*"
 );
 private static final Automaton INDEX_AUTOMATON = patterns(
 "indices:data/write/index*",
 "indices:data/write/bulk*",
 "indices:data/write/update*",
- "indices:data/write/simulate/bulk*"
+ "indices:data/write/simulate/bulk*",
+ "indices:data/write/otlp/*"
 );
 private static final Automaton DELETE_AUTOMATON = patterns("indices:data/write/delete*", "indices:data/write/bulk*");
 private static final Automaton WRITE_AUTOMATON = patterns("indices:data/write/*", TransportAutoPutMappingAction.TYPE.name());
diff --git a/x-pack/plugin/otel-data/src/javaRestTest/java/org/elasticsearch/xpack/oteldata/otlp/OTLPMetricsIndexingRestIT.java b/x-pack/plugin/otel-data/src/javaRestTest/java/org/elasticsearch/xpack/oteldata/otlp/OTLPMetricsIndexingRestIT.java
index fa609d7c6d692..47d1740817853 100644
--- a/x-pack/plugin/otel-data/src/javaRestTest/java/org/elasticsearch/xpack/oteldata/otlp/OTLPMetricsIndexingRestIT.java
+++ b/x-pack/plugin/otel-data/src/javaRestTest/java/org/elasticsearch/xpack/oteldata/otlp/OTLPMetricsIndexingRestIT.java
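Review bot: `indices:data/write/otlp/*` is added to `CREATE_DOC_AUTOMATON`, a privilege whose whole point is the `op_type/create` restriction, but nothing in this file records that the grant is only sound because the OTLP transport action re-authorizes its internal bulk with the `create` op_type (the commit message states this). A later change that switches `OTLPMetricsTransportAction` to `index` would silently turn `create_doc` into overwrite access without ever touching this file, so pin the invariant next to the pattern: `"indices:data/write/otlp/*" // granted to create_doc only while OTLPMetricsTransportAction bulks with op_type create; the internal bulk is the real authz check`. The trailing wildcard also means any future action registered under `indices:data/write/otlp/` (not only metrics) inherits `create`, `create_doc` and `index` automatically; if that breadth is intended, say so in the same comment, otherwise name the metrics action explicitly. A unit test asserting that `create_doc` matches the OTLP action name while `delete` does not would guard both points; the enclosing class continues outside the hunk.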
@@ -96,7 +96,7 @@ protected Settings restClientSettings() {
 public void beforeTest() throws Exception {
 exporter = OtlpHttpMetricExporter.builder()
 .setEndpoint(getClusterHosts().getFirst().toURI() + "/_otlp/v1/metrics")
- .addHeader("Authorization", basicAuthHeaderValue(USER, new SecureString(PASS.toCharArray())))
+ .addHeader("Authorization", "ApiKey " + createApiKey())
 .build();
 meterProvider = SdkMeterProvider.builder()
 .registerMetricReader(
@@ -109,6 +109,28 @@ public void beforeTest() throws Exception {
 assertBusy(() -> assertOK(client().performRequest(new Request("GET", "_index_template/metrics-otel@template"))));
 }
 
+ private static String createApiKey() throws IOException {
+ // Create API key with create_doc privilege for metrics-* index
+ Request createApiKeyRequest = new Request("POST", "/_security/api_key");
+ createApiKeyRequest.setJsonEntity("""
+ {
+ "name": "otel-metrics-test-key",
+ "role_descriptors": {
+ "metrics_writer": {
+ "index": [
+ {
+ "names": ["metrics-*"],
+ "privileges": ["create_doc", "auto_configure"]
+ }
+ ]
+ }
+ }
+ }
+ """);
+ ObjectPath createApiKeyResponse = ObjectPath.createFromResponse(client().performRequest(createApiKeyRequest));
+ return createApiKeyResponse.evaluate("encoded");
+ }
+
 @Override
 public void tearDown() throws Exception {
 meterProvider.close();
From 13d0d464131f5eecde3700a66da70e0c1dc7a7e6 Mon Sep 17 00:00:00 2001
From: Felix Barnsteiner
Date: Wed, 29 Oct 2025 11:37:48 +0100
Subject: [PATCH 2/3] Update docs/changelog/137325.yaml

---
 docs/changelog/137325.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 docs/changelog/137325.yaml

diff --git a/docs/changelog/137325.yaml b/docs/changelog/137325.yaml
new file mode 100644
index 0000000000000..e3b898ef0a0de
--- /dev/null
+++ b/docs/changelog/137325.yaml
@@ -0,0 +1,5 @@
+pr: 137325
+summary: "Enable `_otlp` usage with `create_doc`, `auto_configure` privileges"
+area: TSDB
+type: "bug, enhancement"
+issues: []
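Review bot: `createApiKey()` mints a fresh key named `otel-metrics-test-key` on every `beforeTest()` and nothing invalidates it in `tearDown()`, so keys accumulate for the whole test run; keep the `id` from the create response alongside `encoded` and invalidate it in `tearDown()`, or create the key once at class level. With `basicAuthHeaderValue(USER, ...)` gone from the `@@ -96` hunk the test now proves only the positive path: there is no check that a principal lacking `create_doc` (for example `read` only on `metrics-*`) is rejected by `_otlp`, which is the very guarantee the privilege change depends on, so a second key with insufficient privileges asserting a 403 would be worth adding. The comment `// Create API key with create_doc privilege for metrics-* index` omits half of what is granted; `// Create API key with create_doc + auto_configure on metrics-*, the minimal set the _otlp endpoint should need` matches the request body. `beforeTest()` begins and `tearDown()` ends outside the hunk.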
From 0bbe29b130834e559163a3092dc052c40b561a22 Mon Sep 17 00:00:00 2001
From: Felix Barnsteiner
Date: Wed, 29 Oct 2025 11:47:34 +0100
Subject: [PATCH 3/3] Update 137325.yaml

---
 docs/changelog/137325.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/changelog/137325.yaml b/docs/changelog/137325.yaml
index e3b898ef0a0de..901415ffc3cc6 100644
--- a/docs/changelog/137325.yaml
+++ b/docs/changelog/137325.yaml
@@ -1,5 +1,5 @@
 pr: 137325
 summary: "Enable `_otlp` usage with `create_doc`, `auto_configure` privileges"
 area: TSDB
-type: "bug, enhancement"
+type: "bug"
 issues: []