Functionbeat requires manage_index_templates cluster permission with Elasticsearch 7.16

[Urokhtor]

Elasticsearch version (bin/elasticsearch --version): 7.16 (Elastic Cloud)

Description of the problem including expected versus actual behavior:

After Elasticsearch was upgraded in Elastic Cloud to 7.16, our Functionbeat stopped working. We see following error in our logs:

2021-12-08T06:42:16.576Z	ERROR	[publisher_pipeline_output]	pipeline/output.go:154	Failed to connect to backoff(elasticsearch(https://:9243)): Connection marked as failed because the onConnect callback failed: error loading template: failure while checking if template exists: 403 Forbidden: 
{
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "action [indices:admin/template/get] is unauthorized for user [functionbeat] with roles [functionbeat], this action is granted by the cluster privileges [manage_index_templates,manage,all]"
            }
        ],
        "type": "security_exception",
        "reason": "action [indices:admin/template/get] is unauthorized for user [functionbeat] with roles [functionbeat], this action is granted by the cluster privileges [manage_index_templates,manage,all]"
    },
    "status": 403
}

This issue can circumvented by adding the manage_index_templates to the role. However, the question is why should Functionbeat need that privilege? Isn't this overly permissive? Why should Functionbeat be able to manage index templates? It's also not mentioned by Functionbeat 7.16 documentation, so I'm not sure whether this functionality is intended.

Steps to reproduce:

Set up Elasticsearch 7.16 and try to index something with Functionbeat without manage_index_template privilege. Version does not seem to matter.

[kaangoksal]

Same issue with filebeats

2021-12-11T15:58:33.739Z	ERROR	[publisher_pipeline_output]	pipeline/output.go:154	Failed to connect to backoff(elasticsearch(https://xxx.io)): Connection marked as failed because the onConnect callback failed: error loading template: failure while checking if template exists: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/template/get] is unauthorized for API key id [xxx] of user [xxx], this action is granted by the cluster privileges [manage_index_templates,manage,all]"}],"type":"security_exception","reason":"action [indices:admin/template/get] is unauthorized for API key id [xxx] of user [xxx], this action is granted by the cluster privileges [manage_index_templates,manage,all]"},"status":403}
2021-12-11T15:58:33.739Z	INFO	[publisher_pipeline_output]	pipeline/output.go:145	Attempting to reconnect to backoff(elasticsearch(https://xxx.io)) with 2 reconnect attempt(s)

given the latest log4j RCE having overly permissive security configurations are getting more dangerous than ever.

[elasticmachine]

Pinging @elastic/es-security (Team:Security)

[jtibshirani]

Thanks for your feedback. I've tagged our security team for their context. However, I think this change may be specific to Beats and not Elasticsearch. We might need to transfer the issue to the Beats repo (https://github.com/elastic/beats) to hear from the experts there.

[kaangoksal]

I can provide more details if needed. Have a setup that i can demonstrate the issue

[tvernum]

We've tracked this down to being triggered by elastic/elasticsearch#78832 and the fact that libbeat uses that Cat API in a way that wasn't anticipated.
We're looking at options for resolving it.