Document privileges for running Beats features against secured cluster #7128
andrewkroh merged 6 commits into elastic:master from
@andrewkroh I've added instructions for loading the dashboards when LS output is enabled (we talked about that a couple weeks ago). There are some bits I'm not sure about, so I've added questions for reviewers. We might be able to simplify the command, but I thought I'd start with all the things and see what you think.
Removed my link because it pointed to an internal document.
karenzone left a comment
Started, but not finished. There's a lot going on here. Looks like it's heading in a good direction.
libbeat/docs/dashboards.asciidoc
Outdated
This should be {beat_default_index_prefix}_internal. There are a few instances of this.
libbeat/docs/dashboards.asciidoc
Outdated
We don't need to set it in this case. I think it only needs to be used when loading the dashboards (setup --dashboards) and a connection to ES is not possible (so it will skip the ES version check).
libbeat/docs/dashboards.asciidoc
Outdated
We can remove the conditional for auditbeat. It is used with docker quite a bit now.
kibana_user seems ok. I'm not sure what privileges could be removed.
BTW If the user does not have privileges to .kibana there are no errors anywhere that I can see. But none of the dashboards or the index pattern get installed. Sounds like a bug in ES or Kibana that it does not respond with a 403.
@andrewkroh Do I need to open an issue for this, or do you plan to follow up?
libbeat/docs/dashboards.asciidoc
Outdated
I would keep ML. At the moment I think only Filebeat has them, but hopefully more Beats get ML configs soon.
3be46bb to 540b300
@andrewkroh I've updated the topics based on your feedback. Not sure if you've finished your first round of comments, tho. Let me know. There are still a few unanswered questions.
7b31231 to 89b7c79
89b7c79 to bfa4d48
Remaining review todo list:
You can preview the built docs here: https://filebeatsecurityupdates.firebaseapp.com/securing-beats.html
| { | ||
| "names": [ "{beat_default_index_prefix}-*" ], <1> | ||
| "privileges": ["write","create_index"] | ||
| "privileges": ["read","write","create_index"] |
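Review bot: the second "privileges" line adds read to the writer role on {beat_default_index_prefix}-*, while the first line shows that write and create_index were the set already in use for publishing events. Unless a Beat is shown to query its own indices, keep ["write","create_index"] so that the credentials stored in the Beat's configuration cannot be used to read back indexed data, and have the <1> callout state what each granted privilege is needed for.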
What is the read needed for? I can't think of any Beats that would use this. Packetbeat used to a long time ago, but not anymore AFAIK.
I don't have the reason in my notes. I'll retest to make sure it's not a copy/paste error.
Confirmed that "read" privilege is not required (tested on metricbeat and packetbeat...I'm assuming that's sufficient).
Assuming this passes CI tests, it should be ready to squash and merge.
elastic#7128)
* Document privileges for running Beats features against secured cluster
* Add instructions for loading dashboards with LS output enabled
* Fix issues identified during review
* Remove reviewer notes
* Fix privileges on writer role
* Add link to security docs
Fixes #4826.
Note that this is a quick fix for 6.3. Ideally, we should not be documenting how to create a role; we should point off to the security docs for that. However, our stack-level security docs need more work, so I'm making fixes to the existing content (rather than rewriting) for 6.3. We also need to consider adding more beats-specific built-in roles.
TODO:
UPDATE: I've added the built docs (Filebeat) to firebase to make it easier for you to review them: https://filebeatsecurityupdates.firebaseapp.com/securing-beats.html