[ResponseOps] Update kibana system user with esql view permissions.#143568
[ResponseOps] Update kibana system user with esql view permissions.#143568adcoelho merged 3 commits intoelastic:mainfrom
Conversation
|
Pinging @elastic/es-security (Team:Security) |
| RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTING_V2_INDEX_ALIAS).privileges("all").build(), | ||
| RoleDescriptor.IndicesPrivileges.builder() | ||
| .indices(ReservedRolesStore.ALERTING_V2_INDEX_ALIAS) | ||
| .privileges("create_view", "manage_view", "manage", "all") |
There was a problem hiding this comment.
I think you only need to grant create_view here and that the error message indicates any of create_view, manage_view, or manage will grant the indices:admin/esql/view/put action.
That test indicates that all should also grant the necessary action, which was already granted. So I'm wondering if this will actually fix your issue.
There was a problem hiding this comment.
all already grants any view (and index) actions. If you're running into issues let me know and I can try to help out.
all is indices:*, manage is indices:admin/*, manage_view is indices:admin/esql/view* and the PUT, GET and DELETE operations are indices:admin/esql/view/put|get|delete.
|
Is this PR attempting to solve the same problem as #143455 ? The titles are almost the same but are modifying different indices |
jfreden
left a comment
There was a problem hiding this comment.
all should already cover this. Let me know if you're running into issues and I can try to help out over slack or zoom. Thanks!
| RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTING_V2_INDEX_ALIAS).privileges("all").build(), | ||
| RoleDescriptor.IndicesPrivileges.builder() | ||
| .indices(ReservedRolesStore.ALERTING_V2_INDEX_ALIAS) | ||
| .privileges("create_view", "manage_view", "manage", "all") |
There was a problem hiding this comment.
all already grants any view (and index) actions. If you're running into issues let me know and I can try to help out.
all is indices:*, manage is indices:admin/*, manage_view is indices:admin/esql/view* and the PUT, GET and DELETE operations are indices:admin/esql/view/put|get|delete.
5aa417d to
f34062c
Compare
|
After a chat with @jfreden, I understood the original call to the API was failing because the role did not have In addition to that, after our chat, I decided to go for the I changed the PR to target |
| // "Alerting V2" indexes | ||
| RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTING_V2_INDEX_ALIAS).privileges("all").build(), | ||
| // "Alerting V2" views prefix | ||
| RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTING_V2_VIEWS).privileges("all").build(), |
There was a problem hiding this comment.
Do you need all here? Since this is only managing views you should at most need manage_view (all CRUD). What are the operations you're planning on doing? If it's only adding views, I'd stick to create_view otherwise manage_view.
There was a problem hiding this comment.
When you mentioned above that:
allalready grants any view (and index) actions.
I assumed that was the required privilege for the view name, too.
I realize now that it is still a superset of what we actually need. I will change to create_view.
## Summary **The focus of this PR is the view creation logic. I will create a follow-up PR with an `$.alerting-episodes` view when we decide which fields we want on the alerts table.** This PR adds startup initialization of ES|QL views in the Alerting v2 plugin(in addition to the existing data stream resource setup). Views are created in Elasticsearch via the `/_query/view` API, so alerting can use them. [There is currently a separate PR in the Elasticsearch repo](elastic/elasticsearch#143568) that updates the Kibana system user permissions to allow for the ESQL view management. The views created by this PR are: ``` $.alerting-events -> FROM .alerting-events $.alerting-actions -> FROM .alerting-actions ```
…lastic#143568) * Adds alerting v2 views permissions. * Change alerting v2 view privileges to create_view only. * [CI] Auto commit changes from spotless --------- Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
…lastic#143568) * Adds alerting v2 views permissions. * Change alerting v2 view privileges to create_view only. * [CI] Auto commit changes from spotless --------- Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
…sions. (elastic#143568)" This reverts commit 3251506.
Summary
We want to allow the Kibana system user to be able to manage ESQL views.
Draft PR for the Kibana implementation.
The permissions
create_view,manage_view, andmanageare the ones required in the error output when using the esClient to create a new view on startup.I also updated the tests to include the
ESQLViewActionNames, I hope that is correct.