
[Monitoring] Add ability for monitoring_user role to read from metricbeat-* #71233

Merged
neptunian merged 2 commits into elastic:master from chrisronline:mb_index on May 25, 2021

Conversation

@chrisronline (Contributor)

Relates to elastic/kibana#90660

The Stack Monitoring UI will soon read from metricbeat-* indices and needs to adjust the reserved role to allow permission to this index.

@elasticsearchmachine added the external-contributor label (pull request authored by a developer outside the Elasticsearch team) on Apr 2, 2021
@jakelandis added the :Core/Infra/Monitoring, :Security/Authorization (roles, privileges, DLS/FLS, RBAC/ABAC), v7.13.0 and v8.0.0 labels on Apr 2, 2021
@elasticmachine added the Team:Data Management (obsolete) and Team:Security labels on Apr 2, 2021
@elasticmachine (Collaborator)

Pinging @elastic/es-core-features (Team:Core/Features)

@elasticmachine (Collaborator)

Pinging @elastic/es-security (Team:Security)

@jakelandis (Contributor)

Changes LGTM from the monitoring side of things ... but let's let the security folks weigh in too.

@jakelandis (Contributor)

Looks like there is a checkstyle failure. You can see the exact problem and test the fix with ./gradlew :x-pack:plugin:core:checkstyleMain --info

@albertzaharovits (Contributor)

In https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-metricbeat.html, for ingesting monitoring data we say:

If Elasticsearch security features are enabled on the monitoring cluster, you must provide a valid user ID and password so that Metricbeat can send metrics successfully:

Create a user on the monitoring cluster that has the remote_monitoring_agent built-in role. 

and then for visualizing said data, we say:

If the Elastic security features are enabled on the monitoring cluster, you must provide a user ID and password so Kibana can retrieve the data.

Create a user that has the monitoring_user built-in role on the monitoring cluster. 

Given that remote_monitoring_agent can index to both .monitoring* and metricbeat-*, I think it makes sense to permit the monitoring_user to read from all where remote_monitoring_agent can write.

I see no security concerns here.

Just a minor nit, please update ReservedRolesStoreTests#testMonitoringUserRole.

@neptunian

Just a minor nit, please update ReservedRolesStoreTests#testMonitoringUserRole.

@albertzaharovits, @chrisronline is on a different team now so I went ahead and merged this. Our team doesn't typically commit to the elasticsearch repo so if you could make the change you requested, it would be greatly appreciated!

@chrisronline deleted the mb_index branch on May 25, 2021 15:07

chrisronline added a commit that referenced this pull request on May 25, 2021:
…beat-* (#71233) (#73371)

* Add ability for monitoring_user role to read from metricbeat-*
* Fix style
@neptunian

@albertzaharovits @chrisronline Do either of you know if I should be seeing this change reflected here:

GET /_security/role/monitoring_user

response:

    {
      "monitoring_user" : {
        "cluster" : [
          "cluster:monitor/main",
          "cluster:monitor/xpack/info",
          "cluster:monitor/remote/info"
        ],
        "indices" : [
          {
            "names" : [ ".monitoring-*" ],
            "privileges" : [ "read", "read_cross_cluster" ],
            "allow_restricted_indices" : false
          }
        ],
        "applications" : [
          {
            "application" : "kibana-*",
            "privileges" : [ "reserved_monitoring" ],
            "resources" : [ "*" ]
          }
        ],
        "run_as" : [ ],
        "metadata" : { "_reserved" : true },
        "transient_metadata" : { "enabled" : true }
      }
    }

Still getting failing functional tests likely because of this.
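
The check below is an added example, not code from this PR or from Elasticsearch. It takes the JSON that GET /_security/role/<name> returns and answers the two questions raised in this thread: can a holder of monitoring_user read a concrete metricbeat-* index, and does the role read everywhere the review comment says remote_monitoring_agent writes (.monitoring-* and metricbeat-*). ROLE_BEFORE is the response quoted above; ROLE_AFTER is a constructed guess at the post-merge role that assumes metricbeat-* is added with the same privileges as .monitoring-*. The function names and AGENT_WRITE_PATTERNS are the example's own.

```python
import fnmatch

# Index privileges that let a role search or get documents. The real
# Elasticsearch privilege hierarchy is richer (e.g. "view_index_metadata"
# grants no document reads), so this check is deliberately conservative.
READ_PRIVILEGES = {"read", "all"}

# Constructed sample: the pre-change role document quoted in the thread.
ROLE_BEFORE = {
    "monitoring_user": {
        "cluster": ["cluster:monitor/main", "cluster:monitor/xpack/info",
                    "cluster:monitor/remote/info"],
        "indices": [
            {"names": [".monitoring-*"],
             "privileges": ["read", "read_cross_cluster"],
             "allow_restricted_indices": False},
        ],
        "applications": [{"application": "kibana-*",
                          "privileges": ["reserved_monitoring"],
                          "resources": ["*"]}],
        "run_as": [],
        "metadata": {"_reserved": True},
        "transient_metadata": {"enabled": True},
    }
}

# Constructed sample: what the role is expected to look like once the change
# has reached the build (assumption: metricbeat-* gets the same privileges
# as .monitoring-*).
ROLE_AFTER = {
    "monitoring_user": {
        **ROLE_BEFORE["monitoring_user"],
        "indices": [
            {"names": [".monitoring-*", "metricbeat-*"],
             "privileges": ["read", "read_cross_cluster"],
             "allow_restricted_indices": False},
        ],
    }
}

# Index patterns the review comment says remote_monitoring_agent writes to.
AGENT_WRITE_PATTERNS = [".monitoring-*", "metricbeat-*"]


def readable_patterns(role_doc, role_name):
    """Index patterns on which the role holds a read-capable privilege."""
    patterns = []
    for entry in role_doc[role_name].get("indices", []):
        if READ_PRIVILEGES & set(entry.get("privileges", [])):
            patterns.extend(entry["names"])
    return patterns


def can_read(role_doc, role_name, index):
    """True if the concrete index name is readable under the role.

    Elasticsearch role index patterns use '*' wildcards, which fnmatch
    handles. Restricted system indices are not special-cased: both sample
    roles have allow_restricted_indices false, so e.g. .security would be
    rejected by the server regardless of the pattern match.
    """
    return any(fnmatch.fnmatchcase(index, p)
               for p in readable_patterns(role_doc, role_name))


def uncovered_write_patterns(role_doc, role_name, write_patterns):
    """Writer patterns the role cannot read.

    Each writer pattern is tested as if it were an index name. That is exact
    for prefix-style patterns such as 'metricbeat-*' and is all the
    "read everywhere the agent writes" argument in the review needs.
    """
    return [p for p in write_patterns if not can_read(role_doc, role_name, p)]


if __name__ == "__main__":
    for label, doc in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        missing = uncovered_write_patterns(doc, "monitoring_user",
                                           AGENT_WRITE_PATTERNS)
        print(f"{label}: agent write patterns not readable = {missing}")
```

Run against a live cluster by replacing ROLE_BEFORE with the parsed body of GET /_security/role/monitoring_user; an empty list from uncovered_write_patterns means the build under test already carries this change, a list containing metricbeat-* means it does not.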

@albertzaharovits (Contributor)

@neptunian It works for me when I pull ES from the 7.x branch. I think the build you're testing hasn't caught up.

@jasonrhodes (Member)

@albertzaharovits thanks, do you know how long the delay is to get these changes in the yarn es snapshot flow / aka latest ES snapshots? Our Kibana functional tests are failing with this problem still, a day later. Not sure who to ask on this :)

@jasonrhodes (Member)

@albertzaharovits are you comfortable backporting this to the 7.13 branch so it goes out in the next 7.13.x patch release, if there is one? I just realized that Metricbeat 7.13 merged with the ability to ship data to metricbeat-* but without this change, users won't be able to see that data.

cc @sayden @ravikesarwani (for visibility, I'll explain more)


Labels: :Core/Infra/Monitoring, external-contributor, :Security/Authorization, Team:Data Management (obsolete), Team:Security, v7.13.2, v7.14.0, v8.0.0-alpha1
