[Discuss] Indexing permissions as part of the Elastic Agent policy

[ruflin]

Currently all Elastic Agents enrolled into the fleet-server get the same permissions. To cover all the use cases these are the most permissive permissions. This proposal is to reduce the permissions given to an Elastic Agent based on the the policy. With this, each Elastic Agent would receive an API Key with the minimal permissions needed to get its job done.

Elastic Agent Policy contains permissions block

The fleet-server creates the API Keys for the Elastic Agents. Which permissions an Elastic Agent requires is based on the content of the policy. Because of this the policy should contain a section with the permissions it requires. This section could look similar to the following (inspired by Elasticsearch API Key permissions):

policy: A
permissions: [
  {
    "names": ["logs-*", "metrics-*"],
    "privileges": ["create_doc"]
  }
]

The above would give create_doc permissions for the logs-* and metrics-* data streams. If an Elastic Agent is enrolled for the policy A, an Elasticsearch output API Key would be created with only the above permissions and added to the policy.

The above model also works for more complex cases. Lets assume we have a case where only 2 indices should be allowed to be written to and one index should have read permissions. This could look as following:

policy: B
permissions: [
  {
    "names": ["logs-nginx.access-default", "logs-nginx.error-default"],
    "privileges": ["create_doc"]
  },
  {
    "names": ["state-docs"],
    "privileges": ["create_doc", "read"]
  }
]

If an Elastic Agent is enrolled for policy B, the permissions to write to the nginx indices is given and read from the state-docs index.

In general, this model can be used to be as permissive or restrive as needed based on the Elasticearch permission model. The limitation on the maximum permissions that can be given to an Elastic Agent is the permissions the fleet-server user itself has.

Change of policy

A change to a policy can mean the permission required on the Elastic Agent changes. For example at first only nginx access logs were collected but now also error logs. This means additional privileges for the error log data stream are required. The fleet-server must be able to hand out new API Keys with increased / reduced permissions in case of policy changes. In addition, old API Keys have to be invalidated.

Same permissions for all processes per Elastic Agent

The above assumes there are no sub permissions per input in an Elastic Agent. Whatever runs in an Elastic Agent, the input that requires the most permissions will defined the permissions of the API Key. If for example APM Integration is run together with the Endpoint integration and APM process requires read access to certain indices, the Endpoint process would also get the same permissions. This simplifies the permissions model.

On the policy creation side, it is important to notify the user about potential issues through concept likes Trusted / Untrusted integrations or similar, but this is not part of the privileges concept itself.

Fleet

The permissions which are part of the policy need to be created somewhere. It is expected that these are created in Fleet. Every integration should have the option to specify which permissions it needs. Based on this information and the user input like namespace, Fleet needs to generate the permission block. The UX and parts needed in Fleet should be discussed separately.

[scunningham]

To the extent that can be achieved, it would desirable for the fleet server to limit the amount of interpretation it has to do. Ideally, the permissions required would be listed explicitly in a section of the policy, or if necessary, multiple sections that the fleet server has to combine. It's not yet clear where in the system these explicit permission will be enumerated and what support is necessary to do so.

Also, there will be some race conditions to deal with here. Ideally, the fleet server would not revoke the previous ingest key until the policy was ACK'd by the agent. This would largely prevent the scenario where the key was delayed in rolling out, or we lost comms to the agent immediately after the old key was revoked, but before the new policy rolled out. That said, there will be some stateful book-keeping in the fleet server to accomplish this.

[scunningham]

Also, Fleet-Server should have the permission to create these data streams. Basically, for any explicitly enumerated data stream that does not have the auto_configure, Fleet-Server will need to attempt to create the data stream (and no-op if already there). This is to avoid having to provide auto_configure privileges to untrusted endpoints, which is what we have right now.

[ph]

The data stream fields are already present in each input or default values already exists, if we add a "permission" key under the "input", the stream, or both the input can be traversed and an aggregated set of permissions be generated.

@ruflin Where the required permissions would be defined, would it be the package responsable of defining the permissions. The system integration should only be able to define permissions for logs-system.*- and `metrics-system.-,

[ph]

@andresrc FYI, I am adding this item to both Agent and Fleet board, once the design we surely have 2 (or more issues)

[ph]

This is the design issue to fix the APM-Server different permissions

• Requirement for Kibana API Key for Agent subprocess [Fleet] Requirement for Kibana API Key for Agent subprocess kibana#89311

With the above proposal the Elastic Agent would still have a single api key to talk with Elasticsearch, that API key will have the correctly defined permission defined on it based on the configuration. Based on this dicussion I will close elastic/kibana#91704

[axw]

Thanks for filing this @ruflin. This sounds similar to what I've had in mind, like an app store type approach: install an app (integration), and the store (Fleet/Integrations UI) prompts you to grant additional privileges. I guess we can skip this until untrusted integrations need the feature.

In an email thread @simitt raised the principle of least privilege. I tend to agree that in an ideal world we would restrict each integration's process from obtaining another integration's privileges that it doesn't need access to; but there's no practical issue with this for APM's foreseeable future.

[ruflin]

@scunningham My assumption was that Fleet (Kibana) would be the tool that sets up all the data streams if need as setup of the stack already happens there. fleet-server just takes the permissions and creates API keys based on it.

@ph I assume the definition of the permissions needed should happen where the data streams are defined. So this would be in the manifest of the data_stream directory for example. But we should have a separate discussion around this in package-spect repo.

[scunningham]

@ruflin I would prefer if Kibana creates the data streams as well, assuming the kibana_system user has permissions to do that.

[scunningham]

I should clarify that to the extent we can, we should not be giving wild carded privileges to the endpoints. Even an append-only logs-* privilege will allow an attacker to scribble over any log data stream in the system. We should try to limit permissions as specifically to the target data streams as possible.

[ruflin]

I don't think the kibana_system user has and should have the permission. But the user that creates the policy should have sufficient permissions, be it in the UI or API call. The creation of the data_streams happens as soon as the user hits save for a policy.

With the above model, we delegate the responsibility about how many privileges an integration needs to the creator of the integration. The model would still allow for someone to use logs-*-* if really needed, fleet-server would just create the API keys needed. Instead I think we should have additional features in Fleet where certain flags can be set on policies. So only if a user sets trusted flag on a policy for example, the permissions in the policy allow to have * or dynamic fields are allowed. Otherwise Fleet would overwrite certain flags from the integrations and hopefully tell the user that not all the permissions are ok for this policy.