Granting kibana_system reserved role access to "all" privileges to .adhoc.alerts* and .internal.adhoc.alerts* indices #127321
Conversation
…`.adhoc.alerts*` and `.internal.adhoc.alerts*` indices
Pinging @elastic/es-security (Team:Security)
Hi @e40pud, I've created a changelog YAML for you.
@@ -265,6 +265,12 @@ static RoleDescriptor kibanaSystem(String name) { | |||
RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_INDEX_ALIAS).privileges("all").build(), | |||
// "Alerts as data" public index alias used in Security Solution | |||
// Kibana system user uses them to read / write alerts. | |||
RoleDescriptor.IndicesPrivileges.builder() | |||
.indices(ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX, ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS) |
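Review bot: the new IndicesPrivileges entry for ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX and ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS grants "all" (per the PR title; the .privileges(...) call itself is cut off in the visible hunk), which mirrors the ALERTS_INDEX_ALIAS line above but is wider than an alerts read/write path needs and pulls in cross_cluster_replication among others; enumerate the specific privileges this feature uses instead. The "Alerts as data public index alias" comment also describes the existing ALERTS_INDEX_ALIAS entry, so the new builder should carry its own comment saying these are the ad hoc Attack Discovery alert indices and why they are kept apart from the standard alert indices.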
Are these indices created/owned by Kibana?
Question - are these indices created and managed by Kibana, or another stack component (e.g. ES, an integration, etc.)?
Also, rather than assigning "all", we prefer that specific privileges are enumerated when augmenting the `kibana_system` role. For example, `kibana_system` likely does not need the ability to perform cross-cluster replication on these indices, and "cross_cluster_replication" is granted by "all". Ideally, the minimum required privileges should be granted.
The full list of index privileges for reference: https://www.elastic.co/docs/reference/elasticsearch/security-privileges#privileges-list-indices
Keep in mind also that some privileges cascade, like the "manage" index privilege which grants many of the other manage_* index privileges.
Parent ticket: https://github.com/elastic/security-team/issues/12484
Summary
We'd like to add privileges to a new set of indices to the `kibana_system` role. The reason for that is we need to have a different naming schema for the manually generated attack discovery alerts index aliases and backing indices pointing to these aliases. Adding for the new "Attack Discovery Scheduling" feature that utilizes alerts as data and a reserved index to write alerts. The attack discovery scheduling feature requires a possibility to generate alerts without running an existing (registered in alerting framework) rule, and for that we are writing adhoc generated alerts to a separate index (than normal alerts) so they won't show up with standard .alerts* queries, but still need the same permissions as "normal" alert indices.
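One way to check the two points raised in this thread during review, namely the reviewer's preference for enumerated privileges over a cascading "all" and the PR's rationale that ad hoc alerts live under names that standard .alerts* queries do not match. This is an added Python example, not code from the elastic/elasticsearch project: it diffs a role descriptor (in the JSON shape returned by GET _security/role) before and after a change, flags grants that use a cascading privilege, and checks whether each new index pattern overlaps an existing one. The role documents, the .siem-signals* entry and its privilege list, and the UMBRELLA table are constructed for the example; only the .adhoc.alerts* and .internal.adhoc.alerts* names come from the PR.

```python
"""Review helpers for a change to an Elasticsearch role descriptor.

Added example, not code from the elastic/elasticsearch project. The role
documents below are constructed to mirror the shape of GET _security/role
output and the grant under review (".adhoc.alerts*" and
".internal.adhoc.alerts*"); their contents are illustrative, not the real
kibana_system role.
"""
import fnmatch
import json

# Assumption: a partial table of privileges that cascade to others, based on
# the index-privilege reference linked in the review thread. "all" covers
# every index privilege (including cross_cluster_replication); "manage"
# covers monitor plus index administration, including many manage_* ones.
UMBRELLA = {
    "all": "every index privilege, including cross_cluster_replication",
    "manage": "monitor plus index administration (many manage_* privileges)",
}

# Constructed sample: index grants before and after the change under review.
ROLE_BEFORE = {
    "indices": [
        {"names": [".alerts*", ".internal.alerts*"], "privileges": ["all"]},
        {"names": [".siem-signals*"],
         "privileges": ["read", "view_index_metadata", "maintenance"]},
    ]
}
ROLE_AFTER = json.loads(json.dumps(ROLE_BEFORE))  # deep copy
ROLE_AFTER["indices"].append(
    {"names": [".adhoc.alerts*", ".internal.adhoc.alerts*"], "privileges": ["all"]}
)


def index_grants(role):
    """Flatten a role descriptor into {index_pattern: set(privileges)}."""
    grants = {}
    for entry in role.get("indices", []):
        for pattern in entry["names"]:
            grants.setdefault(pattern, set()).update(entry["privileges"])
    return grants


def widened_grants(before, after):
    """Privileges present in `after` that `before` did not grant, per pattern."""
    old, new = index_grants(before), index_grants(after)
    widened = {}
    for pattern, privs in new.items():
        added = privs - old.get(pattern, set())
        if added:
            widened[pattern] = sorted(added)
    return widened


def umbrella_findings(role):
    """(pattern, privilege, what it cascades to) for every cascading grant."""
    return [
        (pattern, priv, UMBRELLA[priv])
        for pattern, privs in sorted(index_grants(role).items())
        for priv in sorted(privs)
        if priv in UMBRELLA
    ]


def _literal_prefix(pattern):
    """Text of a glob pattern before its first wildcard character."""
    for i, ch in enumerate(pattern):
        if ch in "*?[":
            return pattern[:i]
    return pattern


def overlapping_patterns(pattern, others):
    """Patterns in `others` that share at least one concrete index name with
    `pattern`. Heuristic: a pattern always matches its own literal prefix, so
    two patterns overlap whenever either prefix matches the other pattern.
    That is sound for the trailing-wildcard patterns used in role descriptors
    but can miss overlaps between more complex globs."""
    hits = []
    for other in others:
        if other == pattern:
            continue
        if (fnmatch.fnmatchcase(_literal_prefix(pattern), other)
                or fnmatch.fnmatchcase(_literal_prefix(other), pattern)):
            hits.append(other)
    return hits


def review(before, after):
    """Summarise what a role change widens and which review questions it raises."""
    existing = list(index_grants(before))
    widened = widened_grants(before, after)
    return {
        "widened": widened,
        "cascading": [f for f in umbrella_findings(after) if f[0] in widened],
        "overlaps": {p: overlapping_patterns(p, existing) for p in widened},
    }


if __name__ == "__main__":
    print(json.dumps(review(ROLE_BEFORE, ROLE_AFTER), indent=2))
```

Run against the sample, the report lists the two new patterns as widened with "all", flags both as cascading grants (the existing .alerts* grants are reported by umbrella_findings too, but review only surfaces the ones the change introduces), and finds no overlap with .alerts* or .internal.alerts*, which is the separation the PR description relies on. Replacing the sample documents with the output of GET _security/role/kibana_system from two clusters gives the same report for a real change.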