Closed simitt closed 4 years ago
I almost wonder if it's time to stop using some/all of the shared security documentation from Beats, and instead create our own security documentation for APM Server. The current setup works, but it doesn't offer us a lot of flexibility.
Using parts of the shared docs would be optimal; linux seccomp is solely provided by libbeat, copying the docs from there ensures we receive doc bugfixes and updates. Whereas other docs as basic-auth even contain a configuration setup.kibana
that APM Server doesn't support any more since 7.0.
Ideally after having a summarized overview of the roles and privileges we reflect the minimum required privileges per version in the Integration testing. This would enforce us to think about newly added features requiring new privileges for every new version.
Open TODOs:
manage_pipeline
and manage_ingest_pipeline
?cluster: monitor
privilege; where does this come from?
In the following proposal I removed the privilege as I didn't need it anywhere.7.0
APM Server docs and referencing a deprecated way for configuring monitoringAfter testing the minimal required privileges and comparing with current documentation I propose following changes for the 7.7
and 7.8
documentation:
@bmorelli25 please let me know what you think. Once we agree on the documentation, I can work on adding users and roles accordingly to the apm-integration testing to be in sync with the docs.
This is a fantastic!
A few notes on your todos:
Figure out the difference between manage_pipeline and manage_ingest_pipeline?
They are duplicates. manage_ingest_pipelines
is being removed in favor of manage_pipeline
. See: https://github.com/elastic/elasticsearch/issues/55640
Do we need the cluster: monitor privilege; where does this come from? In the following proposal I removed the privilege as I didn't need it anywhere.
I chatted with DeDe about this. She says cluster: monitor
is required during Beats setup to retrieve cluster details like version info. She assumes we'd need it as well to use the APM Server setup
command. I'll give it a test as well.
ES docs for built-in APM user are outdated; they are pointing to the 7.0 APM Server docs and referencing a deprecated way for configuring monitoring
Good find. ~I'll open a PR to fix this today.~ Fixed in https://github.com/elastic/elasticsearch/pull/56537, https://github.com/elastic/elasticsearch/pull/56538, https://github.com/elastic/elasticsearch/pull/56539 .
APM Server agent configuration management minimal required privilege (tested): read access to Kibana APM space. There is no built-in role available for this. Describe how to create user with role that only grants read access to Kibana APM space check with @sqren if read permissions are expected to be enough (instead of read+write permissions).
@sqren, In addition, a question about the Agent config API. After some testing it seems read
access to the APM feature privilege is good enough to GET Agent config values, and creating or delete configs requires all
access to the APM feature privilege. Does that sound right?
~Still figuring out the Annotation API privileges in https://github.com/elastic/kibana/pull/65963#discussion_r422759066. I think it's something like this:~
Confirmed that annotation API privileges are:
Feature: APM
--> all
Index: observability-annotations
. Privileges: create_index
, create_doc
, manage
, and read
.
@simitt Thanks for starting this initiative. Much needed as the permission requirements are already very complex to understand - for users and devs alike.
@sqren, In addition, a question about the Agent config API. After some testing it seems read access to the APM feature privilege is good enough to GET Agent config values, and creating or delete configs requires all access to the APM feature privilege. Does that sound right?
That sounds right 👍
check with @sqren if read permissions are expected to be enough (instead of read+write permissions).
Read permissions to apm-*
is sufficient to view data in apm ui. Additionally the user must have read privilege to the APM app via Kibana Security.
Ensure APM built-in roles have privileges for all features they should support.
The existing built-in roles for APM are up-to-date.
Also addressing the question if we should add built-in roles for the APM Server setup
and data ingestion
phases:
Whenever the APM Server requires additional privileges for new features, the privileges could be added to the built in role and existing users automatically would get the updated privileges when upgrading the APM Server. We would be providing such a built-in role for configurable user data indices though. Whenever a user changes the apm-*
indices to have another prefix or wants to split the indices more fine granular and make use of document level security, the built-in roles could not be used as they would be fixed for apm-*
indices.
We decided to not introduce built-in roles for the APM Server at the moment. When providing a fine-granular up-to-date documentation, creating a role and the user vs. creating the user with a built-in role is almost the same experience. The privileges required by the server are not expected to change often (and haven't in the past). To be revisited in the future if flexibility of index creation changes.
@simitt Question about Agent config management. You list the following users:
read
access to APM feature.all
access to APM feature and apm_user
.Can you clarify what the difference in use-case is for these users? It sounds like the Kibana user is used to view and update Agent configs from within the APM app. What is the APM Server user used for? Reading central config values?
@bmorelli25 As you say there should be at least two users. In this example there'll be three users:
read
access to APM featureall
access to APM feature and apm_user
roleread
access to APM feature and apm_user
roleAPM Server system user
APM agents fetch their configs by connecting to Kibana through the publicly available APM Server. So in other words: the agent requests are proxied and authenticated through the APM Server. Therefore the APM Server needs to have read
access when calling the agent config search endpoint in Kibana: GET /api/apm/settings/agent-configuration/search
.
Important: the APM Server does NOT need access to APM indices to make this request.
Joe
Can login to Kibana, see APM data (access to apm indicies via apm_user
role) and can view/create/update/delete agent configs (via all
access)
Carole
This user is not strictly necessary but is worth mentioning. This user only has read
on APM feature and therefore cannot create/delete/update agent configs.
👋 Quick update: Docs PRs have been opened and are ready for review!
Relevant follow-up tasks:
@sqren, In addition, a question about the Agent config API. After some testing it seems read access to the APM feature privilege is good enough to GET Agent config values [...]
That sounds right 👍
Do you know if it is also true for 7.3 and 7.4 ? Using the built-in role kibana_user
to access the agent configuration seems to work only from 7.5
Edit: I just realized that it is a little bit off topic re. the purpose of this issue, sorry about that
Do you know if it is also true for 7.3 and 7.4 ?
@barkbay No, I'm pretty sure that is not the case. The initial security model required the user to have access to the internal index for agent configs (.apm-agent-configuration
).
We changed that around 7.4 (can't remember the exact version - I can try dig into it if necessary) to the security model we have today that only requires the user to have read
or all
access to the apm feature.
@bmorelli25 thanks for all the effort you put in, great outcome! Closing this issue now as the PRs are merged.
Review all features the APM Server supports that are related to either connecting to Kibana or Elasticsearch, and review which privileges are required for these features. E.g. look into sourcemap fetching, agent config management, monitoring, API Key authentication, .. Ensure APM built-in roles have privileges for all features they should support.
Use current docs related to built-in roles and feature roles for the review and ensure they are clear and up to date.