elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

[APM] Add Kibana privileges to built-in user #57201

Open sorenlouv opened 4 years ago

sorenlouv commented 4 years ago

The built-in apm_user already has read access to the default apm indices (apm-*) by default:

https://github.com/elastic/elasticsearch/blob/dd4290b8485fee0b990f52e0162a4443862f82c1/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java#L165-L171

However, simply assigning the apm_user role to a user will not grant them access to use APM in Kibana. They'll still need application privileges for APM.

Suggestion

To improve the getting started experience I'm proposing that apm_user role should have read privileges to the APM feature in Kibana.

I'm thinking something like this:

```java
// Application privileges proposed for apm_user: "kibana-*" matches the Kibana
// application, resources "*" means every space, and feature_apm.read is the
// read-level privilege of the APM feature.
new RoleDescriptor.ApplicationResourcePrivileges[] {
    RoleDescriptor.ApplicationResourcePrivileges.builder()
        .application("kibana-*").resources("*").privileges("feature_apm.read").build()
},
```
kobelb commented 4 years ago

TLDR; I don't think we should change the apm_user role to grant access to the APM feature in Kibana in a minor version as this is a breaking change. This changes the fundamental nature of the apm_user role to no longer just grant access to read the apm-* indices, but to also grant access to the APM feature in all spaces in Kibana.

Currently, users must be assigned the apm_user role (or another role which grants the user access to read from the APM data-indices) in addition to a role which grants them access to the APM feature within one or many Kibana spaces to be able to use APM. If a user is assigned the apm_user role and a role which grants them access to APM in only a single space and then we make this change, they'll be able to see all other spaces.

In my opinion, creating the apm_user role was a mistake, which I can say because I did it.... At the time, the thinking was that this better prepared us for the introduction of feature controls because it would allow us to treat APM like we ended up treating ML and Monitoring. However, when looking into this further we realized that APM behaved like all of the other applications in Kibana and it was not like ML and Monitoring. Therefore, we ended up not taking advantage of the apm_user role and users can grant access to APM like they do all other features in Kibana by using either the kibana_admin reserved role, or creating custom roles which grant varying levels of access to APM in different spaces.
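The scope change kobelb describes, modelled as an added example that is not Elasticsearch or Kibana code: a simplified privilege check in which Kibana spaces are the resources "space:<id>" and "*" means all spaces, with a user who holds apm_user plus a custom role limited to the default space (role names and the sample index name are constructed).

```python
from fnmatch import fnmatchcase

# Constructed sample: a concrete index the apm-* pattern must match.
SAMPLE_APM_INDEX = "apm-7.6.0-transaction"
# Kibana registers its application privileges under this application name;
# the "kibana-*" pattern in the issue's snippet matches it.
KIBANA_APPLICATION = "kibana-.kibana"


def role(name, indices=(), apps=()):
    """Simplified role descriptor: index privileges plus application privileges
    in the (application, resources, privileges) shape used in the issue."""
    return {"name": name, "indices": list(indices), "apps": list(apps)}


def _app_granted(roles, application, resource, privilege):
    # An application privilege applies when its application pattern matches,
    # one of its resource patterns matches the space, and it lists the privilege.
    return any(
        fnmatchcase(application, app["application"])
        and any(fnmatchcase(resource, r) for r in app["resources"])
        and privilege in app["privileges"]
        for rl in roles for app in rl["apps"]
    )


def can_use_apm(roles, space):
    """APM in a space needs BOTH read on the apm-* data indices AND
    feature_apm.read for that space, possibly coming from different roles."""
    has_data = any(
        fnmatchcase(SAMPLE_APM_INDEX, pattern) and "read" in priv["privileges"]
        for rl in roles for priv in rl["indices"] for pattern in priv["names"]
    )
    has_feature = _app_granted(roles, KIBANA_APPLICATION, f"space:{space}",
                               "feature_apm.read")
    return has_data and has_feature


def spaces_with_apm(roles, spaces):
    return [s for s in spaces if can_use_apm(roles, s)]


# apm_user as it is today: data access only, no Kibana feature privilege.
APM_USER_TODAY = role("apm_user", indices=[{"names": ["apm-*"], "privileges": ["read"]}])
# apm_user as proposed in the issue: feature_apm.read on "*" (every space).
APM_USER_PROPOSED = role("apm_user",
    indices=[{"names": ["apm-*"], "privileges": ["read"]}],
    apps=[{"application": "kibana-*", "resources": ["*"], "privileges": ["feature_apm.read"]}])
# Constructed custom role granting APM in the default space only.
APM_DEFAULT_SPACE_ONLY = role("apm_default_space",
    apps=[{"application": "kibana-*", "resources": ["space:default"],
           "privileges": ["feature_apm.read"]}])
```

With today's apm_user the user sees APM only in the default space; with the proposed apm_user the same user also sees it in every other space.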

sorenlouv commented 4 years ago

> I don't think we should change the apm_user role to grant access to the APM feature in Kibana in a minor version as this is a breaking change

Obviously I'd like to land this sooner rather than later since we are currently getting a bunch of support tickets from users who are confused about the security requirements for APM. But I see your point about breaking expectations so 8.0 will have to do.