Add run_as_kibana_system check per transform basis

elastic · Apr 13, 2023 · d9b9da5 · d9b9da5
1 parent 5bb5690
commit d9b9da5
Showing 1 changed file with 13 additions and 17 deletions.
diff --git a/x-pack/plugins/fleet/server/services/epm/elasticsearch/transform/install.ts b/x-pack/plugins/fleet/server/services/epm/elasticsearch/transform/install.ts
@@ -64,6 +64,7 @@ interface TransformInstallation extends TransformModuleBase {
   content: any;
   transformVersion?: string;
   installationOrder?: number;
+  runAsKibanaSystem?: boolean;
 }
 
 const installLegacyTransformsAssets = async (
@@ -257,6 +258,7 @@ const processTransformAssetsPerModule = (
           installationOrder,
           transformVersion,
           content,
+          runAsKibanaSystem,
         });
         transformsSpecifications.get(transformModuleId)?.set('transformVersionChanged', true);
       } else {
@@ -291,6 +293,7 @@ const processTransformAssetsPerModule = (
             installationOrder,
             transformVersion,
             content,
+            runAsKibanaSystem,
           });
           transformsSpecifications.get(transformModuleId)?.set('transformVersionChanged', true);
           aliasesRefs.push(allIndexAliasName, latestIndexAliasName);
@@ -374,11 +377,6 @@ const processTransformAssetsPerModule = (
     aliasesRefs,
     transformsToRemove,
     transformsToRemoveWithDestIndex,
-    // There might be multiple transforms in package, with only one set with run_as_kibana_system: false,
-    // in which case, we need to force all transforms in package to have runAsKibanaSystem: false
-    runAsKibanaSystem: !sortedTransforms.some(
-      (t) => t.content._meta?.run_as_kibana_system === false
-    ),
   };
 };
 
@@ -408,7 +406,7 @@ const installTransformsAssets = async (
       aliasesRefs,
       transformsToRemove,
       transformsToRemoveWithDestIndex,
-      runAsKibanaSystem,
+      // runAsKibanaSystem,
     } = processTransformAssetsPerModule(
       installablePackage,
       installNameSuffix,
@@ -421,15 +419,13 @@ const installTransformsAssets = async (
     // so we set runAsKibanaSystem: true by default (e.g. when run_as_kibana_system set to true/not defined in yml file).
     // If package should be installed as the logged in user, set run_as_kibana_system: false,
     // and pass es-secondary-authorization in header when creating the transforms.
-    const secondaryAuth = runAsKibanaSystem
-      ? undefined
-      : await generateTransformSecondaryAuthHeaders({
-          authorizationHeader,
-          logger,
-          pkgName: installablePackage.name,
-          pkgVersion: installablePackage.version,
-          username,
-        });
+    const secondaryAuth = await generateTransformSecondaryAuthHeaders({
+      authorizationHeader,
+      logger,
+      pkgName: installablePackage.name,
+      pkgVersion: installablePackage.version,
+      username,
+    });
 
     // ensure the .latest alias points to only the latest
     // by removing any associate of old destination indices
@@ -595,7 +591,7 @@ const installTransformsAssets = async (
           logger,
           transform,
           startTransform: transformsSpecifications.get(transform.transformModuleId)?.get('start'),
-          secondaryAuth,
+          secondaryAuth: transform.runAsKibanaSystem !== false ? undefined : secondaryAuth,
         });
         installedTransforms.push(installTransform);
       }
@@ -607,7 +603,7 @@ const installTransformsAssets = async (
           logger,
           transform,
           startTransform: transformsSpecifications.get(transform.transformModuleId)?.get('start'),
-          secondaryAuth,
+          secondaryAuth: transform.runAsKibanaSystem !== false ? undefined : secondaryAuth,
         });
       });