Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[8.x] Conditionally add agentless index permissions (#203810) #205719

Merged
merged 2 commits into from
Jan 9, 2025
Merged

[8.x] Conditionally add agentless index permissions (#203810) #205719

merged 2 commits into from
Jan 9, 2025

Conversation

orestisfl
Copy link
Contributor

Backport

This will backport the following commits from main to 8.x:

Questions ?

Please refer to the Backport tool documentation

@orestisfl
Conditionally add agentless index permissions (elastic#203810)
f7be4a0 
## Summary

Adds necessary permissions to write to the `agentless-*` index. See:
- Elasticsearch PR: elastic/elasticsearch#118644
- Context: elastic/security-team#11104

As part of elastic/security-team#11104, we
need to write integration data that needs to be persistent. The
implementation we are working on, uses Elasticsearch as the storage
mechanism for this data.

Normally, integrations write to data streams instead of normal ES
indices. However, data streams cannot provide a generic implementation
for our use case and thus we need a normal ES index.

This PR grants permissions from the fleet service account to the
agentless integrations to write to `agentless-*` ES indices.

In
`x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts`
there are other examples of other integrations that need ES index
permissions so there is prior art in doing this. The difference with
this PR however, is that we need to conditionally merge the extra
`agentless-*` permissions with any potential existing data stream
permissions since we are dealing with arbitrary agentless integrations.

(cherry picked from commit d0166b6)

# Conflicts:
#	x-pack/platform/plugins/shared/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
@orestisfl orestisfl enabled auto-merge (squash) January 7, 2025 12:47
@botelastic botelastic bot added the Team:Fleet Team label for Observability Data Collection Fleet team label Jan 7, 2025
@orestisfl orestisfl mentioned this pull request Jan 7, 2025
Merged
9 tasks
@elasticmachine
Copy link
Contributor

Pinging @elastic/fleet (Team:Fleet)

@orestisfl orestisfl self-assigned this Jan 7, 2025
@elasticmachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

cc @orestisfl

@orestisfl orestisfl merged commit 61e783a into elastic:8.x Jan 9, 2025
8 checks passed
@orestisfl orestisfl deleted the backport/8.x/pr-203810 branch January 9, 2025 13:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juliaElastic juliaElastic juliaElastic approved these changes

@kibanamachine kibanamachine Awaiting requested review from kibanamachine kibanamachine is a code owner

@seanrathier seanrathier Awaiting requested review from seanrathier

Assignees

@orestisfl orestisfl

Labels
backport Team:Fleet Team label for Observability Data Collection Fleet team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@orestisfl @elasticmachine @juliaElastic