Create manage_connector privilege#110128
Conversation
jedrazb
added
>non-issue
:Security/Authorization
|
Documentation preview: |
elasticsearchmachine
added
the
Team:SearchOrg
|
Pinging @elastic/es-security (Team:Security) |
|
Pinging @elastic/ent-search-eng (Team:SearchOrg) |
| "manage_rollup", | ||
| "manage_saml", | ||
| "manage_search_application", | ||
| "manage_search_connector", |
There was a problem hiding this comment.
Wouldn't it be required for the docs' tests? I think it makes sense to keep it there, as this console block references an actual privilege API output. Since the privilege is in ES, it will be returned, but I think we can skip documenting the manage_search_connector in the dedicated section.
| # This is fragile - it needs to be updated every time we add a new cluster/index privilege | ||
| # I would much prefer we could just check that specific entries are in the array, but we don't have | ||
| # an assertion for that |
There was a problem hiding this comment.
unrelated to your changes, but I always wondered if this comment is still accurate and why couldn't we just assert the contents of the array
| ); | ||
|
|
||
| private static final Set<String> MANAGE_SEARCH_APPLICATION_PATTERN = Set.of("cluster:admin/xpack/application/search_application/*"); | ||
| private static final Set<String> MANAGE_SEARCH_CONNECTOR_PATTERN = Set.of("cluster:admin/xpack/connector/*"); |
There was a problem hiding this comment.
one side effect is that manage_search_connector will include the read_connector_secret and write_connector_secret, but that is the intention right?
There was a problem hiding this comment.
It is a requirement that the user managing connectors has write_connector_secrets, so that API keys can be stored for the Connector (only relevant if the Connector is native). So that is okay to include.
Regarding read_connector_secrets, I don't think it's a requirement for users to have this. It should only be important for the Connector itself to read the API key.
If a user needs read_connector_secrets for some reason they could manually assign it to whichever role anyway, there is no restriction from doing this.
There was a problem hiding this comment.
Good spot! I see that it's possible to define excludePatterns in the ActionClusterPrivilege constructor.
* Constructor for {@link ActionClusterPrivilege} that defines what cluster actions are accessible for the
* user with this privilege after excluding the action patterns {@code excludedActionPatterns} from the allowed action patterns
* {@code allowedActionPatterns}
If I read the javadoc correctly it should allow us to match cluster:admin/xpack/connector/* while it's possible to exclude secrets-related privileges.
@navarone-feekery do you think the best way forward is to exclude all secret-related privileges from manage_search_connector to keep status quo? Right now API key generated used by connector service doesn't have this privilege right?
There was a problem hiding this comment.
do you think the best way forward is to exclude all secret-related privileges from manage_search_connector to keep status quo?
I think so. Users don't need read_connector_secrets, and having write_connector_secrets be separate for now is okay. It is already a documented requirement for creating a native connector. It has a slightly different scope and we can always add it later if we expand secrets to do more things (like storing sensitive RCF values).
Right now API key generated used by connector service doesn't have this privilege right?
Yes that's correct. Native connectors use the Enterprise Search system role to fetch the API key from connector secrets, then native connectors use that API key to index documents. The API key that a Connector uses to index docs itself doesn't need access to secrets.
|
My understanding is that the new privilege isn't currently used by anything, but implicitly grants Do you think splitting it into more granular privileges might make sense and is there a use case for that? Such as
Thank you! |
|
If you want this new privilege in serverless it needs to be added here. You will need to merge this PR before adding it and then either add it to the serverless registry or to the tests “ignore” list, otherwise the serveless ci will fail. |
|
Hey @jfreden thank you for reviewing. Answering your questions:
Yes, you got it right :) The story is that:
All of our current use-cases require to have read and write permissions at the same time, so to me it makes sense to "package" is as a single
Actually we might want to exclude some secrets-related patterns from that privilege, do I understand correctly that we can use
You are right that
I will def reach out to you before merging to clarify exact steps 😅 |
jedrazb
changed the title
manage_search_connector privilegemanage_connector privilege
… secrets patterns from this privilege
|
Thanks @jedrazb!
Sounds like there is a use case for Kibana where they need only read access, so adding a
In general we should avoid naming privileges based on our internal org structure since it might change and it can confuse users.
After thinking more about this I think the expectation on the I brought this PR up in todays Elasticsearch security team meeting and we have some concerns around reading and writing secrets through the API. In general we should not write or read secrets through the API, but instead use the elasticsearch-keystore and store the secrets in secure settings. I can see that the read and write secrets are used to store api keys needed by the connectors and it might not be possible to build the functionality you're trying to build using the keystore. Is using the keystore something you considered? CC: @bytebilly |
|
Hi @jfreden thank you for bringing this topic up in the Elasticsearch security team meeting
Sure, we can include
This case is tricky. We don't necessarily expect that a user/service that has How strongly are you feeling that
I don't have the full context about this decision. IIRC we followed the pattern established by Fleet (see read_fleet_secrets and write_fleet_secrets). I can share more context from the implementation doc in Slack. I'm not sure if using elasticsearch-keystore was considered. I could tag some folks with more context if this doesn't answer your question. Let me know! |
|
Thanks for adding that @jedrazb and thanks for the added context! Even though this change is not related to the secrets, I feel hesitant to approving it until I better understand this part:
The security team is concerned about how the Fleet secrets index was handled and we don't have any recommendation on how this should ideally be built. I'm going to sync with the rest of the team and get back to you as soon as I can, probably early next week. I understand this is time critical and will try to move as fast as possible. |
Since privilege names are often namespaced and used with globs, we want to ensure that if there's a future privilege like `manage_connector_secrets`, that it is not implicitly included in this new privileg's <name>*. By extending the privilege name to include "_state", we better namespace this distinct from any "_secrets" namespace.
| "manage_pipeline", | ||
| "manage_ilm", | ||
| // For connectors telemetry | ||
| "monitor_connector_state", |
There was a problem hiding this comment.
question: do I understand correctly this new privilege will eventually replace existing RoleDescriptor.IndicesPrivileges.builder().indices(".elastic-connectors*").privileges("read") index privilege? If so, do we have any issue tracking this cleanup work to maintain the kibana_system in good and current shape?
There was a problem hiding this comment.
You do understand that correctly. We'll be moving .elastic-connectors* to be system indices, so I'm pretty sure we'll be forced to clean this up.
There was a problem hiding this comment.
You do understand that correctly. We'll be moving .elastic-connectors* to be system indices,
Okay, thanks for confirming.
so I'm pretty sure we'll be forced to clean this up.
I hope so, but I'm not sure. Let's record this somewhere so we don't forget (context: we're trying really hard to contain what kibana_system is allowed to do).
jfreden
left a comment
jfreden
left a comment
There was a problem hiding this comment.
Sorry to go back and forth on this but I misunderstood some of the feedback from the rest of the team.
The manage_connector_state name is not aligned with other privileges we have and manage_connector is implicitly expected to include secrets to align with other manage_* privileges.
Adding one of these privileges is a big deal since we can't just change them once they're added for backwards compatibility reasons. To add manage_connector (with secrets management) we need to first align on a security model. We do not feel comfortable with adding a privilege that could result in users storing unencrypted secrets in Elasticsearch.
This reverts commit 70b89ee. After further discussion with the security team, this name change is not needed after all since the secret management privileges aren't currently prefixed with "manage_"
jfreden
left a comment
jfreden
left a comment
There was a problem hiding this comment.
LGTM! Thanks for addressing and discussing our concerns!
azasypkin
left a comment
azasypkin
left a comment
There was a problem hiding this comment.
Changes in x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java LGTM (not expanding Kibana System privileges as equivalent privileges were already granted).
…ys (#187361) ## Summary We introduced `manage_connector` privilege in ES: elastic/elasticsearch#110128 Let's use it for new generated API keys for connectors. Note: this privilege was merged to ES yesterday, so CI might fail if the ES image was not updated yet. ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - We will add this privilege in ES docs - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
9 participants
Changes
Define
manage_connectorandmonitor_connectorprivileges that will be required role by Connector APIs. Migration of existing logic and endpoints to use this privilege will be done in next steps.I followed pattern from a previous similar PR: #97941 , few notes:
manage_connectoris not used as of now, I didn't add this to public docs in:docs/reference/security/authorization/privileges.asciidoc(issue to do it once we start using this for api auth)