
Commit 9870ade

authored
[Fleet] Reduce permissions. (#90302)
* Reduce permissions. * Change permissions back. * Reducing permissions on fleet_enroll role - 'write', 'create_index' -> 'auto_configure', 'create_doc' * Remove indices:admin/auto_create from privileges.
1 parent 57d9dd1 commit 9870ade


4 files changed

+10
-53
lines changed


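--- a/x-pack/plugins/fleet/server/services/api_keys/index.ts
+++ b/x-pack/plugins/fleet/server/services/api_keys/index.ts
@@ -22,17 +22,8 @@ export async function generateOutputApiKey(
 cluster: ['monitor'],
 index: [
 {
-names: [
-'logs-*',
-'metrics-*',
-'traces-*',
-'.ds-logs-*',
-'.ds-metrics-*',
-'.ds-traces-*',
-'.logs-endpoint.diagnostic.collection-*',
-'.ds-.logs-endpoint.diagnostic.collection-*',
-],
-privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
+privileges: ['auto_configure', 'create_doc'],
 },
 ],
 },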
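Review bot: The narrowed descriptor at `privileges: ['auto_configure', 'create_doc']` carries no comment recording why the `.ds-*` backing-index patterns and `write` could be dropped, which makes it easy for a later change to widen the grant again. A comment above `names` would help, for example `// Data stream names only: privileges on a data stream also cover its backing indices; create_doc limits agents to append-only writes (op_type create).` An Elasticsearch API key keeps the role descriptors it was created with, so keys issued before this change presumably still hold `write` and `create_index` until they are invalidated and reissued; the commit does not show whether that is handled. The body of generateOutputApiKey starts and ends outside the hunk.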

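--- a/x-pack/plugins/fleet/server/services/setup.ts
+++ b/x-pack/plugins/fleet/server/services/setup.ts
@@ -192,17 +192,8 @@ async function putFleetRole(callCluster: CallESAsCurrentUser) {
 cluster: ['monitor', 'manage_api_key'],
 indices: [
 {
-names: [
-'logs-*',
-'metrics-*',
-'traces-*',
-'.ds-logs-*',
-'.ds-metrics-*',
-'.ds-traces-*',
-'.logs-endpoint.diagnostic.collection-*',
-'.ds-.logs-endpoint.diagnostic.collection-*',
-],
-privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
+privileges: ['auto_configure', 'create_doc'],
 },
 ],
 },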
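Review bot: The pattern list and privilege pair in putFleetRole are a second hand-maintained copy of the literal in generateOutputApiKey (api_keys/index.ts), and the same values are repeated again in the two test files. An API key's effective privileges are the intersection of its own descriptor and its owner's privileges, so if the output key is created by a user holding this role (not visible in the hunk), any drift between the copies silently changes what agents can write. Consider one shared exported constant used in both places, e.g. `names: AGENT_DATA_INDEX_PATTERNS, privileges: AGENT_DATA_INDEX_PRIVILEGES` (suggested names, not existing ones). The role still grants cluster-level `manage_api_key`; a short comment stating why it is needed would help the next least-privilege review. putFleetRole continues outside the hunk.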

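--- a/x-pack/test/fleet_api_integration/apis/agents_setup.ts
+++ b/x-pack/test/fleet_api_integration/apis/agents_setup.ts
@@ -60,17 +60,8 @@ export default function (providerContext: FtrProviderContext) {
 cluster: ['monitor', 'manage_api_key'],
 indices: [
 {
-names: [
-'logs-*',
-'metrics-*',
-'traces-*',
-'.ds-logs-*',
-'.ds-metrics-*',
-'.ds-traces-*',
-'.logs-endpoint.diagnostic.collection-*',
-'.ds-.logs-endpoint.diagnostic.collection-*',
-],
-privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
+privileges: ['auto_configure', 'create_doc'],
 allow_restricted_indices: false,
 },
 ],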

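--- a/x-pack/test/fleet_api_integration/apis/fleet_setup.ts
+++ b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts
@@ -62,15 +62,8 @@ export default function (providerContext: FtrProviderContext) {
 cluster: ['monitor', 'manage_api_key'],
 indices: [
 {
-names: [
-'logs-*',
-'metrics-*',
-'traces-*',
-'.ds-logs-*',
-'.ds-metrics-*',
-'.ds-traces-*',
-],
-privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+names: ['logs-*', 'metrics-*', 'traces-*'],
+privileges: ['create_doc', 'indices:admin/auto_create'],
 allow_restricted_indices: false,
 },
 ],
@@ -101,17 +94,8 @@ export default function (providerContext: FtrProviderContext) {
 cluster: ['monitor', 'manage_api_key'],
 indices: [
 {
-names: [
-'logs-*',
-'metrics-*',
-'traces-*',
-'.ds-logs-*',
-'.ds-metrics-*',
-'.ds-traces-*',
-'.logs-endpoint.diagnostic.collection-*',
-'.ds-.logs-endpoint.diagnostic.collection-*',
-],
-privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
+privileges: ['auto_configure', 'create_doc'],
 allow_restricted_indices: false,
 },
 ],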
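Review bot: The first hunk leaves `privileges: ['create_doc', 'indices:admin/auto_create']` with `names: ['logs-*', 'metrics-*', 'traces-*']`, which does not match the rest of the commit. The second hunk and the other three files use `['auto_configure', 'create_doc']` plus the `.logs-endpoint.diagnostic.collection-*` pattern, and the commit message says `indices:admin/auto_create` was removed. If this object is the fixture for a stale pre-existing role that setup is expected to overwrite, say so with a comment such as `// deliberately outdated role; setup must replace it with the current privileges`. If it is an expected value instead, it should match the second hunk. Both objects sit in test bodies that start and end outside the hunks.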
