-
Notifications
You must be signed in to change notification settings - Fork 8.6k
[Ai4DSoc][Serverless] Update search_ai_lake tier specific roles
#229919
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
ashokaditya
merged 18 commits into
elastic:main
from
ashokaditya:task/pre-defined-roles-ai4dsoc
Aug 8, 2025
Merged
Changes from 13 commits
Commits
Show all changes
18 commits
Select commit
Hold shift + click to select a range
b23744a
Update search_ai_lake tier specific roles
ashokaditya f3ce0bc
update names
ashokaditya 545703d
update ES script to allow setting product tier
ashokaditya 6a90d55
[CI] Auto-commit changed files from 'node scripts/eslint_all_files --…
kibanamachine 78daf03
fix ES startup for non search_ai_lake tiers
ashokaditya 763db18
[CI] Auto-commit changed files from 'node scripts/eslint_all_files --…
kibanamachine 1843c72
Merge branch 'main' into task/pre-defined-roles-ai4dsoc
ashokaditya 84d4640
review changes
ashokaditya 278c5a6
review changes
ashokaditya 855cf2b
review changes
ashokaditya 7913b7f
update codeowners for the new roles file
ashokaditya 7fed1f4
check if tier specific role file exists
ashokaditya c17029e
Merge branch 'main' into task/pre-defined-roles-ai4dsoc
ashokaditya c8bfdaf
fix naming
ashokaditya 701eaf2
Merge branch 'main' into task/pre-defined-roles-ai4dsoc
ashokaditya 930c3ff
Merge branch 'main' into task/pre-defined-roles-ai4dsoc
ashokaditya 54c79dc
Merge branch 'main' into task/pre-defined-roles-ai4dsoc
ashokaditya 7279672
Merge branch 'main' into task/pre-defined-roles-ai4dsoc
ashokaditya File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 changes: 1 addition & 3 deletions
4
...platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
130 changes: 130 additions & 0 deletions
130
...es/shared/kbn-es/src/serverless_resources/project_roles/security/search_ai_lake/roles.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,130 @@ | ||
| # Predefined roles for "Security" "SearchAiLake" (tier) project types | ||
| # Source: https://github.com/elastic/elasticsearch-controller/blob/main/internal/config/roles/security.search_ai_lake.yaml | ||
|
|
||
| _search_ai_lake_analyst: | ||
| metadata: | ||
| _public: true | ||
| _reserved: true | ||
| cluster: | ||
| - "monitor_ml" | ||
| - "monitor_connector" | ||
| indices: | ||
| - names: | ||
| - ".alerts-security*" | ||
| - ".siem-signals-*" | ||
| - ".preview.alerts-security*" | ||
| - ".internal.preview.alerts-security*" | ||
| - ".adhoc.alerts-security*" | ||
| - ".internal.adhoc.alerts-security*" | ||
| - ".internal.alerts-security*" | ||
| - "security_solution-alert-*" | ||
| privileges: | ||
| - "read" | ||
| - "view_index_metadata" | ||
| - names: | ||
| - ".lists*" | ||
| - ".items*" | ||
| - ".fleet-agents*" | ||
| - ".fleet-actions*" | ||
| - "risk-score.risk-score-*" | ||
| - ".entities.v1.latest.security_*" | ||
| - ".ml-anomalies-*" | ||
| - "security_solution-*.misconfiguration_latest*" | ||
| - ".elastic-connectors" | ||
| privileges: | ||
| - "read" | ||
| - names: | ||
| - "synthetics-*-" | ||
| - "metrics-*-" | ||
| - "logs-*-" | ||
| - "traces-*-" | ||
| - "profiling-*" | ||
| privileges: | ||
| - "view_index_metadata" | ||
| - "read" | ||
| applications: | ||
| - application: "kibana-.kibana" | ||
| privileges: | ||
| - "feature_ml.read" | ||
| - "feature_siemV3.all" | ||
| - "feature_securitySolutionCasesV2.all" | ||
| - "feature_securitySolutionAssistant.all" | ||
| - "feature_securitySolutionAttackDiscovery.all" | ||
| - "feature_builtInAlerts.all" | ||
| - "feature_actions.all" | ||
| - "feature_discover_v2.read" | ||
| - "feature_savedQueryManagement.read" | ||
| - "feature_indexPatterns.read" | ||
| - "feature_fleetv2.read" | ||
| resources: "*" | ||
| run_as: [] | ||
|
|
||
| _search_ai_lake_soc_manager: | ||
| metadata: | ||
| _public: true | ||
| _reserved: true | ||
| cluster: | ||
| - "monitor_ml" | ||
| - "monitor_connector" | ||
| indices: | ||
| - names: | ||
| - "apm-*-transaction*" | ||
| - "traces-apm*" | ||
| - "auditbeat-*" | ||
| - "endgame-*" | ||
| - "filebeat-*" | ||
| - "logs-*" | ||
| - "packetbeat-*" | ||
| - "winlogbeat-*" | ||
| - "logstash-*" | ||
| - ".asset-criticality.asset-criticality-*" | ||
| - "security_solution-*.misconfiguration_latest*" | ||
| privileges: | ||
| - "read" | ||
| - "write" | ||
| - names: | ||
| - ".alerts-security*" | ||
| - ".siem-signals-*" | ||
| - ".preview.alerts-security*" | ||
| - ".internal.preview.alerts-security*" | ||
| - ".adhoc.alerts-security*" | ||
| - ".internal.adhoc.alerts-security*" | ||
| - ".internal.alerts-security*" | ||
| privileges: | ||
| - "read" | ||
| - "write" | ||
| - "manage" | ||
| - "view_index_metadata" | ||
| - names: | ||
| - ".lists*" | ||
| - ".items*" | ||
| privileges: | ||
| - "read" | ||
| - "write" | ||
| - "view_index_metadata" | ||
| - names: | ||
| - "metrics-endpoint.metadata_current_*" | ||
| - ".fleet-agents*" | ||
| - ".fleet-actions*" | ||
| - "risk-score.risk-score-*" | ||
| - ".entities.v1.latest.security_*" | ||
| - ".ml-anomalies-*" | ||
| privileges: | ||
| - "read" | ||
| applications: | ||
| - application: "kibana-.kibana" | ||
| privileges: | ||
| - "feature_siemV3.all" | ||
| - "feature_siemV3.global_artifact_management_all" | ||
| - "feature_siemV3.workflow_insights_all" | ||
| - "feature_securitySolutionCasesV2.all" | ||
| - "feature_securitySolutionAssistant.all" | ||
| - "feature_securitySolutionAttackDiscovery.all" | ||
| - "feature_actions.all" | ||
| - "feature_builtInAlerts.all" | ||
| - "feature_indexPatterns.all" | ||
| - "feature_discover_v2.all" | ||
| - "feature_savedQueryManagement.all" | ||
| - "feature_ml.all" | ||
| - "feature_fleetv2.all" | ||
| resources: "*" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,7 +9,7 @@ | |
|
|
||
| import chalk from 'chalk'; | ||
| import execa from 'execa'; | ||
| import fs from 'fs'; | ||
| import fs, { existsSync } from 'fs'; | ||
| import Fsp from 'fs/promises'; | ||
| import pRetry from 'p-retry'; | ||
| import { resolve, basename, join } from 'path'; | ||
|
|
@@ -64,11 +64,22 @@ interface BaseOptions extends ImageOptions { | |
| } | ||
|
|
||
| export const serverlessProjectTypes = new Set<string>(['es', 'oblt', 'security', 'chat']); | ||
| export const ServerlessProductTiers = new Set<string>([ | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nittest of all nits: should start with small letter
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Nice catch. Fixed that in c8bfdaf |
||
| 'essentials', | ||
| 'logs_essentials', | ||
| 'complete', | ||
| 'search_ai_lake', | ||
| ]); | ||
| export const isServerlessProjectType = (value: string): value is ServerlessProjectType => { | ||
| return serverlessProjectTypes.has(value); | ||
| }; | ||
|
|
||
| export type ServerlessProjectType = 'es' | 'oblt' | 'security' | 'chat'; | ||
| export type ServerlessProductTier = | ||
| | 'essentials' | ||
| | 'logs_essentials' | ||
| | 'complete' | ||
| | 'search_ai_lake'; | ||
|
|
||
| export interface DockerOptions extends EsClusterExecOptions, BaseOptions { | ||
| dockerCmd?: string; | ||
|
|
@@ -79,6 +90,8 @@ export interface ServerlessOptions extends EsClusterExecOptions, BaseOptions { | |
| host?: string; | ||
| /** Serverless project type */ | ||
| projectType: ServerlessProjectType; | ||
| /** Product tier for serverless project */ | ||
| productTier?: ServerlessProductTier; | ||
| /** Clean (or delete) all data created by the ES cluster after it is stopped */ | ||
| clean?: boolean; | ||
| /** Full path where the ES cluster will store data */ | ||
|
|
@@ -630,6 +643,7 @@ export async function setupServerlessVolumes(log: ToolingLog, options: Serverles | |
| files, | ||
| resources, | ||
| projectType, | ||
| productTier, | ||
| dataPath = 'stateless', | ||
| } = options; | ||
| const objectStorePath = resolve(basePath, dataPath); | ||
|
|
@@ -689,8 +703,21 @@ export async function setupServerlessVolumes(log: ToolingLog, options: Serverles | |
| }, {} as Record<string, string>) | ||
| : {}; | ||
|
|
||
| const tierSpecificRolesFileExists = (filePath: string): boolean => { | ||
| try { | ||
| return existsSync(filePath); | ||
| } catch (e) { | ||
| return false; | ||
| } | ||
| }; | ||
|
|
||
| // Read roles for the specified projectType | ||
| const rolesResourcePath = resolve(SERVERLESS_ROLES_ROOT_PATH, projectType, 'roles.yml'); | ||
| const tierSpecificRolesResourcePath = | ||
| productTier && resolve(SERVERLESS_ROLES_ROOT_PATH, projectType, productTier, 'roles.yml'); | ||
| const rolesResourcePath = | ||
| tierSpecificRolesResourcePath && tierSpecificRolesFileExists(tierSpecificRolesResourcePath) | ||
| ? tierSpecificRolesResourcePath | ||
| : resolve(SERVERLESS_ROLES_ROOT_PATH, projectType, 'roles.yml'); | ||
|
|
||
| const resourcesPaths = [...SERVERLESS_RESOURCES_PATHS, rolesResourcePath]; | ||
|
|
||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
productTieris optional with this change to minimise the changes needed in all the files that usesrc/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.ymlfor security serverless tests.