Home Explore Help
Register Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Add read permissions for osquery manager result indices (#130824)

* Add read permissions for osquery manager result indices

* Update docs/changelog/130824.yaml
Konrad Szwarc 1 month ago
parent
713ac41369
commit
061562a990
3 changed files with 66 additions and 0 deletions
Split View Show Diff Stats
  1. 5 0
      docs/changelog/130824.yaml
  2. 6 0
      x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
  3. 55 0
      x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

+ 5 - 0
docs/changelog/130824.yaml
View File 

@@ -0,0 +1,5 @@
 
+pr: 130824
 
+summary: Add read permissions for osquery manager result indices
 
+area: Security
 
+type: enhancement
 
+issues: []

+ 6 - 0
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
View File 

@@ -327,6 +327,7 @@ class KibanaOwnedReservedRoleDescriptors {
 
                         ".logs-osquery_manager.actions-*",
 
                         ".logs-osquery_manager.action.responses-*",
 
                         "logs-osquery_manager.action.responses-*",
 
+                        "logs-osquery_manager.result-*",
 
                         "profiling-*"
 
                     )
 
                     .privileges(
 
@@ -369,6 +370,11 @@ class KibanaOwnedReservedRoleDescriptors {
 
                     .indices(".logs-osquery_manager.actions-*")
 
                     .privileges("auto_configure", "create_index", "read", "index", "write", "delete")
 
                     .build(),
 
+                // Osquery manager specific results. Kibana reads from these to display results to the user.
 
+                RoleDescriptor.IndicesPrivileges.builder()
 
+                    .indices("logs-osquery_manager.result-*")
 
+                    .privileges("read", "view_index_metadata")
 
+                    .build(),
 
 
                 // Third party agent (that use non-Elastic Defend integrations) info logs
 
                 // indices.

+ 55 - 0
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
View File 

@@ -1059,6 +1059,33 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
             assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
 
         });
 
 
+        Arrays.asList("logs-osquery_manager.result-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((osqIndex) -> {
 
+            final IndexAbstraction indexAbstraction = mockIndexAbstraction(osqIndex);
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(indexAbstraction), is(false));
 
+            assertThat(
 
+                kibanaRole.indices().allowedIndicesMatcher(TransportDeleteIndexAction.TYPE.name()).test(indexAbstraction),
 
+                is(false)
 
+            );
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(indexAbstraction), is(true));
 
+            assertThat(
 
+                kibanaRole.indices().allowedIndicesMatcher(TransportCreateIndexAction.TYPE.name()).test(indexAbstraction),
 
+                is(false)
 
+            );
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportIndexAction.NAME).test(indexAbstraction), is(false));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportDeleteAction.NAME).test(indexAbstraction), is(false));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportSearchAction.TYPE.name()).test(indexAbstraction), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportMultiSearchAction.TYPE.name()).test(indexAbstraction), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportGetAction.TYPE.name()).test(indexAbstraction), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(indexAbstraction), is(false));
 
+            assertThat(
 
+                kibanaRole.indices().allowedIndicesMatcher(TransportUpdateSettingsAction.TYPE.name()).test(indexAbstraction),
 
+                is(true)
 
+            );
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportPutMappingAction.TYPE.name()).test(indexAbstraction), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
 
+        });
 
+
 
         // Tests for third-party agent indices that `kibana_system` has only `read` access
 
         Arrays.asList(
 
             "logs-sentinel_one." + randomAlphaOfLength(randomIntBetween(0, 13)),
 
@@ -1617,6 +1644,34 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
             assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
 
         });
 
 
+        // read-only datastream for osquery_manager
 
+        Arrays.asList("logs-osquery_manager.result-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((osqIndex) -> {
 
+            final IndexAbstraction indexAbstraction = mockIndexAbstraction(osqIndex);
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(indexAbstraction), is(false));
 
+            assertThat(
 
+                kibanaRole.indices().allowedIndicesMatcher(TransportDeleteIndexAction.TYPE.name()).test(indexAbstraction),
 
+                is(false)
 
+            );
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(indexAbstraction), is(true));
 
+            assertThat(
 
+                kibanaRole.indices().allowedIndicesMatcher(TransportCreateIndexAction.TYPE.name()).test(indexAbstraction),
 
+                is(false)
 
+            );
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportIndexAction.NAME).test(indexAbstraction), is(false));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportDeleteAction.NAME).test(indexAbstraction), is(false));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportSearchAction.TYPE.name()).test(indexAbstraction), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportMultiSearchAction.TYPE.name()).test(indexAbstraction), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportGetAction.TYPE.name()).test(indexAbstraction), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(indexAbstraction), is(false));
 
+            assertThat(
 
+                kibanaRole.indices().allowedIndicesMatcher(TransportUpdateSettingsAction.TYPE.name()).test(indexAbstraction),
 
+                is(true)
 
+            );
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportPutMappingAction.TYPE.name()).test(indexAbstraction), is(true));
 
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
 
+        });
 
+
 
         // read-only datastream for csp indices
 
         Arrays.asList("logs-cloud_security_posture.findings-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((cspIndex) -> {
 
             final IndexAbstraction indexAbstraction = mockIndexAbstraction(cspIndex);