
Use less restrictive API to check if template exists #13847

Merged (3 commits), Oct 3, 2019

Conversation

cwurm (Contributor) commented Sep 30, 2019

Switches from using HEAD _template/{name} to GET _cat/templates/{name} to check if a template exists before trying to load it.

The significance is that the _cat/templates API requires only the monitor cluster privilege and not the far more permissive manage_index_templates. With this change, the default Beats configuration works without any unnecessary write privileges for publishing. (Note: The documentation recommended setting setup.template.enabled to false which turns off the template check completely.)

This is one of three PRs to reduce the Beats privileges required in code and documentation:

  1. Use less restrictive API to check if template exists (this PR)
  2. Do not check for alias when setup.ilm.check_exists is false (#13848)
  3. Docs: Update writer role with least required privileges (#13849)

Relates: #10241
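What the `_cat/templates` existence check looks like in Go, as an added illustration and not libbeat's actual implementation: the function issues GET `_cat/templates/{name}?format=json` with a plain net/http client, treats a non-200 status (for example a 403 from a role that lacks `monitor`) as an error rather than as "template absent", and compares template names exactly because the path segment accepts wildcard patterns. The client, base URL and template name are assumed inputs; `main` runs it against a constructed in-process stand-in for the endpoint.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// catTemplate is one row of GET _cat/templates?format=json; only the name column is used.
type catTemplate struct{ Name string `json:"name"` }

// TemplateExists reports whether an index template named exactly `name` exists,
// using GET _cat/templates/{name}?format=json, which needs only the `monitor`
// cluster privilege (HEAD _template/{name} needs manage_index_templates).
// Illustrative code, not libbeat's own; client and baseURL are assumed inputs.
func TemplateExists(client *http.Client, baseURL, name string) (bool, error) {
	resp, err := client.Get(baseURL + "/_cat/templates/" + url.PathEscape(name) + "?format=json")
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// A 403 here means the role lacks `monitor`; surface it instead of silently
		// reporting "absent", which would make the caller attempt a privileged PUT.
		return false, fmt.Errorf("_cat/templates returned HTTP %d", resp.StatusCode)
	}
	var rows []catTemplate
	if err := json.NewDecoder(resp.Body).Decode(&rows); err != nil {
		return false, fmt.Errorf("decoding _cat/templates response: %w", err)
	}
	// The {name} path segment accepts wildcard patterns, so compare names exactly
	// rather than trusting any non-empty response.
	for _, r := range rows {
		if r.Name == name {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed in-process stand-in for the endpoint holding one template (not a real cluster).
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode([]catTemplate{{Name: "filebeat-example"}})
	}))
	defer srv.Close()
	fmt.Println(TemplateExists(srv.Client(), srv.URL, "filebeat-example")) // true <nil>
}
```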

cwurm force-pushed the libbeat_template_get branch from b391371 to 6d26df7 (October 2, 2019 11:02)
cwurm force-pushed the libbeat_template_get branch from 6d26df7 to e51e01f (October 2, 2019 15:25)
cwurm merged commit b28ac98 into elastic:master (Oct 3, 2019)
cwurm deleted the libbeat_template_get branch (October 3, 2019 08:27)
cwurm pushed a commit that referenced this pull request Oct 14, 2019
Updates the writer role documentation based on #13847 and #13848. Also corrects some mistakes.
1. Changes `read from` to the correct `write to` (Beats does not read from indices).
2. Setting `setup.template.enabled` to `false` is no longer necessary after #13847.
3. Setting `setup.ilm.overwrite` to `false` is unnecessary if `setup.ilm.check_exists` is already `false` (even today).
4. Adds a note about only `monitor` and `create_doc` being always necessary, explicitly calling out the most secure configuration (following #13847 and #13848).
5. Corrects what `monitor` is for: It's for checking things like cluster version and license, not "sending monitor info".
6. Replaces `manage_pipeline` with the read-only `cluster:admin/ingest/pipeline/get`. Unfortunately, there is no read-only cluster role for pipelines, so it requires this privilege. But better than the very permissive `manage_pipeline` that allows changing any pipeline.
7. Changes `index` to the more restrictive, append-only `create_doc` (introduced in elastic/elasticsearch#45806).
urso added the v7.5.0 label Oct 22, 2019