
docs: Update standalone apm server API key required privileges

Open carsonip opened this issue 2 years ago • 7 comments

The documentation around required APM server API keys privileges is outdated. https://www.elastic.co/guide/en/apm/guide/current/feature-roles.html

The privileges that the fleet-server has are listed directly in ES https://github.com/elastic/elasticsearch/blob/main/x-pack/docs/en/rest-api/security/get-service-accounts.asciidoc?plain=1#L64C28-L85. These privileges need to contain all the privileges that apm needs, as they are the basis for the API Keys that are created from them when using the Elastic Agent and Fleet.

carsonip avatar Jan 17 '23 11:01 carsonip

@bmorelli25 could you take a look at this please, we had some users running into issues on upgrade as we haven't updated the required security privileges.

simitt avatar Jan 25 '23 08:01 simitt

Taking a look at this now, and I'm slightly confused. The page you link to in the docs is for standalone APM Server, but those privileges are for Fleet. Also, what role are changes required for? All of them?

bmorelli25 avatar Mar 10 '23 21:03 bmorelli25

Okay so...

ES docs indicate the following cluster level privileges for Fleet Server:

  "cluster":[
    "manage_own_api_key",
    "monitor"
  ],

ES docs indicate privileges are required on the following indices:

  "indices":[
    {
      "names":[
        "logs-*",
        "metrics-*",
        "traces-*",
        ".logs-endpoint.diagnostic.collection-*",
        ".logs-endpoint.action.responses-*"
      ],

ES docs indicate that the following index-level privileges are needed:

          "privileges": [
            "write",
            "create_index",
            "auto_configure"
          ],

These privileges need to contain all the privileges that apm needs, as they are the basis for the API Keys that are created from them when using the Elastic Agent and Fleet.

So our API key creation needs to include all of the above, plus the following application-level privileges:

  "applications":[
    {
      "application":"apm",
      "privileges":[
        "event:write"
      ],
      "resources":[
        "*"
      ]
    }
  ]

Which results in this. Does this sound right?

{
  "cluster":[
    "manage_own_api_key",
    "monitor"
  ],
  "indices":[
    {
      "names":[
        "logs-*",
        "metrics-*",
        "traces-*",
        ".logs-endpoint.diagnostic.collection-*",
        ".logs-endpoint.action.responses-*"
      ],
      "privileges":[
        "write",
        "create_index",
        "auto_configure"
      ],
      "allow_restricted_indices":false
    }
  ],
  "applications":[
    {
      "application":"apm",
      "privileges":[
        "event:write"
      ],
      "resources":[
        "*"
      ]
    }
  ]
}

bmorelli25 avatar Mar 28 '23 00:03 bmorelli25

@bmorelli25 I don't think that the apm-server standalone needs all of these privileges; will try to dig into this in the next couple of days.

simitt avatar Mar 30 '23 09:03 simitt

@bmorelli25 apologies for coming back to this so late; the applications privileges should only be needed for elastic apm agents communicating with the apm-server, but not for ApiKeys used by the apm-server to communicate to ES. I also don't think that the server needs cluster privileges (but haven't tested this out). IMO this should be enough:

  "indices":[
    {
      "names":[
        "logs-*",
        "metrics-*",
        "traces-*"
      ],
      "privileges":[
        "write",
        "create_index",
        "auto_configure"
      ]
    }
  ]

simitt avatar Oct 19 '23 06:10 simitt
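An added example, not code from the issue or from the apm-server project: it builds the `POST /_security/api_key` body for exactly the index privileges listed in the comment above, and checks a `_has_privileges` response so an existing key can be verified before an upgrade. The role descriptor name `apm_server_writer` and the sample response are constructed assumptions.

```python
import json

# Minimal index privileges for a standalone APM Server API key, as listed
# in the comment above: no cluster and no application privileges.
APM_SERVER_INDICES = ["logs-*", "metrics-*", "traces-*"]
APM_SERVER_INDEX_PRIVILEGES = ["write", "create_index", "auto_configure"]


def api_key_request(name: str = "apm-server") -> dict:
    """Body for POST /_security/api_key creating a least-privilege key."""
    return {
        "name": name,
        "role_descriptors": {
            # Descriptor name is an assumption; Elasticsearch accepts any name.
            "apm_server_writer": {
                "cluster": [],
                "indices": [{"names": APM_SERVER_INDICES,
                             "privileges": APM_SERVER_INDEX_PRIVILEGES}],
            }
        },
    }


def has_privileges_request() -> dict:
    """Body for GET /_security/user/_has_privileges, sent while authenticated
    with the API key under test."""
    return {"index": [{"names": APM_SERVER_INDICES,
                       "privileges": APM_SERVER_INDEX_PRIVILEGES}]}


def missing_privileges(response: dict) -> list:
    """Return 'pattern:privilege' entries that the _has_privileges response
    does not grant; an empty list means the key is sufficient."""
    missing = []
    for pattern in APM_SERVER_INDICES:
        granted = response.get("index", {}).get(pattern, {})
        for priv in APM_SERVER_INDEX_PRIVILEGES:
            if not granted.get(priv, False):
                missing.append(f"{pattern}:{priv}")
    return missing


# Constructed sample response (not captured from a real cluster): a key
# created from older docs that lacked the auto_configure privilege.
SAMPLE_RESPONSE = {
    "username": "apm-server-key", "has_all_requested": False, "cluster": {},
    "index": {p: {"write": True, "create_index": True, "auto_configure": False}
              for p in APM_SERVER_INDICES},
    "application": {},
}

if __name__ == "__main__":
    print(json.dumps(api_key_request(), indent=2))
    print("missing:", missing_privileges(SAMPLE_RESPONSE))
```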

Files that need to be updated:

  • docs/access-api-keys.asciidoc
  • docs/feature-roles.asciidoc

carsonip avatar Oct 19 '23 09:10 carsonip