Cherry-pick #17672 to 7.x: Update Security docs to handle new roles / spaces / app perms #17832

Merged
merged 1 commit into from
Apr 21, 2020
1 change: 1 addition & 0 deletions filebeat/docs/index.asciidoc
Expand Up @@ -14,6 +14,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
:github_repo_name: beats
:discuss_forum: beats/{beatname_lc}
:beat_default_index_prefix: {beatname_lc}
:beat_kib_app: {kib} Logs
:has_ml_jobs: yes
:has_central_config:
:has_solutions:
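Review bot: the new `:beat_kib_app: {kib} Logs` attribute is consumed by the `ifdef::beat_kib_app[]` block added to libbeat/docs/security/users.asciidoc in this same PR, which renders a row granting `Read` or `All` on {beat_kib_app}; only Filebeat, Heartbeat, Journalbeat and Metricbeat define the attribute here, so for every other Beat that row silently disappears. That is presumably intended, but it is worth stating in the PR description so nobody later wonders why the reader-role table differs between Beats. Also check that the rendered value ("Kibana Logs") matches the feature name a user will see in the Kibana role editor, since that is where they will look for it.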
1 change: 1 addition & 0 deletions heartbeat/docs/index.asciidoc
Expand Up @@ -14,6 +14,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
:github_repo_name: beats
:discuss_forum: beats/{beatname_lc}
:beat_default_index_prefix: {beatname_lc}
:beat_kib_app: {kib} Uptime
:deb_os:
:rpm_os:
:mac_os:
1 change: 1 addition & 0 deletions journalbeat/docs/index.asciidoc
Expand Up @@ -14,6 +14,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
:github_repo_name: beats
:discuss_forum: beats/{beatname_lc}
:beat_default_index_prefix: {beatname_lc}
:beat_kib_app: {kib} Logs
:deb_os:
:rpm_os:
:linux_os:
43 changes: 26 additions & 17 deletions libbeat/docs/security/users.asciidoc
Expand Up @@ -29,11 +29,11 @@ strategy.

IMPORTANT: Setting up {beatname_uc} is an admin-level task that requires extra
privileges. As a best practice, grant the setup role to administrators only, and
use a less restrictive role for event publishing.
use a more restrictive role for event publishing.

Administrators who set up {beatname_uc} typically need to load mappings,
dashboards, and other objects used to index data into {es} and visualize it in
{kib}.
{kib}.

To grant users the required privileges:

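Review bot: the "less restrictive" to "more restrictive" change at the end of the IMPORTANT block fixes an inverted statement; the sentence now agrees with the one before it (setup role for administrators only, a narrower role for event publishing), which is the least-privilege guidance this section is built on. The `{kib}.` line in the following paragraph shows no visible change, so it is presumably a trailing-whitespace cleanup; harmless, but it pads the diff.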
Expand Down Expand Up @@ -63,7 +63,7 @@ endif::has_ml_jobs[]
|Index
|`manage` on +{beat_default_index_prefix}-*+ indices
|Set up aliases used by ILM

ifdef::has_ml_jobs[]
|Index
|`read` on +{beat_default_index_prefix}-*+ indices
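Review bot: the blank line between the ILM `manage` row and the new `ifdef::has_ml_jobs[]` was dropped; AsciiDoc tables still render without a blank line between rows, but the rest of this table separates rows with one, so keeping it would match the surrounding style. More importantly, confirm that a matching `endif::has_ml_jobs[]` sits directly after the `read` row below (the hunk context only shows the earlier `endif::has_ml_jobs[]` at line 63); otherwise every row after this point becomes conditional on ML jobs being available.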
Expand All @@ -78,13 +78,13 @@ NOTE: These instructions assume that you are using the default name for
match your index naming pattern.

. Assign the *setup role*, along with the following built-in roles, to users who
need to set up {beatname_uc}:
need to set up {beatname_uc}:
+
[options="header"]
|====
|Role | Purpose

|`kibana_user`
|`kibana_admin`
|Load dependencies, such as example dashboards, if available, into {kib}

|`ingest_admin`
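Review bot: swapping the built-in role from `kibana_user` to `kibana_admin` in the setup table fits the PR's goal, and because the IMPORTANT block above restricts the setup role to administrators, handing `kibana_admin` to that same audience stays consistent with least privilege for everyone else. The purpose column still reads only "Load dependencies, such as example dashboards, if available, into {kib}"; consider adding a clause that spells out the scope `kibana_admin` carries, so a reader does not reuse it for the reader role further down where per-feature privileges are now the intended mechanism.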
Expand All @@ -109,9 +109,9 @@ Omit any roles that aren't relevant in your environment.
{security} provides built-in users and roles for monitoring. The privileges and
roles needed depend on the method used to collect monitoring data.

[IMPORTANT]
[IMPORTANT]
.Important note for {ecloud} users
====
====
Built-in users are not available when running our
https://www.elastic.co/cloud/elasticsearch-service[hosted {ess}]
on {ecloud}. To send monitoring data securely, create a monitoring user and
Expand Down Expand Up @@ -152,7 +152,7 @@ If you don't use the +{beat_monitoring_user}+ user:
|====

. Assign the *monitoring role*, along with the following built-in roles, to
users who need to monitor {beatname_uc}:
users who need to monitor {beatname_uc}:
+
[options="header"]
|====
Expand Down Expand Up @@ -184,7 +184,7 @@ If you don't use the `remote_monitoring_user` user:
. Create a user on the production cluster who will collect and send monitoring
information.

. Assign the following roles to the user:
. Assign the following roles to the user:
+
[options="header"]
|====
Expand Down Expand Up @@ -216,7 +216,7 @@ endif::serverless[]
Users who publish events to {es} need to create and write to {beatname_uc}
indices. To minimize the privileges required by the writer role, use the
<<privileges-to-setup-beats,setup role>> to pre-load dependencies. This section
assumes that you've pre-loaded dependencies.
assumes that you've pre-loaded dependencies.

ifndef::no_ilm[]
When using ILM, turn off the ILM setup check in the {beatname_uc} config file before
Expand All @@ -243,7 +243,7 @@ NOTE: The `monitor` cluster privilege and the `create_doc` privilege on
ifndef::apm-server[]
|Cluster
|`monitor`
|Retrieve cluster details (e.g. version)
|Retrieve cluster details (e.g. version)
endif::apm-server[]

ifndef::no_ilm[]
Expand Down Expand Up @@ -283,7 +283,7 @@ endif::apm-server[]
. Assign the *writer role* to users who will index events into {es}.

[[kibana-user-privileges]]
==== Grant privileges and roles needed to read {beatname_uc} data
==== Grant privileges and roles needed to read {beatname_uc} data from {kib}

{kib} users typically need to view dashboards and visualizations that contain
{beatname_uc} data. These users might also need to create and edit dashboards
Expand All @@ -306,6 +306,16 @@ the following privilege:
|Index
|`read` on +{beat_default_index_prefix}-*+ indices
|Read data indexed by {beatname_uc}

| Spaces
| `Read` or `All` on Dashboards, Visualize, and Discover
| Allow the user to view, edit, and create dashboards, as well as browse data.

ifdef::beat_kib_app[]
| Spaces
| `Read` or `All` on {beat_kib_app}
| Allow the use of {beat_kib_app}
endif::[]
|====

. Assign the *reader role*, along with the following built-in roles, to
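Review bot: the purpose text on the new Dashboards/Visualize/Discover row ("view, edit, and create dashboards, as well as browse data") describes `All`; `Read` only permits viewing. Since the row offers `Read` or `All`, split the description, e.g. "`Read` to view dashboards and browse data; `All` to also create and edit them", and point users who only need to view data at `Read`, which is the least-privilege option this section argues for elsewhere. Two style points: the new cells are written `| Spaces` and `| \`Read\`` with a space after the pipe, while the existing rows use `|Index` and `|\`read\``; and the first column names the privilege type, so since these are Kibana feature privileges granted per space, a label such as "{kib}" may read more precisely than "Spaces".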
Expand All @@ -315,17 +325,16 @@ users who need to read {beatname_uc} data:
|====
|Role | Purpose

|`kibana_user` or `kibana_dashboard_only_user`
|Use {kib}. `kibana_dashboard_only_user` grants read-only access to dashboards.
| `monitoring_user`
| Allow users to monitor the health of {beatname_uc} itself. Only assign this role to users who manage {beatname_uc}.

ifdef::has_central_config[]
|`beats_admin`
|Create and manage configurations in Beats central management. Only assign this
role to users who need to use Beats central management.
+
endif::[]
|====
+
Omit any roles that aren't relevant in your environment.
endif::apm-server[]

ifdef::apm-server[]
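Review bot: dropping the `kibana_user` / `kibana_dashboard_only_user` row is consistent with the move to per-feature Kibana privileges in the reader role, and removing the stray `+` list-continuation marker that sat inside the table just before `endif::[]` fixes markup that never belonged in a table cell. On the new `monitoring_user` row: the restriction "Only assign this role to users who manage {beatname_uc}" is the right guidance, but the row now lives in a table introduced by "Assign the *reader role*, along with the following built-in roles, to users who need to read {beatname_uc} data", which invites assigning it to every reader; consider leading the purpose cell with "Optional:" or moving the row out of this table. Minor: `| \`monitoring_user\`` uses a space after the pipe, unlike the `|\`beats_admin\`` row below it.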
Expand All @@ -340,7 +349,7 @@ data:
|Use the APM UI

|`admin`
|Read and update APM Agent configuration via Kibana
|Read and update APM Agent configuration via {kib}
|====
endif::apm-server[]

1 change: 1 addition & 0 deletions metricbeat/docs/index.asciidoc
Expand Up @@ -16,6 +16,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
:github_repo_name: beats
:discuss_forum: beats/{beatname_lc}
:beat_default_index_prefix: {beatname_lc}
:beat_kib_app: {kib} Metrics
:has_central_config:
:has_solutions:
:has_docker_label_ex: