Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fleet] Add support for dynamic_namespace and dynamic_dataset #154732

Merged
merged 10 commits into from
Apr 18, 2023
Merged

[Fleet] Add support for dynamic_namespace and dynamic_dataset #154732

merged 10 commits into from
Apr 18, 2023

Conversation

joshdover
Copy link
Contributor

@joshdover joshdover commented Apr 11, 2023
edited
Loading

Summary

Closes #134971

This adds support for data_streams in packages to specify elasticsearch.dynamic_dataset and elasticsearch.dynamic_namespace in order to get wildcard privileges on the API key that is granted by Fleet Server to the agent running this integration. This is necessary for integrations that want to support centralized document routing via ingest pipelines.

I opted to keep this simple and not de-dupe the overlap between the wildcard privileges granted in one data stream with the other privileges for other data streams. Elasticsearch will already handle this correctly when defining the API key role definition (I verified manually).

A new integration test has been added with a test package that defines these options. This is necessary because there are many moving parts to the code that needed to change to support this.

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@apmmachine
Copy link
Contributor

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

  • /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@joshdover joshdover added Team:Fleet Team label for Observability Data Collection Fleet team enhancement New value added to drive a business result release_note:enhancement labels Apr 14, 2023
@joshdover joshdover marked this pull request as ready for review April 14, 2023 17:46
@joshdover joshdover requested a review from a team as a code owner April 14, 2023 17:46
@elasticmachine
Copy link
Contributor

Pinging @elastic/fleet (Team:Fleet)

@joshdover joshdover mentioned this pull request Apr 14, 2023
Closed
@ruflin
Copy link
Member

ruflin commented Apr 17, 2023

Is the following assumption correct:

  • Set elasticsearch.dynamic_dataset: true for a logs and a metrics dataset
  • Set elasticsearch.dynamic_namespace: true for a logs and a metrics dataset
  • The resulting permissions are logs-*-*,metrics-*-* basically all logs and metrics (I know, more fine grained permissions will coexist which is fine)

@joshdover
Copy link
Contributor Author

@ruflin Yes, that should be right. I can update the integration test to include a metrics data stream as well if you'd like.

kpollich
kpollich approved these changes Apr 17, 2023
View reviewed changes
Copy link
Member

@kpollich kpollich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM, but let's resolve the open conversation around moving this option to a higher level in the package manifest if needed.

...k/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.test.ts Show resolved Hide resolved
x-pack/plugins/fleet/server/services/epm/archive/parse.ts Show resolved Hide resolved
x-pack/plugins/fleet/server/services/package_policy.ts Show resolved Hide resolved
x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts Show resolved Hide resolved
@joshdover joshdover changed the title Add support for dynamic_namespace and dynamic_dataset [Fleet] Add support for dynamic_namespace and dynamic_dataset Apr 18, 2023
@joshdover joshdover added the backport:skip This commit does not require backporting label Apr 18, 2023
@joshdover joshdover enabled auto-merge (squash) April 18, 2023 11:33
@joshdover joshdover merged commit 9f126a9 into elastic:main Apr 18, 2023
@kibana-ci
Copy link
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #28 / logstash pipelines delete "before all" hook: load pipelines archive for "should delete the specified pipelines"

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
fleet 994 996 +2
Unknown metric groups

API count

id before after diff
fleet 1099 1101 +2

ESLint disabled line counts

id before after diff
securitySolution 432 435 +3

Total ESLint disabled count

id before after diff
securitySolution 512 515 +3

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@kpollich kpollich mentioned this pull request Apr 21, 2023
Closed
@axw axw mentioned this pull request May 23, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsoriano jsoriano jsoriano left review comments

@kpollich kpollich kpollich approved these changes

Assignees
No one assigned
Labels
backport:skip This commit does not require backporting enhancement New value added to drive a business result release_note:enhancement Team:Fleet Team label for Observability Data Collection Fleet team v8.8.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Fleet] Dynamic data stream namespaces
8 participants
@joshdover @apmmachine @elasticmachine @ruflin @kibana-ci @jsoriano @kpollich @kibanamachine