Add permissions for apm_user for datastreams (#72739)

simitt · henningandersen · commit 1893ab188049 · 2021-05-05T13:42:59.000+02:00
Based on recent conversations around data streams for APM, there is no final decision yet that apm data streams will be created per instrumented Service. If datastreams are not created per service, the current pattern for the apm_user permissions need to be adapted to not only support <type>-apm.* but also <type>-apm-*. fixes #72737
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -209,10 +209,16 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                             // APM Server under fleet (data streams)
                             RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm.*")
                             .privileges("read", "view_index_metadata").build(),
+                            RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm-*")
+                            .privileges("read", "view_index_metadata").build(),
                             RoleDescriptor.IndicesPrivileges.builder().indices("metrics-apm.*")
                             .privileges("read", "view_index_metadata").build(),
+                            RoleDescriptor.IndicesPrivileges.builder().indices("metrics-apm-*")
+                            .privileges("read", "view_index_metadata").build(),
                             RoleDescriptor.IndicesPrivileges.builder().indices("traces-apm.*")
                             .privileges("read", "view_index_metadata").build(),
+                            RoleDescriptor.IndicesPrivileges.builder().indices("traces-apm-*")
+                            .privileges("read", "view_index_metadata").build(),
 
                             // Machine Learning indices. Only needed for legacy reasons
                             // Can be removed in 8.0
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1268,12 +1268,18 @@ public void testAPMUserRole() {
         assertNoAccessAllowed(role, "foo");
         assertNoAccessAllowed(role, "foo-apm");
         assertNoAccessAllowed(role, "foo-logs-apm.bar");
+        assertNoAccessAllowed(role, "foo-logs-apm-bar");
         assertNoAccessAllowed(role, "foo-traces-apm.bar");
+        assertNoAccessAllowed(role, "foo-traces-apm-bar");
         assertNoAccessAllowed(role, "foo-metrics-apm.bar");
+        assertNoAccessAllowed(role, "foo-metrics-apm-bar");
 
         assertOnlyReadAllowed(role, "logs-apm." + randomIntBetween(0, 5));
+        assertOnlyReadAllowed(role, "logs-apm-" + randomIntBetween(0, 5));
         assertOnlyReadAllowed(role, "traces-apm." + randomIntBetween(0, 5));
+        assertOnlyReadAllowed(role, "traces-apm-" + randomIntBetween(0, 5));
         assertOnlyReadAllowed(role, "metrics-apm." + randomIntBetween(0, 5));
+        assertOnlyReadAllowed(role, "metrics-apm-" + randomIntBetween(0, 5));
         assertOnlyReadAllowed(role, "apm-" + randomIntBetween(0, 5));
         assertOnlyReadAllowed(role, AnomalyDetectorsIndexFields.RESULTS_INDEX_PREFIX + AnomalyDetectorsIndexFields.RESULTS_INDEX_DEFAULT);
 
