Skip to content

Extend kibana-system permissions to manage security entities#133968

Merged
kubasobon merged 15 commits intomainfrom
entity-store-history-permissions
Sep 16, 2025
Merged

Extend kibana-system permissions to manage security entities#133968
kubasobon merged 15 commits intomainfrom
entity-store-history-permissions

Conversation

@kubasobon
Copy link
Member

@kubasobon kubasobon commented Sep 2, 2025

As part of the entity store feature we need the Kibana system user to be able to access .entities.* indices and manage .entities.*.history* indices.

What is the entity store?

The entity store is a new security feature which extracts entities (hosts & users) from logs and metrics data.

The documents in the .entities.v1.latest.security* index each represent an entity extracted from event data, properties are added as we see them over time, for example for a host we store ip, mac, and OS information, for a user we store things like email, name, roles. Documents in .entities.v1.history.* indices represent historical snapshots of entities at certain points in time.
@kubasobon kubasobon self-assigned this Sep 2, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Sep 2, 2025

@kubasobon please enable the option "Allow edits and access to secrets by maintainers" on your PR. For more information, see the documentation.
@elasticsearchmachine elasticsearchmachine added v9.2.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Sep 2, 2025
@kubasobon kubasobon added >enhancement Team:Security Meta label for security team v9.2.0 and removed external-contributor Pull request authored by a developer outside the Elasticsearch team v9.2.0 labels Sep 2, 2025
@kubasobon kubasobon marked this pull request as ready for review September 4, 2025 08:15
@kubasobon kubasobon requested a review from a team as a code owner September 4, 2025 08:15
@elasticsearchmachine elasticsearchmachine added needs:triage Requires assignment of a team area label and removed Team:Security Meta label for security team labels Sep 4, 2025
@kubasobon kubasobon added the Team:Cloud Security Meta label for Cloud Security team label Sep 4, 2025
@elasticsearchmachine elasticsearchmachine removed the needs:triage Requires assignment of a team area label label Sep 4, 2025
@kubasobon kubasobon added the :Core/Infra/Core Core issues without another label label Sep 4, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Sep 4, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Sep 4, 2025

Pinging @elastic/es-core-infra (Team:Core/Infra)
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Sep 4, 2025

Hi @kubasobon, I've created a changelog YAML for you.
@kubasobon kubasobon mentioned this pull request Sep 4, 2025
Merged
8 tasks
@kc13greiner kc13greiner self-requested a review September 4, 2025 12:03
@kc13greiner
Copy link
Contributor

kc13greiner commented Sep 4, 2025

Heya @kubasobon !

Thank you for the detailed description 🚀

2 questions:

  • Does the kibana_system user need read/write to all .entities.* or could it be limited to .entities.*security*?
  • Does the kibana_system users need the create/manage for .entities.*history*?

Just looking for clarification for these additional privileges
@kubasobon
Copy link
Member Author

kubasobon commented Sep 5, 2025

Hi @kc13greiner, and thank you for taking a look here.
@kc13greiner
Copy link
Contributor

kc13greiner commented Sep 8, 2025

@kubasobon

We were looking to widen the permissions to .entities.*, but I can't see the harm in setting it to .entities.security. cc: @hop-dev, @romulets WDYT?

This would be better, if possible. Let me know what you and the team decide
@kubasobon
Copy link
Member Author

kubasobon commented Sep 10, 2025

@kc13greiner I went back and checked, unfortunately some of our indices (already in use) include .entities.v1.latest.noop, so .entities.*.security* pattern would not work for us.
@jeramysoucy
Copy link

jeramysoucy commented Sep 11, 2025

@kubasobon Just chiming in as @kc13greiner is on PTO

I went back and checked, unfortunately some of our indices (already in use) include .entities.v1.latest.noop, so .entities..security pattern would not work for us.

Would it be a pain to create patterns for the applicable security index patterns? e.g. .entities.v1.latest*, .entities.*.security*, etc.
Or am I misunderstanding the scope here, and is everything in .entities.* applicable?
@kubasobon
Copy link
Member Author

kubasobon commented Sep 12, 2025

@jeramysoucy Thanks for stepping in! I have widened the scope from .entities.v1.latest.security* to .entities.* as this allows us to cover all the current Entity Store needs:

.entities.*history* is a bit of an outlier and needs extra permissions, since it's entirely managed by Task Manager tasks.
jeramysoucy
jeramysoucy approved these changes Sep 12, 2025
View reviewed changes
Copy link

@jeramysoucy jeramysoucy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kubasobon Thanks for the explanation. We're ok with this, given the needs you've stated above. Thanks for your patience!
@kubasobon kubasobon requested a review from a team as a code owner September 15, 2025 08:21
@kubasobon
Copy link
Member Author

kubasobon commented Sep 15, 2025

@jeramysoucy & @kc13greiner Sorry to bother you again gentlemen, but it seems I missed adding the new index pattern to viewer and editor roles (it is meant to have exact same permissions as latest pattern). Also added kibana-system permissions for reset index, which I mentioned in the list, but forgot to push.
@kubasobon
Copy link
Member Author

kubasobon commented Sep 16, 2025
edited
Loading

Extended dot-index exemption for .entities indices based on #116266
@elasticsearchmachine elasticsearchmachine added the serverless-linked Added by automation, don't add manually label Sep 16, 2025
@kubasobon kubasobon removed the serverless-linked Added by automation, don't add manually label Sep 16, 2025
@kubasobon kubasobon merged commit bdbc642 into main Sep 16, 2025
35 of 36 checks passed
@kubasobon kubasobon deleted the entity-store-history-permissions branch September 16, 2025 15:50
mridula-s109 pushed a commit to mridula-s109/elasticsearch that referenced this pull request Sep 17, 2025
@kubasobon @mridula-s109
Extend kibana-system permissions to manage security entities (elastic…
6db0e84 
…#133968)

* extend kibana-system permissions for .entities.* indices

* trigger CI

* Update docs/changelog/133968.yaml

* update viewer/editor & add reset management

* fix typos

* [CI] Auto commit changes from spotless

* extend validation exemption on .entities indices

* [CI] Update transport version definitions

---------

Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
gmjehovich pushed a commit to gmjehovich/elasticsearch that referenced this pull request Sep 18, 2025
@kubasobon @gmjehovich
Extend kibana-system permissions to manage security entities (elastic…
fc5390a 
…#133968)

* extend kibana-system permissions for .entities.* indices

* trigger CI

* Update docs/changelog/133968.yaml

* update viewer/editor & add reset management

* fix typos

* [CI] Auto commit changes from spotless

* extend validation exemption on .entities indices

* [CI] Update transport version definitions

---------

Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
@shainaraskas shainaraskas mentioned this pull request Oct 10, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

:Core/Infra/Core Core issues without another label >enhancement Team:Cloud Security Meta label for Cloud Security team Team:Core/Infra Meta label for core/infra team v9.2.0

5 participants

@kubasobon @elasticsearchmachine @kc13greiner @jeramysoucy @romulets