[Cloud Security] Fix for Deprecated error message #119796

Merged: 7 commits, Jan 10, 2025

@animehart (Contributor) commented Jan 8, 2025

This PR is to address the Deprecated error message that pops up in Kibana logs.
The error/warning message is the following:

Elasticsearch deprecation: 299 Elasticsearch-98a36b3b3ec96c544f06a986349e42dcad88a232 \"the index privilege [index] allowed the update mapping action [indices:admin/mapping/auto_put] on index [logs-cloud_security_posture.scores-default], this privilege will not permit mapping updates in the next major release - users who require access to update mappings must be granted explicit privileges

The fix involves adding privileges to the affected index.
More details on this are in this ticket, and it will also resolve that ticket.

@animehart requested a review from a team as a code owner on January 8, 2025, 20:24
@elasticsearchmachine added the needs:triage, v9.0.0 and external-contributor labels on Jan 8, 2025
@animehart added the Team:Cloud Security, >bug and backport labels and removed the external-contributor and needs:triage labels on Jan 8, 2025
@animehart added the v8.18.0 label and removed the v9.0.0 label on Jan 8, 2025
@animehart (Contributor Author)

/ci

@animehart added the v9.0.0 label and removed the v8.18.0 label on Jan 8, 2025
@@ -437,7 +438,8 @@ static RoleDescriptor kibanaSystem(String name) {
"index",
"delete",
TransportIndicesAliasesAction.NAME,
TransportUpdateSettingsAction.TYPE.name()
TransportUpdateSettingsAction.TYPE.name(),
TransportAutoPutMappingAction.TYPE.name()
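
Review bot: The added TransportAutoPutMappingAction.TYPE.name() entry on the last line of this list carries no comment explaining why the kibanaSystem role descriptor needs auto-put mapping, and the hunk does not show which index patterns this privilege list applies to. The PR description reports the deprecation only for logs-cloud_security_posture.scores-default, so consider adding a short comment that names the deprecation and, if the list covers other patterns as well, moving the new action into a separate entry scoped to the scores pattern so the extra privilege is not granted more widely than needed.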

@jeramysoucy jeramysoucy Jan 8, 2025

@animehart Just want to clarify my understanding. The auto_put mapping privilege is being added because in v9.0, it will no longer be implicitly included/allowed with just the index privilege. And the auto_put mapping privilege is needed here to be able to update existing index templates when these ("logs-cloud_security_posture.findings_latest-default*", "logs-cloud_security_posture.scores-default*", "logs-cloud_security_posture.vulnerabilities_latest-default*") indices are created. Is that correct?

@animehart (Contributor Author), Jan 9, 2025

Hi, per my understanding based on the discussion here, yes

This solution was first suggested by @maxcold, lemme know if I miss anything

Contributor

Yes, this is correct. However, we only experience the deprecation warning with logs-cloud_security_posture.scores-default*, so it might be a good idea to add auto_put only to this index pattern.

@jeramysoucy jeramysoucy Jan 9, 2025

we only experience the deprecation warning with logs-cloud_security_posture.scores-default*, so it might be a good idea to add auto_put only to this index pattern

++ on this
If we can limit where the additional privilege is granted then we should.
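
The scoping suggestion in the comments above, as an added example that is not part of the PR or of the Elasticsearch code base: it parses deprecation warnings of the form quoted in the PR description and reports which of the three index patterns named in the thread actually triggered one, so the extra privilege can be limited to those. The function names and the sample log are constructed for illustration, and `fnmatchcase` is used as an approximation of Elasticsearch index-pattern matching.

```python
import re
from fnmatch import fnmatchcase

# Matches the body of the deprecation warning quoted in the PR description.
DEPRECATION_RE = re.compile(
    r"the index privilege \[(?P<privilege>[^\]]+)\] allowed the update mapping action "
    r"\[(?P<action>[^\]]+)\] on index \[(?P<index>[^\]]+)\]"
)

# Index patterns named in the review thread.
CANDIDATE_PATTERNS = [
    "logs-cloud_security_posture.findings_latest-default*",
    "logs-cloud_security_posture.scores-default*",
    "logs-cloud_security_posture.vulnerabilities_latest-default*",
]

def parse_deprecations(lines):
    """Return (privilege, action, index) for every matching warning line."""
    hits = []
    for line in lines:
        m = DEPRECATION_RE.search(line)
        if m:
            hits.append((m["privilege"], m["action"], m["index"]))
    return hits

def patterns_needing_grant(lines, patterns=CANDIDATE_PATTERNS):
    """Map each action to the patterns whose indices actually triggered a warning."""
    needed = {}
    for _privilege, action, index in parse_deprecations(lines):
        for pattern in patterns:
            # Approximation: Elasticsearch patterns here only use a trailing '*'.
            if fnmatchcase(index, pattern):
                needed.setdefault(action, set()).add(pattern)
    return needed

# Constructed sample log: the first entry reuses the warning text from the PR
# description, the second is an unrelated line that must be ignored.
SAMPLE_LOG = [
    'Elasticsearch deprecation: 299 Elasticsearch-98a36b3b3ec96c544f06a986349e42dcad88a232 '
    '"the index privilege [index] allowed the update mapping action '
    '[indices:admin/mapping/auto_put] on index [logs-cloud_security_posture.scores-default], '
    'this privilege will not permit mapping updates in the next major release"',
    "[INFO] constructed unrelated line: plugin started",
]

if __name__ == "__main__":
    for action, pats in patterns_needing_grant(SAMPLE_LOG).items():
        print(action, "->", sorted(pats))
```

Patterns that never appear in the result are ones for which no warning was observed in the supplied log, which is the evidence the reviewers ask for before widening a grant.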

@animehart requested a review from jeramysoucy on January 9, 2025, 21:22
@animehart merged commit 2b0c81c into elastic:main on Jan 10, 2025
16 checks passed
Labels: backport, >bug, Team:Cloud Security, v9.0.0