Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[apm] Update APM feature roles docs #4193

Merged
merged 19 commits into from
Oct 7, 2024

Conversation

colleenmcginnis
Copy link
Contributor

@colleenmcginnis colleenmcginnis commented Aug 23, 2024

In #3980 (comment), @endorama suggested that we clarify the docs on APM feature roles. Let me know what you think of this approach. I attempted to clarify how feature roles work and which privileges are required for different use cases by:

  • Reframing the intro to feature roles to emphasize that the what we're recommending is to create several feature-related roles and then assign one or more of these roles to each user (or group) based on which features the user needs to access.
  • Providing an example of when a user might need to be assigned multiple roles from this list of feature roles (this needs work).
  • Emphasizing that the Central configuration management role is required in most cases (unless central configuration management is explicitly disabled by the org/user).
  • Putting all roles on a single page to increase the likelihood that the reader will see the context provided in the intro paragraphs.
  • Adding a step at the end of the instructions for creating each role to remind users that they can assign other APM feature roles to the users as needed.

Here's what hasn't been addressed yet:

  • Verify that the privileges listed in each role are correct and reflect the latest version of APM / Elastic as a whole. (I'm not sure how to go about confirming or testing these.)
  • Are these the right feature roles? Are any missing? Should any be removed?

Here's the PR preview: https://observability-docs_bk_4193.docs-preview.app.elstc.co/guide/en/observability/master/apm-feature-roles.html

@endorama let me know what you think of this approach. If we're on the right track, we can iterate in this PR.

cc @simitt @carsonip

@colleenmcginnis colleenmcginnis added backport-8.14 Automated backport with mergify backport-8.15 Automated backport with mergify labels Aug 23, 2024
@colleenmcginnis colleenmcginnis self-assigned this Aug 23, 2024
Copy link
Contributor

A documentation preview will be available soon.

Request a new doc build by commenting
  • Rebuild this PR: run docs-build
  • Rebuild this PR and all Elastic docs: run docs-build rebuild

run docs-build is much faster than run docs-build rebuild. A rebuild should only be needed in rare situations.

If your PR continues to fail for an unknown reason, the doc build pipeline may be broken. Elastic employees can check the pipeline status here.

@carsonip carsonip self-requested a review August 23, 2024 14:04
Copy link
Member

@carsonip carsonip left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verify that the privileges listed in each role are correct and reflect the latest version of APM / Elastic as a whole. (I'm not sure how to go about confirming or testing these.)
Are these the right feature roles? Are any missing? Should any be removed?

Our team should confirm the required privileges. IIUC points to update:

  1. missing privilege to query cluster uuid
  2. mark api key role as deprecated

docs/en/observability/apm/feature-roles.asciidoc Outdated Show resolved Hide resolved
docs/en/observability/apm/feature-roles.asciidoc Outdated Show resolved Hide resolved
docs/en/observability/apm/feature-roles.asciidoc Outdated Show resolved Hide resolved
docs/en/observability/apm/feature-roles.asciidoc Outdated Show resolved Hide resolved
docs/en/observability/apm/feature-roles.asciidoc Outdated Show resolved Hide resolved
docs/en/observability/apm/feature-roles.asciidoc Outdated Show resolved Hide resolved
docs/en/observability/apm/feature-roles.asciidoc Outdated Show resolved Hide resolved
Copy link
Member

@endorama endorama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some comment but overall is already a great improvement 🤩

docs/en/observability/apm/feature-roles.asciidoc Outdated Show resolved Hide resolved
docs/en/observability/apm/feature-roles.asciidoc Outdated Show resolved Hide resolved
docs/en/observability/apm/feature-roles.asciidoc Outdated Show resolved Hide resolved
@endorama
Copy link
Member

endorama commented Sep 6, 2024

I'll take on me to:

  • Verify that the privileges listed in each role are correct and reflect the latest version of APM / Elastic as a whole. (I'm not sure how to go about confirming or testing these.)
  • Are these the right feature roles? Are any missing? Should any be removed?
  • confirm the required privileges to query cluster uuid.
  • confirm if API key role should be mark as deprecated (and if yes when deprecation happened)

@bmorelli25 bmorelli25 added the backport-8.x Automated backport to the 8.x branch with mergify label Sep 12, 2024
@endorama
Copy link
Member

TL;DR: querying cluster uuid requires monitor permission if Elasticsearch security features are enabled or none if not.

Today I researched how to query cluster UUID. My understanding is that apm-server queries Elasticsearch on the / path to obtain it. From the documentation

f the Elasticsearch security features are enabled, you must have the monitor, manage, or all cluster privilege to use this API.

@endorama
Copy link
Member

Regarding the Api Key role, my understanding is that is only needed for the apikey command in apm-server. This command has never been labelled GA, is deprecated since 8.6.0 and will be removed. For this command to work priviliges manage_own_api_key are required. The users should leverage Kibana and Elasticsearch APIs instead.

@endorama
Copy link
Member

endorama commented Sep 23, 2024

I've completed checking for roles/permissions.

  • 🟩 source map role correctly covers using APM source maps in RUM
  • 🟩 privileges checks are allowed without authentication in APM use case (checking own permissions)
  • 🟨 cluster UUID checks are always performed as part of APM server startup preconditions; this check may require monitor permissions if Elasticsearch Security is enabled
  • 🟨 if Tail Based Sampling is enabled a license check is performed; this check requires monitor permissions
  • 🟩 writer role correctly covers ingesting data from APM Server to Elasticsearch
  • 🟥 central config role should correctly cover using Central Config, but I was not able to test it. The current docs mention setting allow_restricted_indices to true but I was not able to understand how to do that from the Roles UI when creating a role. @colleenmcginnis if you have any clarification/input here I'd like to test this one too.
Details

  • SEARCH .apm-source-map here: covered by source map role
  • HasPrivileges request here: does not require privileges
    • HasPrivileges API
      • All users can use this API, but only to determine their own privileges.
        To check the privileges of other users, you must use the run as feature.
  • GET / here:
    • check is performed as part of every run when checking preconditions here
  • GET _license here
  • Bulk here (in go-docappender):
    • Bulk is performed as part of a docappender
      • BulkIndexerItems are added to the configured appedender here
  • SEARCH .apm-agent-configuration here: covered by central config role but I wasn't able to test it because in the UI there seems to be no way to set allow_restricted_indices=true

@colleenmcginnis
Copy link
Contributor Author

The current docs mention setting allow_restricted_indices to true but I was not able to understand how to do that from the Roles UI when creating a role. @colleenmcginnis if you have any clarification/input here I'd like to test this one too.

It looks like that setting was added about 7 months ago by @carsonip in 4834fce. Maybe Carson can provide context? (The related PR and issue don't provide much information.)

@colleenmcginnis
Copy link
Contributor Author

colleenmcginnis commented Sep 24, 2024

Also @endorama ...

cluster UUID checks are always performed as part of APM server startup preconditions; this check may require monitor permissions if Elasticsearch Security is enabled

... can you confirm if this just for the writer role or if it is necessary for all roles? The phrase APM server startup preconditions makes me think it's necessary to do anything, but I wanted to make sure. Also is monitor a cluster or index privileges? It looks like there are both in https://elastic.co/guide/en/elasticsearch/reference/master/security-privileges.html.

@endorama
Copy link
Member

@colleenmcginnis Sorry for the confusion! monitor refers to the cluster privilege. Being it a cluster privilege it's not necessary on all roles but at least 1 needs to have it if:

  • security is enabled
  • tail based sampling is used

I think adding it to the writer role make sense as the checks are performed as part of the usual APM server startup process.

@carsonip
Copy link
Member

The current docs mention setting allow_restricted_indices to true but I was not able to understand how to do that from the Roles UI when creating a role

Apparently there is no option to set allow_restricted_indices in roles UI. Roles created in this UI will have allow_restricted_indices default to false. e.g.

{
  "agentcfg_1": {
    "cluster": [],
    "indices": [
      {
        "names": [
          ".apm-agent-configuration"
        ],
        "privileges": [
          "read"
        ],
        "field_security": {
          "grant": [
            "*"
          ],
          "except": []
        },
        "allow_restricted_indices": false
      }
    ],
    "applications": [],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}

However, if you create the API key from API Key UI, under "Control security privileges", the example config in the textbox will have allow_restricted_indices configurable. The last time I tested this, agentcfg requires allow_restricted_indices to be true. @endorama would be good if you confirm that again.

@endorama
Copy link
Member

@carsonip I can confirm it's broken with allow_restricted_indices: false. I'll test it with the API key as described.

@endorama
Copy link
Member

@carsonip Tested and it's working! While testing I also went down a rabbit hole for the API Key format that I documented in #4312 so we can address it separately.

endorama
endorama previously approved these changes Oct 4, 2024
Copy link
Member

@endorama endorama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤩 looks great! Thank you!

Copy link
Contributor

@mdbirnstiehl mdbirnstiehl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some little things and some questions about heading hierarchy.

@colleenmcginnis
Copy link
Contributor Author

Some little things and some questions about heading hierarchy.

Thank you! I messed up the headings when I caught up to main today. 🙈

Copy link
Contributor

@mdbirnstiehl mdbirnstiehl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🦭 👍

@colleenmcginnis colleenmcginnis merged commit d6a61fd into elastic:main Oct 7, 2024
3 checks passed
@colleenmcginnis colleenmcginnis deleted the issue-3980 branch October 7, 2024 21:09
mergify bot pushed a commit that referenced this pull request Oct 7, 2024
* initial attempt

* restructure

* fix build

* address initial feedback

* deprecate api key role

* fix typo

* add use cases

* reframe what we mean by users

* fix redirect

* add monitor privilege

* clean up structure

* Update docs/en/observability/apm/feature-roles.asciidoc

Co-authored-by: Edoardo Tenani <[email protected]>

* update docs/en/observability/apm/feature-roles.asciidoc

* Update feature-roles.asciidoc

* update docs/en/observability/apm/feature-roles.asciidoc

* use roles api in central config section

* apply suggestions from code review

Co-authored-by: Mike Birnstiehl <[email protected]>

---------

Co-authored-by: Edoardo Tenani <[email protected]>
Co-authored-by: Mike Birnstiehl <[email protected]>
(cherry picked from commit d6a61fd)

# Conflicts:
#	docs/en/observability/apm/feature-roles.asciidoc
mergify bot pushed a commit that referenced this pull request Oct 7, 2024
* initial attempt

* restructure

* fix build

* address initial feedback

* deprecate api key role

* fix typo

* add use cases

* reframe what we mean by users

* fix redirect

* add monitor privilege

* clean up structure

* Update docs/en/observability/apm/feature-roles.asciidoc

Co-authored-by: Edoardo Tenani <[email protected]>

* update docs/en/observability/apm/feature-roles.asciidoc

* Update feature-roles.asciidoc

* update docs/en/observability/apm/feature-roles.asciidoc

* use roles api in central config section

* apply suggestions from code review

Co-authored-by: Mike Birnstiehl <[email protected]>

---------

Co-authored-by: Edoardo Tenani <[email protected]>
Co-authored-by: Mike Birnstiehl <[email protected]>
(cherry picked from commit d6a61fd)

# Conflicts:
#	docs/en/observability/apm/feature-roles.asciidoc
mergify bot pushed a commit that referenced this pull request Oct 7, 2024
* initial attempt

* restructure

* fix build

* address initial feedback

* deprecate api key role

* fix typo

* add use cases

* reframe what we mean by users

* fix redirect

* add monitor privilege

* clean up structure

* Update docs/en/observability/apm/feature-roles.asciidoc

Co-authored-by: Edoardo Tenani <[email protected]>

* update docs/en/observability/apm/feature-roles.asciidoc

* Update feature-roles.asciidoc

* update docs/en/observability/apm/feature-roles.asciidoc

* use roles api in central config section

* apply suggestions from code review

Co-authored-by: Mike Birnstiehl <[email protected]>

---------

Co-authored-by: Edoardo Tenani <[email protected]>
Co-authored-by: Mike Birnstiehl <[email protected]>
(cherry picked from commit d6a61fd)
colleenmcginnis added a commit that referenced this pull request Oct 7, 2024
* initial attempt

* restructure

* fix build

* address initial feedback

* deprecate api key role

* fix typo

* add use cases

* reframe what we mean by users

* fix redirect

* add monitor privilege

* clean up structure

* Update docs/en/observability/apm/feature-roles.asciidoc

Co-authored-by: Edoardo Tenani <[email protected]>

* update docs/en/observability/apm/feature-roles.asciidoc

* Update feature-roles.asciidoc

* update docs/en/observability/apm/feature-roles.asciidoc

* use roles api in central config section

* apply suggestions from code review

Co-authored-by: Mike Birnstiehl <[email protected]>

---------

Co-authored-by: Edoardo Tenani <[email protected]>
Co-authored-by: Mike Birnstiehl <[email protected]>
(cherry picked from commit d6a61fd)

Co-authored-by: Colleen McGinnis <[email protected]>
colleenmcginnis added a commit that referenced this pull request Oct 7, 2024
* [apm] Update APM feature roles docs (#4193)

* initial attempt

* restructure

* fix build

* address initial feedback

* deprecate api key role

* fix typo

* add use cases

* reframe what we mean by users

* fix redirect

* add monitor privilege

* clean up structure

* Update docs/en/observability/apm/feature-roles.asciidoc

Co-authored-by: Edoardo Tenani <[email protected]>

* update docs/en/observability/apm/feature-roles.asciidoc

* Update feature-roles.asciidoc

* update docs/en/observability/apm/feature-roles.asciidoc

* use roles api in central config section

* apply suggestions from code review

Co-authored-by: Mike Birnstiehl <[email protected]>

---------

Co-authored-by: Edoardo Tenani <[email protected]>
Co-authored-by: Mike Birnstiehl <[email protected]>
(cherry picked from commit d6a61fd)

# Conflicts:
#	docs/en/observability/apm/feature-roles.asciidoc

* fix conflicts

---------

Co-authored-by: Colleen McGinnis <[email protected]>
colleenmcginnis added a commit that referenced this pull request Oct 7, 2024
* [apm] Update APM feature roles docs (#4193)

* initial attempt

* restructure

* fix build

* address initial feedback

* deprecate api key role

* fix typo

* add use cases

* reframe what we mean by users

* fix redirect

* add monitor privilege

* clean up structure

* Update docs/en/observability/apm/feature-roles.asciidoc

Co-authored-by: Edoardo Tenani <[email protected]>

* update docs/en/observability/apm/feature-roles.asciidoc

* Update feature-roles.asciidoc

* update docs/en/observability/apm/feature-roles.asciidoc

* use roles api in central config section

* apply suggestions from code review

Co-authored-by: Mike Birnstiehl <[email protected]>

---------

Co-authored-by: Edoardo Tenani <[email protected]>
Co-authored-by: Mike Birnstiehl <[email protected]>
(cherry picked from commit d6a61fd)

# Conflicts:
#	docs/en/observability/apm/feature-roles.asciidoc

* fix conflicts

---------

Co-authored-by: Colleen McGinnis <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport-8.x Automated backport to the 8.x branch with mergify backport-8.14 Automated backport with mergify backport-8.15 Automated backport with mergify needs-writer-review
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Request]: apm_writer user does not have enough permissions
5 participants