Pipeline management restrictions

Hi,

We have a new request from a user who wants to use Filebeat in our multi-tenant cluster.
The problem is that Filebeat is trying to create Index Templates and Pipelines, which we restricted due to the multi-tenant nature of our cluster.

My question is the following: is it possible to safely give access to the two aforementioned privileges without jeopardizing the other tenants?

Sincerely yours,

Fabien

Only a quick update: just wanted to say that this was not forgotten; we are still looking into it.

@faxmodem You’d like to know if adding create Index Templates and Pipelines permissions to a user that has access to multiple tenants will take effect in all tenants?

No, that’s not what I wanted to know - sorry if I was not being clear enough.
Our user has only access to one “tenant”.
In other words, he has read and write permissions to “foo-*”.
Now he wants to manage pipelines and templates. However, those have no knowledge about “tenants”.
I don’t want users of tenantA to be able to modify tenantB’s templates and pipelines.

Do you mean “foo-*” index pattern in Kibana?

I wasn’t referring to kibana, even though I used the “tenant” concept.

@faxmodem As per the Search Guard documentation, the “tenant” concept relates to Kibana.

In regard to pipelines and templates management: as you’ve stated, these permissions are not tenant aware.
If the user with read/write access to Tenant A gets the mentioned permissions, he will manage pipelines and templates of the assigned index in the cluster.

I know, and you’re right. I should not have used the term tenant; even the quotes didn’t help 🙂

To avoid mentioning tenants, let me rephrase:
I want users to be able to manage pipelines and templates in a restricted manner. For instance, user A should only be able to manage and use pipelines assigned to him or his “team”.

@faxmodem The permission to manage pipelines and templates must be assigned at the cluster and admin levels. Once permission is given to the user, the user will manage all the pipelines and index templates in the cluster. There is no mechanism to restrict the scope of these permissions.

Please take a look at the following built-in action groups.

SGS_CLUSTER_MANAGE_INDEX_TEMPLATES
cluster:admin/component_template/*
indices:admin/index_template/*
indices:admin/template/*

SGS_CLUSTER_MANAGE_PIPELINES action groups.
cluster:admin/ingest/pipeline/*
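
An added example, not part of the thread and not Search Guard's own code: because these permissions cannot be scoped, one practical check is to audit which roles already hold them. The role layout (`cluster_permissions`, `index_permissions`), the role names and the probe action names are assumptions constructed for illustration; only the two action groups quoted above are expanded.

```python
from fnmatch import fnmatchcase

# Action groups and member permissions exactly as quoted in the thread.
ACTION_GROUPS = {
    "SGS_CLUSTER_MANAGE_INDEX_TEMPLATES": [
        "cluster:admin/component_template/*",
        "indices:admin/index_template/*",
        "indices:admin/template/*",
    ],
    "SGS_CLUSTER_MANAGE_PIPELINES": ["cluster:admin/ingest/pipeline/*"],
}

# One representative write action per family, used as a probe (assumed names).
PROBES = {
    "pipelines": "cluster:admin/ingest/pipeline/put",
    "index templates": "indices:admin/index_template/put",
    "legacy templates": "indices:admin/template/put",
    "component templates": "cluster:admin/component_template/put",
}

# Constructed sample roles; in practice load the parsed roles configuration.
ROLES = {
    "team_foo_writer": {
        "cluster_permissions": ["SGS_CLUSTER_COMPOSITE_OPS"],
        "index_permissions": [{"index_patterns": ["foo-*"]}],
    },
    "team_foo_filebeat": {
        "cluster_permissions": ["SGS_CLUSTER_MANAGE_PIPELINES",
                                "SGS_CLUSTER_MANAGE_INDEX_TEMPLATES"],
        "index_permissions": [{"index_patterns": ["foo-*"]}],
    },
    # A broad wildcard grants pipeline management without naming the group.
    "team_bar_ops": {"cluster_permissions": ["cluster:admin/*"]},
}

def expand(perms):
    """Replace the action groups known here by their member patterns."""
    return [p for perm in perms for p in ACTION_GROUPS.get(perm, [perm])]

def audit(roles):
    """Map each role to the cluster-wide families its permissions cover."""
    findings = {}
    for name, role in roles.items():
        patterns = expand(role.get("cluster_permissions", []))
        hit = sorted(family for family, action in PROBES.items()
                     if any(fnmatchcase(action, pat) for pat in patterns))
        if hit:
            findings[name] = hit
    return findings
```

A role such as `team_foo_filebeat` is limited to `foo-*` for index access, yet the audit reports it for all four families, which is the all-or-nothing effect described in the post above.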

Hi, thanks for confirming this.
I really think this is a big issue, as template and pipeline management cannot be shared among “tenants” in a cluster; as you said, it is not possible to restrict it. It’s either all or nothing 🙁

We will put some research into whether there might be a way to handle this in a more granular way.

See Research: Index multi tenancy (#147) · Issues · search-guard / Search Guard Suite Enterprise · GitLab

Feel free to add your thoughts there if you want.
