-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve support for transforms #370
Comments
Thanks for a good summary of improvements. Re space-specific transforms .. Future changes to the transforms privileges model have a strong dependency on a better understanding of the plans for a unified platform security model. Within the current limitations of the kibana and elasticsearch split privileges model - transforms supports Spaces as follows. The transform destination index is a normal elasticsearch index. When using Kibana Spaces, create a Kibana Data View on the destination index for the required Space. Spaces are supported. The long running transform persistent task is not space aware (in the same way that an elasticsearch index or an ILM policy is not space aware). This is by design. Ideally this item should be de-scoped (or shown as long term) from Fleet integrations work as this has caused confusion in the past. |
@sophiec20 Thanks for clarifying. I agree, I don't think space-specific transforms is a high priority for us, though installing package assets with the appropriate privileges I'm told has been/could be a blocker. @joshdover wrote some detailed suggestions re: API keys here, but I definitely don't know enough about the trade-offs re: auto-upgrade or how important that should be. #293 (comment) |
@szeitlin Your comment mostly refers to |
@sophiec20 Correct, but it doesn't seem to be a ticket or linked to something that's obviously roadmapped to be working on in 8.4 or 8.5? Is there a plan for how to address that issue? It looked like it was still under discussion, and from what I've read so far, it seems potentially complex to decide how we want the privilege model to work, nevermind how to implement it. |
I've opened a new issue for this: elastic/kibana#137278 |
As of 8.5, Fleet now supports installing transforms based on the new spec, thanks to @qn895's work in elastic/kibana#134321. Next steps as I understand it:
|
Another item for 8.6+ is to support installing transforms in order of dependency elastic/kibana#142891. Originally in the spec, we have it such that we can and should determine the order automatically. However, one thought is perhaps the author of the package should be able to specify the order of which transforms should be installed? |
We merged basic transforms support in #307, but there are several outstanding and related problems that remain to be solved.
Short-term - hard blockers for next security packages
kibana_system
index privileges kibana#137278kibana_system
is currently used to install all transforms. This is necessary in the Endpoint case where the package must be upgraded along with Kibana. CSP may need this too.kibana_system
to be granted read/write privileges to transform src/dest indicesMedium-term - likely not hard blockers for next security packages
Long-term
The text was updated successfully, but these errors were encountered: