From 141b38a08345bcabf9728b2c36d3b52d041186ac Mon Sep 17 00:00:00 2001
From: Antoine Cotten
Date: Fri, 18 Nov 2022 21:25:10 +0100
Subject: [PATCH] feat(ext/metricbeat): Further drop perms for monitoring

The built-in 'remote_monitoring_user' has full permissions on monitoring indices, which is more than Metricbeat needs to collect metrics from remote components.
---
 .env | 8 ++++----
 .github/workflows/ci.yml | 2 +-
 docker-compose.yml | 6 +++---
 extensions/filebeat/README.md | 6 ++++++
 extensions/heartbeat/README.md | 6 ++++++
 extensions/metricbeat/README.md | 6 ++++++
 extensions/metricbeat/config/metricbeat.yml | 8 ++++----
 extensions/metricbeat/metricbeat-compose.yml | 2 +-
 setup/entrypoint.sh | 3 ++-
 9 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/.env b/.env
index 1bddff4..d609c41 100644
--- a/.env
+++ b/.env
@@ -27,8 +27,8 @@ KIBANA_SYSTEM_PASSWORD='changeme'
 # https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
 BEATS_SYSTEM_PASSWORD=''
 
-# User 'remote_monitoring_user' (built-in)
+# User 'monitoring_internal' (custom)
 #
-# The user Metricbeat uses when collecting and storing monitoring information in Elasticsearch.
-# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
-REMOTE_MONITORING_USER_PASSWORD=''
+# The user Metricbeat uses to collect monitoring data from stack components.
+# https://www.elastic.co/guide/en/elasticsearch/reference/current/how-monitoring-works.html
+MONITORING_INTERNAL_PASSWORD=''
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 93ca073..ea00c51 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
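Review bot: The new comment block on the `.env` side says what `monitoring_internal` is used for but not where it comes from; the neighbouring entries describe built-in users, and nothing here tells a reader that this account only exists once the setup container has created it with a dedicated role, so an operator who edits `.env` by hand after the initial startup will not know why the password has no effect. I'd add, under the `(custom)` heading, `# Created by the 'setup' service with the built-in 'remote_monitoring_collector' role (see setup/entrypoint.sh).`. The empty default is consistent with the other optional users in this section.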
@@ -49,7 +49,7 @@ jobs:
           -e 's/\(LOGSTASH_INTERNAL_PASSWORD=\)'\''changeme'\''/\1testpasswd/g' \
           -e 's/\(KIBANA_SYSTEM_PASSWORD=\)'\''changeme'\''/\1testpasswd/g' \
           -e 's/\(BEATS_SYSTEM_PASSWORD=\)'\'\''/\1testpasswd/g' \
-          -e 's/\(REMOTE_MONITORING_USER_PASSWORD=\)'\'\''/\1testpasswd/g' .env
+          -e 's/\(MONITORING_INTERNAL_PASSWORD=\)'\'\''/\1testpasswd/g' .env
 
           ##########################################################
           #                                                        #
diff --git a/docker-compose.yml b/docker-compose.yml
index ef55126..e25f00f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,8 +2,8 @@ version: '3.7'
 
 services:
 
-  # The 'setup' service runs a one-off script which initializes the
-  # 'logstash_internal' and 'kibana_system' users inside Elasticsearch with the
+  # The 'setup' service runs a one-off script which initializes users inside
+  # Elasticsearch — such as 'logstash_internal' and 'kibana_system' — with the
   # values of the passwords defined in the '.env' file.
   #
   # This task is only performed during the *initial* startup of the stack. On all
@@ -25,7 +25,7 @@ services:
       LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
       KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
       BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
-      REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-}
+      MONITORING_INTERNAL_PASSWORD: ${MONITORING_INTERNAL_PASSWORD:-}
     networks:
       - elk
     depends_on:
diff --git a/extensions/filebeat/README.md b/extensions/filebeat/README.md
index 43c5d67..4565215 100644
--- a/extensions/filebeat/README.md
+++ b/extensions/filebeat/README.md
@@ -6,6 +6,10 @@ Elasticsearch or Logstash for indexing.
 
 ## Usage
 
+**This extension requires the `beats_system` user to be created and initialized with a password.** In case you haven't
+done that during the initial startup of the stack, please refer to [How to re-execute the setup][setup] to run the setup
+container again and initialize this user.
+
 To include Filebeat in the stack, run Docker Compose from the root of the repository with an additional command line argument referencing the `filebeat-compose.yml` file:
 
@@ -34,3 +38,5 @@ container: [Run Filebeat on Docker][filebeat-docker].
 [filebeat-config]: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html
 [filebeat-docker]: https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html
 [filebeat-doc]: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
+
+[setup]: ../../README.md#how-to-re-execute-the-setup
diff --git a/extensions/heartbeat/README.md b/extensions/heartbeat/README.md
index da02f92..c20ff15 100644
--- a/extensions/heartbeat/README.md
+++ b/extensions/heartbeat/README.md
@@ -5,6 +5,10 @@ available.
 
 ## Usage
 
+**This extension requires the `beats_system` user to be created and initialized with a password.** In case you haven't
+done that during the initial startup of the stack, please refer to [How to re-execute the setup][setup] to run the setup
+container again and initialize this user.
+
 To include Heartbeat in the stack, run Docker Compose from the root of the repository with an additional command line argument referencing the `heartbeat-compose.yml` file:
 
@@ -33,3 +37,5 @@ Docker container: [Run Heartbeat on Docker][heartbeat-docker].
 [heartbeat-config]: https://www.elastic.co/guide/en/beats/heartbeat/current/heartbeat-reference-yml.html
 [heartbeat-docker]: https://www.elastic.co/guide/en/beats/heartbeat/current/running-on-docker.html
 [heartbeat-doc]: https://www.elastic.co/guide/en/beats/heartbeat/current/index.html
+
+[setup]: ../../README.md#how-to-re-execute-the-setup
diff --git a/extensions/metricbeat/README.md b/extensions/metricbeat/README.md
index 4923e0c..44c6a78 100644
--- a/extensions/metricbeat/README.md
+++ b/extensions/metricbeat/README.md
@@ -6,6 +6,10 @@ and ships them to the output that you specify, such as Elasticsearch or Logstash
 
 ## Usage
 
+**This extension requires the `beats_system` and `monitoring_internal` users to be created and initialized with a
+password.** In case you haven't done that during the initial startup of the stack, please refer to [How to re-execute
+the setup][setup] to run the setup container again and initialize these users.
+
 To include Metricbeat in the stack, run Docker Compose from the root of the repository with an additional command line argument referencing the `metricbeat-compose.yml` file:
 
@@ -41,3 +45,5 @@ Docker container: [Run Metricbeat on Docker][metricbeat-docker].
 [metricbeat-config]: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-reference-yml.html
 [metricbeat-docker]: https://www.elastic.co/guide/en/beats/metricbeat/current/running-on-docker.html
 [metricbeat-doc]: https://www.elastic.co/guide/en/beats/metricbeat/current/index.html
+
+[setup]: ../../README.md#how-to-re-execute-the-setup
diff --git a/extensions/metricbeat/config/metricbeat.yml b/extensions/metricbeat/config/metricbeat.yml
index 927774b..32bff39 100644
--- a/extensions/metricbeat/config/metricbeat.yml
+++ b/extensions/metricbeat/config/metricbeat.yml
@@ -18,8 +18,8 @@ metricbeat.autodiscover:
 metricbeat.modules:
   - module: elasticsearch
     hosts: [ http://elasticsearch:9200 ]
-    username: remote_monitoring_user
-    password: ${REMOTE_MONITORING_USER_PASSWORD}
+    username: monitoring_internal
+    password: ${MONITORING_INTERNAL_PASSWORD}
     xpack.enabled: true
     period: 10s
     enabled: true
@@ -30,8 +30,8 @@ metricbeat.modules:
     enabled: true
   - module: kibana
     hosts: [ http://kibana:5601 ]
-    username: remote_monitoring_user
-    password: ${REMOTE_MONITORING_USER_PASSWORD}
+    username: monitoring_internal
+    password: ${MONITORING_INTERNAL_PASSWORD}
     xpack.enabled: true
     period: 10s
     enabled: true
diff --git a/extensions/metricbeat/metricbeat-compose.yml b/extensions/metricbeat/metricbeat-compose.yml
index 80cb88e..58ab3fb 100644
--- a/extensions/metricbeat/metricbeat-compose.yml
+++ b/extensions/metricbeat/metricbeat-compose.yml
@@ -40,7 +40,7 @@ services:
     environment:
       ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
       BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
-      REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-}
+      MONITORING_INTERNAL_PASSWORD: ${MONITORING_INTERNAL_PASSWORD:-}
     networks:
       - elk
     depends_on:
diff --git a/setup/entrypoint.sh b/setup/entrypoint.sh
index 68a486f..53b9cca 100755
--- a/setup/entrypoint.sh
+++ b/setup/entrypoint.sh
@@ -12,14 +12,15 @@ source "${BASH_SOURCE[0]%/*}"/helpers.sh
 declare -A users_passwords
 users_passwords=(
 	[logstash_internal]="${LOGSTASH_INTERNAL_PASSWORD:-}"
+	[monitoring_internal]="${MONITORING_INTERNAL_PASSWORD:-}"
 	[kibana_system]="${KIBANA_SYSTEM_PASSWORD:-}"
 	[beats_system]="${BEATS_SYSTEM_PASSWORD=:-}"
-	[remote_monitoring_user]="${REMOTE_MONITORING_USER_PASSWORD:-}"
 )
 
 declare -A users_roles
 users_roles=(
 	[logstash_internal]='logstash_writer'
+	[monitoring_internal]='remote_monitoring_collector'
 )
 
 # --------------------------------------------------------
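Review bot: Dropping `remote_monitoring_user` from `users_passwords` stops the script from managing that built-in account, but nothing here disables it or resets the password earlier versions of this script set on it; since the `docker-compose.yml` comment in this patch says setup runs only on the initial startup, an existing deployment that upgrades presumably keeps the broader built-in account enabled with its old password, so the privilege reduction the commit message describes only applies to fresh stacks. I'd either add a step that deactivates that user when it was previously initialised, or at least an upgrade note in the README telling operators to do so. The new role line would also read better with a why-comment, e.g. `# Read-only access to monitoring data; narrower than the built-in 'remote_monitoring_user'.` above `[monitoring_internal]='remote_monitoring_collector'`. The adjacent context line `[beats_system]="${BEATS_SYSTEM_PASSWORD=:-}"` uses `=:-` where every other entry uses `:-`, so when the variable is unset it expands to the literal `:-` instead of an empty string — pre-existing, but worth correcting to `[beats_system]="${BEATS_SYSTEM_PASSWORD:-}"` in the same pass. The script continues past the end of the hunk.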