feat(ext/metricbeat): Further drop perms for monitoring

The built-in 'remote_monitoring_user' has full permissions on monitoring
indices, which is more than Metricbeat needs to collect metrics from
remote components.
Antoine Cotten 2022-11-18 21:25:10 +01:00
parent e7587965fd
commit 141b38a083
GPG Key ID: 94637E68D4A79DD0
9 changed files with 33 additions and 14 deletions

.env

@ -27,8 +27,8 @@ KIBANA_SYSTEM_PASSWORD='changeme'
# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html # https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
BEATS_SYSTEM_PASSWORD='' BEATS_SYSTEM_PASSWORD=''
# User 'remote_monitoring_user' (built-in) # User 'monitoring_internal' (custom)
# #
# The user Metricbeat uses when collecting and storing monitoring information in Elasticsearch. # The user Metricbeat uses to collect monitoring data from stack components.
# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html # https://www.elastic.co/guide/en/elasticsearch/reference/current/how-monitoring-works.html
REMOTE_MONITORING_USER_PASSWORD='' MONITORING_INTERNAL_PASSWORD=''


@ -49,7 +49,7 @@ jobs:
-e 's/\(LOGSTASH_INTERNAL_PASSWORD=\)'\''changeme'\''/\1testpasswd/g' \ -e 's/\(LOGSTASH_INTERNAL_PASSWORD=\)'\''changeme'\''/\1testpasswd/g' \
-e 's/\(KIBANA_SYSTEM_PASSWORD=\)'\''changeme'\''/\1testpasswd/g' \ -e 's/\(KIBANA_SYSTEM_PASSWORD=\)'\''changeme'\''/\1testpasswd/g' \
-e 's/\(BEATS_SYSTEM_PASSWORD=\)'\'\''/\1testpasswd/g' \ -e 's/\(BEATS_SYSTEM_PASSWORD=\)'\'\''/\1testpasswd/g' \
-e 's/\(REMOTE_MONITORING_USER_PASSWORD=\)'\'\''/\1testpasswd/g' .env -e 's/\(MONITORING_INTERNAL_PASSWORD=\)'\'\''/\1testpasswd/g' .env
########################################################## ##########################################################
# # # #


@ -2,8 +2,8 @@ version: '3.7'
services: services:
# The 'setup' service runs a one-off script which initializes the # The 'setup' service runs a one-off script which initializes users inside
# 'logstash_internal' and 'kibana_system' users inside Elasticsearch with the # Elasticsearch — such as 'logstash_internal' and 'kibana_system' with the
# values of the passwords defined in the '.env' file. # values of the passwords defined in the '.env' file.
# #
# This task is only performed during the *initial* startup of the stack. On all # This task is only performed during the *initial* startup of the stack. On all
@ -25,7 +25,7 @@ services:
LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-} LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-} KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-} BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-} MONITORING_INTERNAL_PASSWORD: ${MONITORING_INTERNAL_PASSWORD:-}
networks: networks:
- elk - elk
depends_on: depends_on:


@ -6,6 +6,10 @@ Elasticsearch or Logstash for indexing.
## Usage ## Usage
**This extension requires the `beats_system` user to be created and initialized with a password.** In case you haven't
done that during the initial startup of the stack, please refer to [How to re-execute the setup][setup] to run the setup
container again and initialize this user.
To include Filebeat in the stack, run Docker Compose from the root of the repository with an additional command line To include Filebeat in the stack, run Docker Compose from the root of the repository with an additional command line
argument referencing the `filebeat-compose.yml` file: argument referencing the `filebeat-compose.yml` file:
@ -34,3 +38,5 @@ container: [Run Filebeat on Docker][filebeat-docker].
[filebeat-config]: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html [filebeat-config]: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html
[filebeat-docker]: https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html [filebeat-docker]: https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html
[filebeat-doc]: https://www.elastic.co/guide/en/beats/filebeat/current/index.html [filebeat-doc]: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
[setup]: ../../README.md#how-to-re-execute-the-setup


@ -5,6 +5,10 @@ available.
## Usage ## Usage
**This extension requires the `beats_system` user to be created and initialized with a password.** In case you haven't
done that during the initial startup of the stack, please refer to [How to re-execute the setup][setup] to run the setup
container again and initialize this user.
To include Heartbeat in the stack, run Docker Compose from the root of the repository with an additional command line To include Heartbeat in the stack, run Docker Compose from the root of the repository with an additional command line
argument referencing the `heartbeat-compose.yml` file: argument referencing the `heartbeat-compose.yml` file:
@ -33,3 +37,5 @@ Docker container: [Run Heartbeat on Docker][heartbeat-docker].
[heartbeat-config]: https://www.elastic.co/guide/en/beats/heartbeat/current/heartbeat-reference-yml.html [heartbeat-config]: https://www.elastic.co/guide/en/beats/heartbeat/current/heartbeat-reference-yml.html
[heartbeat-docker]: https://www.elastic.co/guide/en/beats/heartbeat/current/running-on-docker.html [heartbeat-docker]: https://www.elastic.co/guide/en/beats/heartbeat/current/running-on-docker.html
[heartbeat-doc]: https://www.elastic.co/guide/en/beats/heartbeat/current/index.html [heartbeat-doc]: https://www.elastic.co/guide/en/beats/heartbeat/current/index.html
[setup]: ../../README.md#how-to-re-execute-the-setup


@ -6,6 +6,10 @@ and ships them to the output that you specify, such as Elasticsearch or Logstash
## Usage ## Usage
**This extension requires the `beats_system` and `monitoring_internal` users to be created and initialized with a
password.** In case you haven't done that during the initial startup of the stack, please refer to [How to re-execute
the setup][setup] to run the setup container again and initialize these users.
To include Metricbeat in the stack, run Docker Compose from the root of the repository with an additional command line To include Metricbeat in the stack, run Docker Compose from the root of the repository with an additional command line
argument referencing the `metricbeat-compose.yml` file: argument referencing the `metricbeat-compose.yml` file:
@ -41,3 +45,5 @@ Docker container: [Run Metricbeat on Docker][metricbeat-docker].
[metricbeat-config]: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-reference-yml.html [metricbeat-config]: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-reference-yml.html
[metricbeat-docker]: https://www.elastic.co/guide/en/beats/metricbeat/current/running-on-docker.html [metricbeat-docker]: https://www.elastic.co/guide/en/beats/metricbeat/current/running-on-docker.html
[metricbeat-doc]: https://www.elastic.co/guide/en/beats/metricbeat/current/index.html [metricbeat-doc]: https://www.elastic.co/guide/en/beats/metricbeat/current/index.html
[setup]: ../../README.md#how-to-re-execute-the-setup


@ -18,8 +18,8 @@ metricbeat.autodiscover:
metricbeat.modules: metricbeat.modules:
- module: elasticsearch - module: elasticsearch
hosts: [ http://elasticsearch:9200 ] hosts: [ http://elasticsearch:9200 ]
username: remote_monitoring_user username: monitoring_internal
password: ${REMOTE_MONITORING_USER_PASSWORD} password: ${MONITORING_INTERNAL_PASSWORD}
xpack.enabled: true xpack.enabled: true
period: 10s period: 10s
enabled: true enabled: true
@ -30,8 +30,8 @@ metricbeat.modules:
enabled: true enabled: true
- module: kibana - module: kibana
hosts: [ http://kibana:5601 ] hosts: [ http://kibana:5601 ]
username: remote_monitoring_user username: monitoring_internal
password: ${REMOTE_MONITORING_USER_PASSWORD} password: ${MONITORING_INTERNAL_PASSWORD}
xpack.enabled: true xpack.enabled: true
period: 10s period: 10s
enabled: true enabled: true


@ -40,7 +40,7 @@ services:
environment: environment:
ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-} ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-} BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-} MONITORING_INTERNAL_PASSWORD: ${MONITORING_INTERNAL_PASSWORD:-}
networks: networks:
- elk - elk
depends_on: depends_on:


@ -12,14 +12,15 @@ source "${BASH_SOURCE[0]%/*}"/helpers.sh
declare -A users_passwords declare -A users_passwords
users_passwords=( users_passwords=(
[logstash_internal]="${LOGSTASH_INTERNAL_PASSWORD:-}" [logstash_internal]="${LOGSTASH_INTERNAL_PASSWORD:-}"
[monitoring_internal]="${MONITORING_INTERNAL_PASSWORD:-}"
[kibana_system]="${KIBANA_SYSTEM_PASSWORD:-}" [kibana_system]="${KIBANA_SYSTEM_PASSWORD:-}"
[beats_system]="${BEATS_SYSTEM_PASSWORD=:-}" [beats_system]="${BEATS_SYSTEM_PASSWORD=:-}"
[remote_monitoring_user]="${REMOTE_MONITORING_USER_PASSWORD:-}"
) )
declare -A users_roles declare -A users_roles
users_roles=( users_roles=(
[logstash_internal]='logstash_writer' [logstash_internal]='logstash_writer'
[monitoring_internal]='remote_monitoring_collector'
) )
# -------------------------------------------------------- # --------------------------------------------------------
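Review bot: The `beats_system` entry that remains on the new side next to the added `monitoring_internal` line still reads `${BEATS_SYSTEM_PASSWORD=:-}`, which is the assign-default operator (`${var=word}`) rather than the `${var:-}` form every other entry uses, so when the variable is unset the script silently assigns and uses the literal string `:-` as that user's password instead of the empty value the rest of the table implies. In practice docker-compose passes `BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}`, so the variable is set-but-empty and the typo is masked, but running the setup script outside compose would presumably initialize `beats_system` with a predictable password. Change it to `[beats_system]="${BEATS_SYSTEM_PASSWORD:-}"` to match the new `[monitoring_internal]="${MONITORING_INTERNAL_PASSWORD:-}"` entry. A one-line comment above `[monitoring_internal]='remote_monitoring_collector'` such as `# built-in role: read-only collection of stack monitoring data (no write access to .monitoring-* indices)` would also record why this replaces `remote_monitoring_user`. The code that consumes `users_passwords` and `users_roles` lies outside the hunk, so whether an empty password skips the user could not be confirmed here.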