feat(ext/metricbeat): Further drop perms for monitoring

The built-in 'remote_monitoring_user' has full permissions on monitoring indices, which is more than Metricbeat needs to collect metrics from remote components.
2022-11-18 21:25:10 +01:00 · 2022-11-18 21:25:10 +01:00 · 141b38a083
parent e7587965fd
commit 141b38a083
9 changed files with 33 additions and 14 deletions
--- a/.env
+++ b/.env
@ -27,8 +27,8 @@ KIBANA_SYSTEM_PASSWORD='changeme'
 # https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
 BEATS_SYSTEM_PASSWORD=''

-# User 'remote_monitoring_user' (built-in)
+# User 'monitoring_internal' (custom)
 #
-# The user Metricbeat uses when collecting and storing monitoring information in Elasticsearch.
-# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
-REMOTE_MONITORING_USER_PASSWORD=''
+# The user Metricbeat uses to collect monitoring data from stack components.
+# https://www.elastic.co/guide/en/elasticsearch/reference/current/how-monitoring-works.html
+MONITORING_INTERNAL_PASSWORD=''
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -49,7 +49,7 @@ jobs:
                 -e 's/\(LOGSTASH_INTERNAL_PASSWORD=\)'\''changeme'\''/\1testpasswd/g' \
                 -e 's/\(KIBANA_SYSTEM_PASSWORD=\)'\''changeme'\''/\1testpasswd/g' \
                 -e 's/\(BEATS_SYSTEM_PASSWORD=\)'\'\''/\1testpasswd/g' \
-                 -e 's/\(REMOTE_MONITORING_USER_PASSWORD=\)'\'\''/\1testpasswd/g' .env
+                 -e 's/\(MONITORING_INTERNAL_PASSWORD=\)'\'\''/\1testpasswd/g' .env

      ##########################################################
      #                                                        #
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -2,8 +2,8 @@ version: '3.7'

 services:

-  # The 'setup' service runs a one-off script which initializes the
-  # 'logstash_internal' and 'kibana_system' users inside Elasticsearch with the
+  # The 'setup' service runs a one-off script which initializes users inside
+  # Elasticsearch — such as 'logstash_internal' and 'kibana_system' — with the
  # values of the passwords defined in the '.env' file.
  #
  # This task is only performed during the *initial* startup of the stack. On all
@ -25,7 +25,7 @@ services:
      LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
      KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
-      REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-}
+      MONITORING_INTERNAL_PASSWORD: ${MONITORING_INTERNAL_PASSWORD:-}
    networks:
      - elk
    depends_on:
--- a/extensions/filebeat/README.md
+++ b/extensions/filebeat/README.md
@ -6,6 +6,10 @@ Elasticsearch or Logstash for indexing.

 ## Usage

+**This extension requires the `beats_system` user to be created and initialized with a password.** In case you haven't
+done that during the initial startup of the stack, please refer to [How to re-execute the setup][setup] to run the setup
+container again and initialize this user.
+
 To include Filebeat in the stack, run Docker Compose from the root of the repository with an additional command line
 argument referencing the `filebeat-compose.yml` file:

@ -34,3 +38,5 @@ container: [Run Filebeat on Docker][filebeat-docker].
 [filebeat-config]: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html
 [filebeat-docker]: https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html
 [filebeat-doc]: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
+
+[setup]: ../../README.md#how-to-re-execute-the-setup
--- a/extensions/heartbeat/README.md
+++ b/extensions/heartbeat/README.md
@ -5,6 +5,10 @@ available.

 ## Usage

+**This extension requires the `beats_system` user to be created and initialized with a password.** In case you haven't
+done that during the initial startup of the stack, please refer to [How to re-execute the setup][setup] to run the setup
+container again and initialize this user.
+
 To include Heartbeat in the stack, run Docker Compose from the root of the repository with an additional command line
 argument referencing the `heartbeat-compose.yml` file:

@ -33,3 +37,5 @@ Docker container: [Run Heartbeat on Docker][heartbeat-docker].
 [heartbeat-config]: https://www.elastic.co/guide/en/beats/heartbeat/current/heartbeat-reference-yml.html
 [heartbeat-docker]: https://www.elastic.co/guide/en/beats/heartbeat/current/running-on-docker.html
 [heartbeat-doc]: https://www.elastic.co/guide/en/beats/heartbeat/current/index.html
+
+[setup]: ../../README.md#how-to-re-execute-the-setup
--- a/extensions/metricbeat/README.md
+++ b/extensions/metricbeat/README.md
@ -6,6 +6,10 @@ and ships them to the output that you specify, such as Elasticsearch or Logstash

 ## Usage

+**This extension requires the `beats_system` and `monitoring_internal` users to be created and initialized with a
+password.** In case you haven't done that during the initial startup of the stack, please refer to [How to re-execute
+the setup][setup] to run the setup container again and initialize these users.
+
 To include Metricbeat in the stack, run Docker Compose from the root of the repository with an additional command line
 argument referencing the `metricbeat-compose.yml` file:

@ -41,3 +45,5 @@ Docker container: [Run Metricbeat on Docker][metricbeat-docker].
 [metricbeat-config]: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-reference-yml.html
 [metricbeat-docker]: https://www.elastic.co/guide/en/beats/metricbeat/current/running-on-docker.html
 [metricbeat-doc]: https://www.elastic.co/guide/en/beats/metricbeat/current/index.html
+
+[setup]: ../../README.md#how-to-re-execute-the-setup
--- a/extensions/metricbeat/config/metricbeat.yml
+++ b/extensions/metricbeat/config/metricbeat.yml
@ -18,8 +18,8 @@ metricbeat.autodiscover:
 metricbeat.modules:
 - module: elasticsearch
  hosts: [ http://elasticsearch:9200 ]
-  username: remote_monitoring_user
-  password: ${REMOTE_MONITORING_USER_PASSWORD}
+  username: monitoring_internal
+  password: ${MONITORING_INTERNAL_PASSWORD}
  xpack.enabled: true
  period: 10s
  enabled: true
@ -30,8 +30,8 @@ metricbeat.modules:
  enabled: true
 - module: kibana
  hosts: [ http://kibana:5601 ]
-  username: remote_monitoring_user
-  password: ${REMOTE_MONITORING_USER_PASSWORD}
+  username: monitoring_internal
+  password: ${MONITORING_INTERNAL_PASSWORD}
  xpack.enabled: true
  period: 10s
  enabled: true
--- a/extensions/metricbeat/metricbeat-compose.yml
+++ b/extensions/metricbeat/metricbeat-compose.yml
@ -40,7 +40,7 @@ services:
    environment:
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
-      REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-}
+      MONITORING_INTERNAL_PASSWORD: ${MONITORING_INTERNAL_PASSWORD:-}
    networks:
      - elk
    depends_on:
--- a/setup/entrypoint.sh
+++ b/setup/entrypoint.sh
@ -12,14 +12,15 @@ source "${BASH_SOURCE[0]%/*}"/helpers.sh
 declare -A users_passwords
 users_passwords=(
 	[logstash_internal]="${LOGSTASH_INTERNAL_PASSWORD:-}"
+	[monitoring_internal]="${MONITORING_INTERNAL_PASSWORD:-}"
 	[kibana_system]="${KIBANA_SYSTEM_PASSWORD:-}"
 	[beats_system]="${BEATS_SYSTEM_PASSWORD=:-}"
-	[remote_monitoring_user]="${REMOTE_MONITORING_USER_PASSWORD:-}"
 )

 declare -A users_roles
 users_roles=(
 	[logstash_internal]='logstash_writer'
+	[monitoring_internal]='remote_monitoring_collector'
 )

 # --------------------------------------------------------