feat(ext/beats): Use unprivileged publish users

2022-11-22 11:22:30 +01:00 · 2022-11-22 11:22:30 +01:00 · 87f5894f65
parent 141b38a083
commit 87f5894f65
16 changed files with 108 additions and 29 deletions
--- a/.env
+++ b/.env
@ -21,14 +21,22 @@ LOGSTASH_INTERNAL_PASSWORD='changeme'
 # https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
 KIBANA_SYSTEM_PASSWORD='changeme'

-# User 'beats_system' (built-in)
+# Users 'metricbeat_internal', 'filebeat_internal' and 'heartbeat_internal' (custom)
 #
-# The user the Beats use when storing monitoring information in Elasticsearch.
-# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
-BEATS_SYSTEM_PASSWORD=''
+# The users Beats use to connect and send data to Elasticsearch.
+# https://www.elastic.co/guide/en/beats/metricbeat/current/feature-roles.html
+METRICBEAT_INTERNAL_PASSWORD=''
+FILEBEAT_INTERNAL_PASSWORD=''
+HEARTBEAT_INTERNAL_PASSWORD=''

 # User 'monitoring_internal' (custom)
 #
 # The user Metricbeat uses to collect monitoring data from stack components.
 # https://www.elastic.co/guide/en/elasticsearch/reference/current/how-monitoring-works.html
 MONITORING_INTERNAL_PASSWORD=''
+
+# User 'beats_system' (built-in)
+#
+# The user the Beats use when storing monitoring information in Elasticsearch.
+# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
+BEATS_SYSTEM_PASSWORD=''
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -48,8 +48,11 @@ jobs:
          sed -i -e 's/\(ELASTIC_PASSWORD=\)'\''changeme'\''/\1testpasswd/g' \
                 -e 's/\(LOGSTASH_INTERNAL_PASSWORD=\)'\''changeme'\''/\1testpasswd/g' \
                 -e 's/\(KIBANA_SYSTEM_PASSWORD=\)'\''changeme'\''/\1testpasswd/g' \
-                 -e 's/\(BEATS_SYSTEM_PASSWORD=\)'\'\''/\1testpasswd/g' \
-                 -e 's/\(MONITORING_INTERNAL_PASSWORD=\)'\'\''/\1testpasswd/g' .env
+                 -e 's/\(METRICBEAT_INTERNAL_PASSWORD=\)'\'\''/\1testpasswd/g' \
+                 -e 's/\(FILEBEAT_INTERNAL_PASSWORD=\)'\'\''/\1testpasswd/g' \
+                 -e 's/\(HEARTBEAT_INTERNAL_PASSWORD=\)'\'\''/\1testpasswd/g' \
+                 -e 's/\(MONITORING_INTERNAL_PASSWORD=\)'\'\''/\1testpasswd/g' \
+                 -e 's/\(BEATS_SYSTEM_PASSWORD=\)'\'\''/\1testpasswd/g' .env

      ##########################################################
      #                                                        #
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -24,8 +24,11 @@ services:
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
      LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
      KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
-      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
+      METRICBEAT_INTERNAL_PASSWORD: ${METRICBEAT_INTERNAL_PASSWORD:-}
+      FILEBEAT_INTERNAL_PASSWORD: ${FILEBEAT_INTERNAL_PASSWORD:-}
+      HEARTBEAT_INTERNAL_PASSWORD: ${HEARTBEAT_INTERNAL_PASSWORD:-}
      MONITORING_INTERNAL_PASSWORD: ${MONITORING_INTERNAL_PASSWORD:-}
+      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
    networks:
      - elk
    depends_on:
--- a/extensions/filebeat/README.md
+++ b/extensions/filebeat/README.md
@ -6,9 +6,9 @@ Elasticsearch or Logstash for indexing.

 ## Usage

-**This extension requires the `beats_system` user to be created and initialized with a password.** In case you haven't
-done that during the initial startup of the stack, please refer to [How to re-execute the setup][setup] to run the setup
-container again and initialize this user.
+**This extension requires the `filebeat_internal` and `beats_system` users to be created and initialized with a
+password.** In case you haven't done that during the initial startup of the stack, please refer to [How to re-execute
+the setup][setup] to run the setup container again and initialize these users.

 To include Filebeat in the stack, run Docker Compose from the root of the repository with an additional command line
 argument referencing the `filebeat-compose.yml` file:
--- a/extensions/filebeat/config/filebeat.yml
+++ b/extensions/filebeat/config/filebeat.yml
@ -27,8 +27,8 @@ monitoring:

 output.elasticsearch:
  hosts: [ http://elasticsearch:9200 ]
-  username: elastic
-  password: ${ELASTIC_PASSWORD}
+  username: filebeat_internal
+  password: ${FILEBEAT_INTERNAL_PASSWORD}

 ## HTTP endpoint for health checking
 ## https://www.elastic.co/guide/en/beats/filebeat/current/http-endpoint.html
--- a/extensions/filebeat/filebeat-compose.yml
+++ b/extensions/filebeat/filebeat-compose.yml
@ -27,7 +27,7 @@ services:
        target: /var/run/docker.sock
        read_only: true
    environment:
-      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
+      FILEBEAT_INTERNAL_PASSWORD: ${FILEBEAT_INTERNAL_PASSWORD:-}
      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
    networks:
      - elk
--- a/extensions/heartbeat/README.md
+++ b/extensions/heartbeat/README.md
@ -5,9 +5,9 @@ available.

 ## Usage

-**This extension requires the `beats_system` user to be created and initialized with a password.** In case you haven't
-done that during the initial startup of the stack, please refer to [How to re-execute the setup][setup] to run the setup
-container again and initialize this user.
+**This extension requires the `heartbeat_internal` and `beats_system` users to be created and initialized with a
+password.** In case you haven't done that during the initial startup of the stack, please refer to [How to re-execute
+the setup][setup] to run the setup container again and initialize these users.

 To include Heartbeat in the stack, run Docker Compose from the root of the repository with an additional command line
 argument referencing the `heartbeat-compose.yml` file:
--- a/extensions/heartbeat/config/heartbeat.yml
+++ b/extensions/heartbeat/config/heartbeat.yml
@ -9,8 +9,8 @@ heartbeat.monitors:
  schedule: '@every 5s'
  urls:
    - http://elasticsearch:9200
-  username: elastic
-  password: ${ELASTIC_PASSWORD}
+  username: heartbeat_internal
+  password: ${HEARTBEAT_INTERNAL_PASSWORD}

 - type: icmp
  schedule: '@every 5s'
@ -28,8 +28,8 @@ monitoring:

 output.elasticsearch:
  hosts: [ http://elasticsearch:9200 ]
-  username: elastic
-  password: ${ELASTIC_PASSWORD}
+  username: heartbeat_internal
+  password: ${HEARTBEAT_INTERNAL_PASSWORD}

 ## HTTP endpoint for health checking
 ## https://www.elastic.co/guide/en/beats/heartbeat/current/http-endpoint.html
--- a/extensions/heartbeat/heartbeat-compose.yml
+++ b/extensions/heartbeat/heartbeat-compose.yml
@ -16,7 +16,7 @@ services:
    volumes:
      - ./extensions/heartbeat/config/heartbeat.yml:/usr/share/heartbeat/heartbeat.yml:ro,Z
    environment:
-      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
+      HEARTBEAT_INTERNAL_PASSWORD: ${HEARTBEAT_INTERNAL_PASSWORD:-}
      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
    networks:
      - elk
--- a/extensions/metricbeat/README.md
+++ b/extensions/metricbeat/README.md
@ -6,9 +6,9 @@ and ships them to the output that you specify, such as Elasticsearch or Logstash

 ## Usage

-**This extension requires the `beats_system` and `monitoring_internal` users to be created and initialized with a
-password.** In case you haven't done that during the initial startup of the stack, please refer to [How to re-execute
-the setup][setup] to run the setup container again and initialize these users.
+**This extension requires the `metricbeat_internal`, `monitoring_internal` and `beats_system` users to be created and
+initialized with a password.** In case you haven't done that during the initial startup of the stack, please refer to
+[How to re-execute the setup][setup] to run the setup container again and initialize these users.

 To include Metricbeat in the stack, run Docker Compose from the root of the repository with an additional command line
 argument referencing the `metricbeat-compose.yml` file:
--- a/extensions/metricbeat/config/metricbeat.yml
+++ b/extensions/metricbeat/config/metricbeat.yml
@ -60,8 +60,8 @@ monitoring:

 output.elasticsearch:
  hosts: [ http://elasticsearch:9200 ]
-  username: elastic
-  password: ${ELASTIC_PASSWORD}
+  username: metricbeat_internal
+  password: ${METRICBEAT_INTERNAL_PASSWORD}

 ## HTTP endpoint for health checking
 ## https://www.elastic.co/guide/en/beats/metricbeat/current/http-endpoint.html
--- a/extensions/metricbeat/metricbeat-compose.yml
+++ b/extensions/metricbeat/metricbeat-compose.yml
@ -38,9 +38,9 @@ services:
        target: /var/run/docker.sock
        read_only: true
    environment:
-      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
-      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
+      METRICBEAT_INTERNAL_PASSWORD: ${METRICBEAT_INTERNAL_PASSWORD:-}
      MONITORING_INTERNAL_PASSWORD: ${MONITORING_INTERNAL_PASSWORD:-}
+      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
    networks:
      - elk
    depends_on:
--- a/setup/entrypoint.sh
+++ b/setup/entrypoint.sh
@ -12,14 +12,20 @@ source "${BASH_SOURCE[0]%/*}"/helpers.sh
 declare -A users_passwords
 users_passwords=(
 	[logstash_internal]="${LOGSTASH_INTERNAL_PASSWORD:-}"
-	[monitoring_internal]="${MONITORING_INTERNAL_PASSWORD:-}"
 	[kibana_system]="${KIBANA_SYSTEM_PASSWORD:-}"
+	[metricbeat_internal]="${METRICBEAT_INTERNAL_PASSWORD:-}"
+	[filebeat_internal]="${FILEBEAT_INTERNAL_PASSWORD:-}"
+	[heartbeat_internal]="${HEARTBEAT_INTERNAL_PASSWORD:-}"
+	[monitoring_internal]="${MONITORING_INTERNAL_PASSWORD:-}"
 	[beats_system]="${BEATS_SYSTEM_PASSWORD=:-}"
 )

 declare -A users_roles
 users_roles=(
 	[logstash_internal]='logstash_writer'
+	[metricbeat_internal]='metricbeat_writer'
+	[filebeat_internal]='filebeat_writer'
+	[heartbeat_internal]='heartbeat_writer'
 	[monitoring_internal]='remote_monitoring_collector'
 )

@ -29,6 +35,9 @@ users_roles=(
 declare -A roles_files
 roles_files=(
 	[logstash_writer]='logstash_writer.json'
+	[metricbeat_writer]='metricbeat_writer.json'
+	[filebeat_writer]='filebeat_writer.json'
+	[heartbeat_writer]='heartbeat_writer.json'
 )

 # --------------------------------------------------------
--- a/setup/roles/filebeat_writer.json
+++ b/setup/roles/filebeat_writer.json
@ -0,0 +1,19 @@
+{
+  "cluster": [
+    "manage_ilm",
+    "manage_index_templates",
+    "monitor",
+    "read_pipeline"
+  ],
+  "indices": [
+    {
+      "names": [
+        "filebeat-*"
+      ],
+      "privileges": [
+        "create_doc",
+        "manage"
+      ]
+    }
+  ]
+}
--- a/setup/roles/heartbeat_writer.json
+++ b/setup/roles/heartbeat_writer.json
@ -0,0 +1,18 @@
+{
+  "cluster": [
+    "manage_ilm",
+    "manage_index_templates",
+    "monitor"
+  ],
+  "indices": [
+    {
+      "names": [
+        "heartbeat-*"
+      ],
+      "privileges": [
+        "create_doc",
+        "manage"
+      ]
+    }
+  ]
+}
--- a/setup/roles/metricbeat_writer.json
+++ b/setup/roles/metricbeat_writer.json
@ -0,0 +1,19 @@
+{
+  "cluster": [
+    "manage_ilm",
+    "manage_index_templates",
+    "monitor"
+  ],
+  "indices": [
+    {
+      "names": [
+        ".monitoring-*-mb",
+        "metricbeat-*"
+      ],
+      "privileges": [
+        "create_doc",
+        "manage"
+      ]
+    }
+  ]
+}