Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[APM] Replace apm_user with stack-wide roles (editor / viewer) #116760

Closed
2 of 3 tasks
sorenlouv opened this issue Oct 29, 2021 · 5 comments · Fixed by #132790
Closed
2 of 3 tasks

[APM] Replace apm_user with stack-wide roles (editor / viewer) #116760

sorenlouv opened this issue Oct 29, 2021 · 5 comments · Fixed by #132790
Labels
apm:test-plan-done Pull request that was successfully tested during the test plan Team:APM All issues that need APM UI Team support v8.0.0 v8.3.0

Comments

@sorenlouv
Copy link
Member

sorenlouv commented Oct 29, 2021
edited
Loading

Currently the APM documentation suggests that apm_user role is used for grant permission to apm ui and apm data.
The stack is slowly moving away from solution specific roles and instead moving towards three stack-wide roles: viewer, editor and superuser.

If possible we should delete the apm_user in 8.0 (it's been marked as deprecated for a while), and ask users to use the stack-wide roles instead.

TODO:
@sorenlouv sorenlouv added [zube]: 8.0 Team:APM All issues that need APM UI Team support v8.0.0 labels Oct 29, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/apm-ui (Team:apm)

@sorenlouv sorenlouv mentioned this issue Nov 8, 2021
Closed
4 tasks
@droberts195 droberts195 mentioned this issue Nov 16, 2021
Open
@bytebilly
Copy link
Contributor

The current deprecation message for the apm_user role says it will be removed in 8.0, but we may want to keep it a bit longer while ensuring that there is a migration path, and avoid breaking changes that are not really necessary.

apm_user currently grants access to Annotations but this is not covered by viewer or editor. This might or might not be an issue for moving to the stack wide roles.

Could you clarify what's missing for viewer? Looking at the role definition, it seems that all indices are covered. I agree we should document this as the easy getting started.

@sorenlouv
Copy link
Member Author

sorenlouv commented Nov 16, 2021
edited
Loading

Could you clarify what's missing for viewer? Looking at the role definition, it seems that all indices are covered. I agree we should document this as the easy getting started.

I've updated the description to now only mention the editor role. The problem with this role is that it doesn't have the ​create_index permission needed for the annotations feature (pull request for fixing that here: elastic/elasticsearch#77429)

@bytebilly
Copy link
Contributor

Uhm, I'm not sure to fully get it. While I understand that viewer and editor cannot create the observability-annotation index, I also see that the apm_user role is unable to do so. Could you confirm that? Which is the role that creates the observability-annotation index?

@sorenlouv sorenlouv mentioned this issue Dec 7, 2021
Closed
@sorenlouv sorenlouv mentioned this issue May 24, 2022
Merged
@zube zube bot added [zube]: Done and removed [zube]: 8.0 labels May 25, 2022
@sorenlouv sorenlouv mentioned this issue May 31, 2022
Closed
@sorenlouv sorenlouv added the apm:test-plan-done Pull request that was successfully tested during the test plan label Jun 13, 2022
@sorenlouv
Copy link
Member Author

sorenlouv commented Jun 13, 2022
edited
Loading

I created #134294 and https://github.com/elastic/observability-test-environments/issues/2333 as a follow-ups. elastic/elasticsearch#87233 is still open but aiming to get it resolved this week.

@sorenlouv sorenlouv mentioned this issue Jun 14, 2022
Merged
@zube zube bot removed the [zube]: Done label Aug 24, 2022
pugnascotia pushed a commit to elastic/elasticsearch that referenced this issue Jul 5, 2023
@sorenlouv
Mark apm_user for removal in "a future version" (#87674)
ed451a7 
Meta issue: elastic/kibana#116760

The `apm_user` role was marked as deprecated in 7.13 and was supposed to be removed in 8.0 but it
didn't happen. Now we are aiming to remove the role in 9.0 and are updating the deprecation message.

All mentions of `apm_user` role have been removed from docs and in-product mentions
in elastic/kibana#132790.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
apm:test-plan-done Pull request that was successfully tested during the test plan Team:APM All issues that need APM UI Team support v8.0.0 v8.3.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[APM] Remove mentions of apm_user elastic/kibana
4 participants
@dannycroft @sorenlouv @elasticmachine @bytebilly