APM Server monitoring using apm_system role fails #2708

Closed
axw opened this issue Sep 13, 2019 · 8 comments

@axw
Member

axw commented Sep 13, 2019

Describe the bug

The Monitoring APM Server section in the docs describes how to configure the server to send monitoring data to Elasticsearch, and recommends using the built-in apm_system user/role.

In 7.2 this fails with an error in the logs like this:

Failed to publish events: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/write/bulk] is unauthorized for user [apm_system]"}],"type":"security_exception","reason":"action [indices:data/write/bulk] is unauthorized for user [apm_system]"},"status":403}

To Reproduce
Steps to reproduce the behavior:

  1. Create a 7.2 stack with security enabled. Set a password for the apm_system user
  2. Configure apm-server.yml according to https://www.elastic.co/guide/en/apm/server/7.2/monitoring.html, using the password from step 1.
  3. Start the APM Server
  4. Check the logs, see there's an error

Expected behavior

Monitoring should work using the apm_system user/role.
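The authorization failure quoted in this report can be picked out of APM Server logs mechanically. The following is an added example, not part of the original issue or of the APM Server code base: it parses publish-failure lines, keeps only 403 `security_exception` responses, and counts them per (user, denied action). The sample lines are constructed, except that the second reuses the error body quoted above; the timestamp prefix on the first line is an assumption.

```python
import json
import re
from collections import Counter

# Constructed sample input. Line 2 carries the error body quoted in the issue;
# the other lines are made up to exercise the non-matching paths.
SAMPLE_LOG = [
    '2019-09-13T10:00:00.000Z INFO [monitoring] starting monitoring reporter',
    'Failed to publish events: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/write/bulk] is unauthorized for user [apm_system]"}],"type":"security_exception","reason":"action [indices:data/write/bulk] is unauthorized for user [apm_system]"},"status":403}',
    'Failed to publish events: 403 Forbidden: {"error":{"root_cause"',  # truncated line
    'Failed to publish events: 503 Service Unavailable: {"error":"unavailable","status":503}',
]

# "Failed to publish events: <status> <text>: <json body>"
PREFIX = re.compile(r"Failed to publish events: (\d{3}) [^:]*: (\{.*)$")
# Elasticsearch security_exception reason, as it appears in the issue.
REASON = re.compile(r"action \[([^\]]+)\] is unauthorized for user \[([^\]]+)\]")


def parse_denial(line):
    """Return (user, action) for a 403 security_exception line, else None."""
    m = PREFIX.search(line)
    if not m or m.group(1) != "403":
        return None
    try:
        body = json.loads(m.group(2))
    except json.JSONDecodeError:
        return None  # truncated or malformed body: do not guess
    err = body.get("error")
    if not isinstance(err, dict) or err.get("type") != "security_exception":
        return None
    r = REASON.search(str(err.get("reason", "")))
    return (r.group(2), r.group(1)) if r else None


def summarize(lines):
    """Count denials per (user, action) so a missing role privilege stands out."""
    return Counter(d for d in map(parse_denial, lines) if d)


if __name__ == "__main__":
    for (user, action), n in summarize(SAMPLE_LOG).items():
        print(f"{n} x user={user} denied action={action}")
```

A repeated denial of the same action for a built-in user such as apm_system points at the role definition rather than at the credentials, which is what the discussion below concludes.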

@axw
Member Author

axw commented Sep 13, 2019

This appears to be a regression in 7.2, relating to changes in the underlying Beats infrastructure.

The apm_system role has the same cluster-level privileges as beats_system, but the latter has some additional index-level privileges. These were added to beats_system in elastic/elasticsearch#40876; apm_system should presumably have been updated at the same time.

@cachedout
Contributor

I have opened elastic/elasticsearch#47302 to start work on this issue.

@simitt
Contributor

simitt commented Nov 28, 2019

@cachedout can you confirm this issue was fixed with elastic/elasticsearch#47302 (comment)?

@cachedout
Contributor

@simitt I am still waiting for reviews on this: elastic/elasticsearch#47668

@cachedout
Contributor

Hi again @simitt and @axw.

I have merged elastic/elasticsearch#47668 into master in Elasticsearch.

Backports have been opened to 7.5 and 7.x. Please let me know if you have any concerns. Thanks!

@simitt
Contributor

simitt commented Dec 9, 2019

LGTM

@axw
Member Author

axw commented Dec 13, 2019

Backports are all done, so closing this out. Thanks @cachedout!

@simitt
Contributor

simitt commented Jan 23, 2020

Tested with apm_system user by enabling xpack security in Elasticsearch and following the steps in the APM Server docs:

monitoring:
  enabled: true
  elasticsearch:
    username: apm_system
    password: somepassword

Kibana Monitoring UI:
[Image: Screenshot 2020-01-23 at 13 41 30]

Using built-in apm_system user works as expected.
