Test and Document required role permissions needed by Gitlab on an Elasticsearch node
Release notes
Advanced Search documentation has been updated to list the minimum security privileges required to integrate with Elasticsearch.
Documentation: https://docs.gitlab.com/ee/integration/advanced_search/elasticsearch.html#elasticsearch-with-role-privileges
Topic to Evaluate
We need to specify what are the minimum permissions needed by Gitlab to integrate with Elasticsearch from the entirety of ES security privileges
We currently don't have any guidelines for customers who are configuring Advanced Search and want to be mindful of security best practices. When providing an Elasticsearch username, we assume it's an administrator and has read/write access but we don't explicitly define what type of user role should be used or what type of cluster and index privileges are required. In my testing it's not required to use the built-in administrator role, but if you are creating an admin-like role to be used for the purposes of supplying it to GitLab for integration it would be useful to know what you should need at minimum.
We should update our documentation to include the required list of security privileges a user must have for proper elasticsearch functionality. We should also consider documenting how to scope your roles to specific indexes for those who are security minded.
Some immediate notes:
-
cluster:monitor
andindex:all
for index patterngitlab-*
-
write
access is requiredto perform all write operations to documents, which includes the permission to index, update, and delete documents as well as performing bulk operations, and allows the dynamic mapping updates as a result of these.
Elasticsearch Documentation:
- https://www.elastic.co/guide/en/elasticsearch/reference/7.17/defining-roles.html
- https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-privileges.html#privileges-list-indices
Slack convo for context:
ZD Ticket:
Tasks to Evaluate
Elasticsearch security privileges.