Skip to content

Add Elasticsearch privileges required for Advanced Search

What does this MR do and why?

Related to #275993 (closed)

Adds documentation describing the minimum privileges required to integrate with Elasticsearch for the Advanced Search feature.

Screenshots or screen recordings

N/A

How to set up and validate locally

I validated this locally by changing a few things in my gdk setup.

  1. setup gdk for Elasticsearch
  2. open the elasticsearch config yml in the gdk folder: <gdk_folder>/elasticsearch/config/elasticsearch.yml
  3. turn security on (set to false by default):
xpack.security.enabled: true
  1. restart elasticsearch service:
gdk restart elasticsearch
  1. verify you can no longer connect to Elasticsearch unauthenticated:
curl localhost:9200

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","ApiKey"]}},"status":401}%
  1. you will need access to the built in elastic user to do the rest of the steps (adding users for Elasticsearch)
  2. set the initial passwords using this script in the main gdk folder: <gdk_folder>/elasticsearch/bin/elasticsearch-setup-passwords auto
  3. note the password for the elastic user, all future calls to Elasticsearch in this steps will need to be made with it:
ELASTIC_URL = http://elastic:WHATEVER-THE-PASSWORD-WAS@localhost:9200`
  1. create a new Elasticsearch user POST ELASTIC_URL/_security/user/gitlab_user
{
  "enabled": true,
  "password": "SOME-PASSWORD",
  "roles": []
}
  1. create role POST ELASTIC_URL/_security/role/gitlab_role
{
  "cluster": ["monitor"],
  "indices": [ 
    {
      "names": ["gitlab-*"],
      "privileges": [
			"create_index",
			"delete_index",
			"view_index_metadata",
			"read",
			"manage",
			"write"
	]
     }
   ]
}
  1. create role mapping POST ELASTIC_URL/_security/role_mapping/gitlab_role_mapping
{
	"enabled": true,
	"roles": ["gitlab_role", "index"],
	"rules": {
		"field": { "username": "gitlab_user" }
	}
}
  1. add role to user PUT ELASTIC_URL/_security/user/gitlab_user
{
	"enabled": true,
	"password": "SOME-PASSWORD",
	"roles": ["gitlab_role"]
}
  1. verify the new user can connect to Elasticsearch:
curl http://gitlab_user:SOME-PASSWORD@localhost:9200

{
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "HI-0fXphRAeKXbhapt1UpA",
  "version" : {
    "number" : "8.5.3",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "4ed5ee9afac63de92ec98f404ccbed7d3ba9584e",
    "build_date" : "2022-12-05T18:22:22.226119656Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
  1. change the url in Advanced Search Admin UI settings to the URL including the username/password of the user you just created
  2. run through all steps in this snippet to test out the features of Advanced Search

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Terri Chu

Merge request reports

Loading