From 11183a91ac14e5d445af26992c37e6145f5a8a38 Mon Sep 17 00:00:00 2001 From: Carson Ip Date: Tue, 3 Oct 2023 16:27:11 +0800 Subject: [PATCH] docs: Document agentcfg privileges (#11742) Document the required privileges for agentcfg ES fetcher to work since 8.7. --- docs/configure/agent-config.asciidoc | 5 +---- docs/feature-roles.asciidoc | 20 +++++++++++++++++--- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/docs/configure/agent-config.asciidoc b/docs/configure/agent-config.asciidoc index 566aaa6a4a8..6261a389827 100644 --- a/docs/configure/agent-config.asciidoc +++ b/docs/configure/agent-config.asciidoc @@ -71,7 +71,4 @@ rejecting fetch request: no valid elasticsearch config This occurs because the user or API key set in either `apm-server.agent.config.elasticsearch` or `output.elasticsearch` (if `apm-server.agent.config.elasticsearch` is not set) does not have adequate permissions to read source maps from {es}. -To fix this error, add the following index-level privileges to the API key: - -* `read` privileges on the `.apm-agent-configuration` index -* `allow_restricted_indices: true` +To fix this error, ensure that {beatname_uc} has all the required privileges. See <> for more details. diff --git a/docs/feature-roles.asciidoc b/docs/feature-roles.asciidoc index 8b60c1abdb0..65a801ce8b2 100644 --- a/docs/feature-roles.asciidoc +++ b/docs/feature-roles.asciidoc 
@@ -319,25 +319,39 @@ PUT _security/role/apm_api_key <1> ++++ [[privileges-agent-central-config-server]] -==== APM Server central configuration management +==== APM Server agent central configuration management APM Server acts as a proxy between your APM agents and the {apm-app}. The {apm-app} communicates any changed settings to APM Server so that your agents only need to poll the Server to determine which central configuration settings have changed. -To grant an APM Server user with the required privileges for managing central configuration, +To grant an APM Server user with the required privileges for managing central configuration in {es} without {kib}, assign the user the following privileges: [options="header"] |==== |Type | Privilege | Purpose +| Index +|`read` on `.apm-agent-configuration` index +|Allow {beatname_uc} to manage central configurations in {es} +|==== + +The above privileges should be sufficient for APM agent central configuration to work properly +as long as {beatname_uc} communicates with {es} successfully. +If it fails, it may fallback to read agent central configuration via {kib} if configured, +which requires the following privileges: + +[options="header"] +|==== +|Type | Privilege | Purpose + | Spaces |`Read` on {beat_kib_app} |Allow {beatname_uc} to manage central configurations via the {beat_kib_app} |==== -TIP: Looking for privileges and roles needed use central configuration from the {apm-app} or {apm-app} API? +TIP: Looking for privileges and roles needed to use central configuration from the {apm-app} or {apm-app} API? See {kibana-ref}/apm-app-central-config-user.html[{apm-app} central configuration user]. ////
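Review bot: In the docs/configure/agent-config.asciidoc hunk, the removed bullet `allow_restricted_indices: true` has no counterpart in the section the new sentence points to, which lists only `read` on the `.apm-agent-configuration` index. A reader who follows the link and builds an API key from that table alone gets a narrower grant than the one this page used to describe. Either carry the setting over to the privileges table or state in the commit why it is no longer needed. The cross-reference in the added line also appears as an empty `<>`, so confirm it targets the `privileges-agent-central-config-server` anchor. Separately, the unchanged context line just above still says the key lacks permissions "to read source maps", which does not match an agent configuration fetch error and could be corrected in the same change.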
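Review bot: In the docs/feature-roles.asciidoc hunk, the Purpose cell of the new Index row says "Allow {beatname_uc} to manage central configurations in {es}", but the privilege granted is only `read`. Wording it as reading or fetching central configuration keeps the table honest about the access level and avoids suggesting that a broader grant is needed. The commit message says the privilege is required since 8.7, yet the added text carries no version, so a sentence stating which versions need the index privilege would help readers on older releases. Minor: "it may fallback to read" should be "it may fall back to reading".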