docs: Document agentcfg privileges (#11742) (#11754)
Document the required privileges for agentcfg ES fetcher to work since 8.7.

(cherry picked from commit 11183a9)

Co-authored-by: Carson Ip <[email protected]>
mergify[bot] and carsonip authored Oct 3, 2023
1 parent 2fcbce1 commit 72dfd41
Showing 2 changed files with 18 additions and 7 deletions.
5 changes: 1 addition & 4 deletions docs/configure/agent-config.asciidoc
@@ -71,7 +71,4 @@ rejecting fetch request: no valid elasticsearch config
This occurs because the user or API key set in either `apm-server.agent.config.elasticsearch` or `output.elasticsearch`
(if `apm-server.agent.config.elasticsearch` is not set) does not have adequate permissions to read source maps from {es}.

To fix this error, add the following index-level privileges to the API key:

* `read` privileges on the `.apm-agent-configuration` index
* `allow_restricted_indices: true`
To fix this error, ensure that {beatname_uc} has all the required privileges. See <<privileges-agent-central-config-server>> for more details.
20 changes: 17 additions & 3 deletions docs/feature-roles.asciidoc
@@ -319,25 +319,39 @@ PUT _security/role/apm_api_key <1>
++++

[[privileges-agent-central-config-server]]
==== APM Server central configuration management
==== APM Server agent central configuration management

APM Server acts as a proxy between your APM agents and the {apm-app}.
The {apm-app} communicates any changed settings to APM Server so that your agents only need to poll the Server
to determine which central configuration settings have changed.

To grant an APM Server user with the required privileges for managing central configuration,
To grant an APM Server user with the required privileges for managing central configuration in {es} without {kib},
assign the user the following privileges:

[options="header"]
|====
|Type | Privilege | Purpose

| Index
|`read` on `.apm-agent-configuration` index
|Allow {beatname_uc} to manage central configurations in {es}
|====

The above privileges should be sufficient for APM agent central configuration to work properly
as long as {beatname_uc} communicates with {es} successfully.
If it fails, it may fallback to read agent central configuration via {kib} if configured,
which requires the following privileges:

[options="header"]
|====
|Type | Privilege | Purpose

| Spaces
|`Read` on {beat_kib_app}
|Allow {beatname_uc} to manage central configurations via the {beat_kib_app}
|====

TIP: Looking for privileges and roles needed use central configuration from the {apm-app} or {apm-app} API?
TIP: Looking for privileges and roles needed to use central configuration from the {apm-app} or {apm-app} API?
See {kibana-ref}/apm-app-central-config-user.html[{apm-app} central configuration user].

////
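Review bot: The Purpose column in both tables says the privilege lets {beatname_uc} "manage central configurations", but the grants shown are `read` on `.apm-agent-configuration` and `Read` on {beat_kib_app}; wording such as "read central configurations from {es}" would describe the read-only grant accurately and avoid implying write access. The commit message says the requirement applies since 8.7, yet the added text gives no version, so consider stating it next to the {es} table. Two wording points in the added lines: "it may fallback to read" should be "it may fall back to reading", and "To grant an APM Server user with the required privileges" reads better as "To grant an APM Server user the required privileges".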