[8.8] docs: Document agentcfg privileges (backport #11742) #11752

Merged
merged 1 commit into from
Oct 3, 2023
5 changes: 1 addition & 4 deletions docs/configure/agent-config.asciidoc
Expand Up @@ -86,7 +86,4 @@ rejecting fetch request: no valid elasticsearch config
This occurs because the user or API key set in either `apm-server.agent.config.elasticsearch` or `output.elasticsearch`
(if `apm-server.agent.config.elasticsearch` is not set) does not have adequate permissions to read source maps from {es}.

To fix this error, add the following index-level privileges to the API key:

* `read` privileges on the `.apm-agent-configuration` index
* `allow_restricted_indices: true`
To fix this error, ensure that {beatname_uc} has all the required privileges. See <<privileges-agent-central-config-server>> for more details.
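Review bot: The replacement sentence at the end of this hunk drops the `allow_restricted_indices: true` requirement that the removed bullet list carried, and the table under <<privileges-agent-central-config-server>> in docs/feature-roles.asciidoc lists only `read` on the `.apm-agent-configuration` index. If that flag is still required on the API key, add it to the linked table so readers who follow the cross-reference do not end up with a key that still triggers this error; if it is no longer required, state that in the commit message. Separately, the unchanged context line above says the key lacks permissions "to read source maps from {es}", which does not match an agent configuration fetch error and is worth correcting while this paragraph is being touched.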
20 changes: 17 additions & 3 deletions docs/feature-roles.asciidoc
Expand Up @@ -319,25 +319,39 @@ PUT _security/role/apm_api_key <1>
++++

[[privileges-agent-central-config-server]]
==== APM Server central configuration management
==== APM Server agent central configuration management

APM Server acts as a proxy between your APM agents and the {apm-app}.
The {apm-app} communicates any changed settings to APM Server so that your agents only need to poll the Server
to determine which central configuration settings have changed.

To grant an APM Server user with the required privileges for managing central configuration,
To grant an APM Server user with the required privileges for managing central configuration in {es} without {kib},
assign the user the following privileges:

[options="header"]
|====
|Type | Privilege | Purpose

| Index
|`read` on `.apm-agent-configuration` index
|Allow {beatname_uc} to manage central configurations in {es}
|====

The above privileges should be sufficient for APM agent central configuration to work properly
as long as {beatname_uc} communicates with {es} successfully.
If it fails, it may fallback to read agent central configuration via {kib} if configured,
which requires the following privileges:

[options="header"]
|====
|Type | Privilege | Purpose

| Spaces
|`Read` on {beat_kib_app}
|Allow {beatname_uc} to manage central configurations via the {beat_kib_app}
|====

TIP: Looking for privileges and roles needed use central configuration from the {apm-app} or {apm-app} API?
TIP: Looking for privileges and roles needed to use central configuration from the {apm-app} or {apm-app} API?
See {kibana-ref}/apm-app-central-config-user.html[{apm-app} central configuration user].

////
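Review bot: The Purpose column in both tables says the privilege allows {beatname_uc} to "manage central configurations", but the privileges listed are `read` on `.apm-agent-configuration` and `Read` on {beat_kib_app}; describe them as reading central configuration so the docs do not suggest that write access comes with this role. In the new paragraph between the tables, "it may fallback to read" should be "it may fall back to reading", and it would help to state that the {kib} privilege is needed only when the {kib} fallback is configured, so operators granting least privilege can skip it otherwise. The intro sentence "To grant an APM Server user with the required privileges" also reads better as "To grant an APM Server user the required privileges".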