[8.x] [Observability Onboarding] Fix EDOT collector permissions (#197248

) (#197299)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Observability Onboarding] Fix EDOT collector permissions
(#197248)](#197248)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Thom
Heymann","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-22T16:03:41Z","message":"[Observability
Onboarding] Fix EDOT collector permissions (#197248)\n\n##
Summary\r\n\r\nFix EDOT collector permissions.\r\n\r\n##
Details\r\n\r\nAdds `traces-*-*` index privilege and removed unnecessary
`apm`\r\napplication privileges:\r\n\r\n```json\r\n{\r\n
\"standalone_agent\": {\r\n \"cluster\": [\r\n \"monitor\"\r\n ],\r\n
\"indices\": [\r\n {\r\n \"names\": [\r\n \"logs-*-*\",\r\n
\"metrics-*-*\",\r\n \"traces-*-*\"\r\n ],\r\n \"privileges\": [\r\n
\"auto_configure\",\r\n \"create_doc\"\r\n ],\r\n
\"allow_restricted_indices\": false\r\n }\r\n ],\r\n \"applications\":
[]\r\n
}\r\n}\r\n```","sha":"e1c4a604e1b66dfd7348cd28a451313c44c996df","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","backport:prev-minor","ci:project-deploy-observability","v8.16.0"],"title":"[Observability
Onboarding] Fix EDOT collector
permissions","number":197248,"url":"https://github.com/elastic/kibana/pull/197248","mergeCommit":{"message":"[Observability
Onboarding] Fix EDOT collector permissions (#197248)\n\n##
Summary\r\n\r\nFix EDOT collector permissions.\r\n\r\n##
Details\r\n\r\nAdds `traces-*-*` index privilege and removed unnecessary
`apm`\r\napplication privileges:\r\n\r\n```json\r\n{\r\n
\"standalone_agent\": {\r\n \"cluster\": [\r\n \"monitor\"\r\n ],\r\n
\"indices\": [\r\n {\r\n \"names\": [\r\n \"logs-*-*\",\r\n
\"metrics-*-*\",\r\n \"traces-*-*\"\r\n ],\r\n \"privileges\": [\r\n
\"auto_configure\",\r\n \"create_doc\"\r\n ],\r\n
\"allow_restricted_indices\": false\r\n }\r\n ],\r\n \"applications\":
[]\r\n
}\r\n}\r\n```","sha":"e1c4a604e1b66dfd7348cd28a451313c44c996df"}},"sourceBranch":"main","suggestedTargetBranches":["8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/197248","number":197248,"mergeCommit":{"message":"[Observability
Onboarding] Fix EDOT collector permissions (#197248)\n\n##
Summary\r\n\r\nFix EDOT collector permissions.\r\n\r\n##
Details\r\n\r\nAdds `traces-*-*` index privilege and removed unnecessary
`apm`\r\napplication privileges:\r\n\r\n```json\r\n{\r\n
\"standalone_agent\": {\r\n \"cluster\": [\r\n \"monitor\"\r\n ],\r\n
\"indices\": [\r\n {\r\n \"names\": [\r\n \"logs-*-*\",\r\n
\"metrics-*-*\",\r\n \"traces-*-*\"\r\n ],\r\n \"privileges\": [\r\n
\"auto_configure\",\r\n \"create_doc\"\r\n ],\r\n
\"allow_restricted_indices\": false\r\n }\r\n ],\r\n \"applications\":
[]\r\n
}\r\n}\r\n```","sha":"e1c4a604e1b66dfd7348cd28a451313c44c996df"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Thom Heymann <[email protected]>

x-pack/plugins/observability_solution/observability_onboarding/server/lib/api_key/create_shipper_api_key.ts

@@ -6,7 +6,11 @@
  */
 
 import { ElasticsearchClient } from '@kbn/core/server';
-import { MONITOR_CLUSTER, INDEX_LOGS_AND_METRICS, WRITE_APM_EVENTS } from './privileges';
+import {
+  MONITOR_CLUSTER,
+  INDEX_LOGS_AND_METRICS,
+  INDEX_LOGS_METRICS_AND_TRACES,
+} from './privileges';
 
 export function createShipperApiKey(esClient: ElasticsearchClient, name: string, withAPM = false) {
   // Based on https://www.elastic.co/guide/en/fleet/master/grant-access-to-elasticsearch.html#create-api-key-standalone-agent
@@ -20,8 +24,7 @@ export function createShipperApiKey(esClient: ElasticsearchClient, name: string,
       role_descriptors: {
         standalone_agent: {
           cluster: [MONITOR_CLUSTER],
-          indices: [INDEX_LOGS_AND_METRICS],
-          applications: withAPM ? [WRITE_APM_EVENTS] : undefined,
+          indices: [withAPM ? INDEX_LOGS_METRICS_AND_TRACES : INDEX_LOGS_AND_METRICS],
         },
       },
     },

x-pack/plugins/observability_solution/observability_onboarding/server/lib/api_key/has_log_monitoring_privileges.ts

@@ -6,14 +6,17 @@
  */
 
 import { ElasticsearchClient } from '@kbn/core/server';
-import { MONITOR_CLUSTER, INDEX_LOGS_AND_METRICS, WRITE_APM_EVENTS } from './privileges';
+import {
+  MONITOR_CLUSTER,
+  INDEX_LOGS_AND_METRICS,
+  INDEX_LOGS_METRICS_AND_TRACES,
+} from './privileges';
 
 export async function hasLogMonitoringPrivileges(esClient: ElasticsearchClient, withAPM = false) {
   const res = await esClient.security.hasPrivileges({
     body: {
       cluster: [MONITOR_CLUSTER, 'manage_own_api_key'],
-      index: [INDEX_LOGS_AND_METRICS],
-      application: withAPM ? [WRITE_APM_EVENTS] : undefined,
+      index: [withAPM ? INDEX_LOGS_METRICS_AND_TRACES : INDEX_LOGS_AND_METRICS],
     },
   });
 

x-pack/plugins/observability_solution/observability_onboarding/server/lib/api_key/privileges.ts

@@ -18,9 +18,8 @@ export const INDEX_LOGS_AND_METRICS: estypes.SecurityIndicesPrivileges = {
   privileges: ['auto_configure', 'create_doc'],
 };
 
-// https://www.elastic.co/guide/en/observability/master/apm-api-key.html#apm-create-api-key-workflow-es
-export const WRITE_APM_EVENTS: estypes.SecurityApplicationPrivileges = {
-  application: 'apm',
-  privileges: ['event:write', 'config_agent:read'],
-  resources: ['*'],
+// https://www.elastic.co/guide/en/fleet/master/grant-access-to-elasticsearch.html#create-api-key-standalone-agent
+export const INDEX_LOGS_METRICS_AND_TRACES: estypes.SecurityIndicesPrivileges = {
+  names: ['logs-*-*', 'metrics-*-*', 'traces-*-*'],
+  privileges: ['auto_configure', 'create_doc'],
 };