Privileges to run Kibana rules manually

I've created a dedicated space for one of our development teams where they can create alert rules of type "Elasticsearch query" themselves. Therefore I also set up a role granting permissions for operating on those rules.
However, it's not possible to manually run the rules from the overview page as shown in the screenshots below.

My first guess was that the manual run would create a background task that needed further privileges.
But after some trial and error, where I ended up granting the role all space privileges and all cluster/index privileges, I figured out that only granting the superuser role to the test users fixes this issue.
This can definitely not be the proper way. So is this a bug?

Kind regards



Stack version: 8.6.1

This is the newly set up role:

{
  "MY_ROLE": {
    "cluster": [],
    "indices": [],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_stackAlerts.all",
          "feature_actions.read",
          "feature_discover.all",
          "feature_dashboard.all",
          "feature_visualize.all",
          "feature_apm.all",
          "feature_dev_tools.all",
          "feature_advancedSettings.read",
          "feature_indexPatterns.all",
          "feature_savedObjectsManagement.all"
        ],
        "resources": [
          "space:MY_SPACE"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}

Another, additional role grants the user the following permissions:

{
  "ANOTHER_ROLE": {
    "cluster": [
      "manage_pipeline"
    ],
    "indices": [
      {
        "names": [
          "logs-*"
        ],
        "privileges": [
          "view_index_metadata",
          "read"
        ],
        "allow_restricted_indices": false
      },
      {
        "names": [
          "logs-apm*",
          ".ml-anomalies*",
          "traces-apm*",
          "observability-annotations",
          "metrics-apm*"
        ],
        "privileges": [
          "view_index_metadata",
          "read"
        ],
        "allow_restricted_indices": false
      }
    ],
    
    "run_as": [],
    "metadata": {
      "terraform_managed": true
    },
    "transient_metadata": {
      "enabled": true
    }
  }
}

I believe this is the bug "[RAM] bug on _run_soon API" by XavierM (Pull Request #151218, elastic/kibana, GitHub). Fixed in versions 8.6.3 and >= 8.7.0.
