[ExtraHop][Qualys GAV] - Fix Cannot execute ILM policy delete step #132387

Open
wants to merge 2 commits into
base: main

ShourieG
Contributor

@ShourieG ShourieG commented Aug 4, 2025

This PR focuses on the short-term solution, which adds the logs-extrahop.investigation-* and logs-qualys_gav.asset-* indices under the kibana_system role with deletion privileges to prevent a failed deletion error when the index enters the deletion phase for the ILM lifecycle, in upcoming PRs.

Current behavior:

  • It shows a permission issue while deleting the index

For Qualys GAV:

{
  "failed_step": "delete",
  "step_info": {
    "type": "security_exception",
    "reason": "action [indices:admin/delete] is unauthorized for user [found-internal-kibana4-server] with effective roles [found-internal-kibana4-server,kibana_system] on indices [.ds-logs-qualys_gav.asset-default-2025.07.24-000001], this action is granted by the index privileges [delete_index,manage,all]"
  }
}

For ExtraHop:

{
  "failed_step": "delete",
  "step_info": {
    "type": "security_exception",
    "reason": "action [indices:admin/delete] is unauthorized for user [found-internal-kibana4-server] with effective roles [found-internal-kibana4-server, kibana_system] on indices [.ds-logs-extrahop.investigation-default-2025.07.23-000001], this action is granted by the index privileges [delete_index, manage, all]"
  }
}

Closes - #131825
Similar Issues: elastic/kibana#197390, #116982
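
A triage helper for the failure quoted in the description above, added here as an example (it is not code from this PR or from Elasticsearch): it parses the `security_exception` reason and reports which indices are still not covered by a role's index entries. It maps a `.ds-` backing index back to its data stream, because a privilege granted on a data stream also applies to its backing indices. The `BEFORE` and `AFTER` role entries are constructed samples, not the real `kibana_system` definition, and only `*` wildcards are modelled.

```python
import re

# Shape of the security_exception "reason" string quoted in the PR description.
REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\] "
    r"with effective roles \[(?P<roles>[^\]]+)\] on indices \[(?P<indices>[^\]]+)\], "
    r"this action is granted by the index privileges \[(?P<privs>[^\]]+)\]")
# Backing indices are named .ds-<data-stream>-<yyyy.MM.dd>-<generation>.
BACKING_RE = re.compile(r"^\.ds-(?P<stream>.+)-\d{4}\.\d{2}\.\d{2}-\d+$")

def _csv(text):
    return [part.strip() for part in text.split(",")]

def parse_reason(reason):
    """Extract action, user, roles, indices and granting privileges."""
    m = REASON_RE.search(reason)
    if m is None:
        raise ValueError("not an index authorization failure")
    return {"action": m["action"], "user": m["user"], "roles": _csv(m["roles"]),
            "indices": _csv(m["indices"]), "granting": set(_csv(m["privs"]))}

def _matches(pattern, name):
    # Simplification (assumption): only '*' wildcards are modelled.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), name) is not None

def uncovered(failure, role_indices):
    """Indices for which no role entry matches the index (or its data stream)
    while also holding one of the granting privileges."""
    missing = []
    for index in failure["indices"]:
        m = BACKING_RE.match(index)
        names = [index] + ([m["stream"]] if m else [])
        if not any(failure["granting"] & set(entry["privileges"])
                   and any(_matches(p, n) for p in entry["names"] for n in names)
                   for entry in role_indices):
            missing.append(index)
    return missing

# Reason string copied from the Qualys GAV error in the description.
QUALYS_REASON = (
    "action [indices:admin/delete] is unauthorized for user [found-internal-kibana4-server] "
    "with effective roles [found-internal-kibana4-server,kibana_system] on indices "
    "[.ds-logs-qualys_gav.asset-default-2025.07.24-000001], this action is granted by "
    "the index privileges [delete_index,manage,all]")
# Constructed role entries for illustration (hypothetical, not the real role).
BEFORE = [{"names": ["logs-qualys_gav.asset-*"], "privileges": ["read", "write"]}]
AFTER = BEFORE + [{"names": ["logs-extrahop.investigation-*", "logs-qualys_gav.asset-*"],
                   "privileges": ["delete_index"]}]

if __name__ == "__main__":
    print(uncovered(parse_reason(QUALYS_REASON), BEFORE), uncovered(parse_reason(QUALYS_REASON), AFTER))
```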

@ShourieG ShourieG self-assigned this Aug 4, 2025
@ShourieG ShourieG added the >bug label Aug 4, 2025
@ShourieG ShourieG requested a review from a team as a code owner August 4, 2025 09:59
@ShourieG ShourieG added the Team:Cloud Security Meta label for Cloud Security team label Aug 4, 2025
@elasticsearchmachine elasticsearchmachine added v9.2.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Aug 4, 2025
@ShourieG ShourieG added v8.18.0 :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC and removed external-contributor Pull request authored by a developer outside the Elasticsearch team v9.2.0 labels Aug 4, 2025
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Aug 4, 2025
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Cloud Security Meta label for Cloud Security team Team:Security Meta label for security team v8.18.0