Jaeger: Document the required permissions for Elasticsearch

Created on 25 Jul 2019  ·  7 Comments  ·  Source: jaegertracing/jaeger

Requirement - what kind of business use case are you trying to solve?

As someone who is configuring Jaeger to connect to a secured Elasticsearch cluster, it would be very helpful to have it documented as to the specific permissions required to get Jaeger to successfully connect. Unfortunately, the errors thrown aren't terribly helpful.

Problem - what in Jaeger blocks you from solving the requirement?

Without specific documentation, it took quite a bit of trial and error to determine what privileges were required.

Proposal - what do you suggest to solve the problem or improve the existing situation?

Include a section in the ES plugin docs around how to create a role that satisfies the minimal requirements.

Labels: documentation, storage/elasticsearch

All 7 comments

Here's an example role definition JSON for what worked for us.

{
  "jaeger" : {
    "cluster" : [
      "monitor"
    ],
    "indices" : [
      {
        "names" : [
          "jaeger-*"
        ],
        "privileges" : [
          "create",
          "create_index",
          "write",
          "read"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

The cluster level "monitor" right was what took quite a bit to figure out.

I'm happy to update the documentation files and send in a PR if it's helpful. Thanks!

@yardbirdsax thanks for posting the example.

@pavolloffay I am not that familiar with administering ES. Would a file like this make sense as part of documentation, or in the code, next to our other ES tools?

+1 on documenting these

@yardbirdsax what plugin is this configuration for?

@yardbirdsax or @jaegertracing/elasticsearch do you know where the Elasticsearch permissions are documented? The latest docs I found are for 2.2 https://www.elastic.co/guide/en/shield/2.2/privileges-list.html

Here is an example of SearchGuard for Jaeger https://github.com/openshift/origin-aggregated-logging/blob/master/elasticsearch/sgconfig/sg_roles.yml#L56. There will be a change to add cluster role MANAGE because of #1627

Permissions for Elasticsearch will rely on which permission plugin is used (if any - it's an optional thing). I'm guessing @yardbirdsax's example is for the regular x-pack plugin, but there are tons of others in the ecosystem so it should probably be clearly documented which permission system the example config targets.

You’re correct that my example was for x-pack. Here’s a link with relevant information:

https://www.elastic.co/guide/en/elastic-stack-overview/7.2/security-privileges.html

@pavolloffay re the “manage” privilege: it looks like this is for index templates? As someone in an organization with strict security requirements, justifying giving the account this privilege when it (I think?) would only need it once to install the template would be a little tricky. Perhaps it should only attempt this when a flag is set, and manual steps to install the template once by an admin should be provided? Or at least fail gracefully and carry on if it doesn’t have that right? I haven’t dug into the change in detail, so apologies if it already does this. I can also comment on that issue too, depending on what you say here.

@yardbirdsax you brought up a valid point that somebody might not want to add the manage privilege for Jaeger.

We could introduce a flag which would disable template creation. In that case it would be the user's responsibility to create the mappings manually before Jaeger startup. The mappings are available here https://github.com/jaegertracing/jaeger/tree/master/plugin/storage/es/mappings so they are easily consumable.

Cluster permission manage_index_templates is required. Works for me:

POST /_security/role/jaeger
{
  "cluster" : [
    "monitor",
    "manage_index_templates"
  ],
  "indices" : [
    {
      "names" : [
        "jaeger-*"
      ],
      "privileges" : [
        "create",
        "create_index",
        "write",
        "read"
      ],
      "field_security" : {
        "grant" : [
          "*"
        ]
      },
      "allow_restricted_indices" : false
    }
  ],
  "applications" : [ ],
  "run_as" : [ ],
  "metadata" : { },
  "transient_metadata" : {
    "enabled" : true
  }
}
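A least-privilege check for role bodies like the ones posted in this thread, written here as an added example (not Jaeger's or Elastic's code): it compares a role against the privilege set the thread converged on, reports what is missing and what is broader than needed, and treats manage_index_templates as excess when Jaeger is configured not to install its own templates. The `creates_templates` parameter models the flag proposed above, which is hypothetical; the check assumes Elastic Stack security privilege names and that cluster "manage"/"all" and index "all" cover the required set.

```python
import json

# Privilege sets from this thread (Elastic Stack / x-pack security model).
# manage_index_templates is needed only while Jaeger installs its own index
# templates; if an admin pre-installs the mappings it can be dropped.
REQUIRED_CLUSTER = {"monitor"}
TEMPLATE_CLUSTER = {"manage_index_templates"}
REQUIRED_INDEX = {"create", "create_index", "write", "read"}
INDEX_PATTERN = "jaeger-*"
# Privileges that satisfy the requirement but grant far more than Jaeger needs
# (cluster "manage" builds on "monitor" and also covers the template actions).
BROAD_CLUSTER = {"all", "manage"}
BROAD_INDEX = {"all"}

def unwrap_role(doc: dict) -> dict:
    """Accept either the POST body or the GET /_security/role/<name> form."""
    if "cluster" not in doc and "indices" not in doc and len(doc) == 1:
        return next(iter(doc.values()))
    return doc

def check_jaeger_role(doc: dict, creates_templates: bool = True) -> dict:
    """Return {'missing': [...], 'excess': [...]} relative to the minimal role."""
    role = unwrap_role(doc)
    cluster = set(role.get("cluster", []))
    needed = REQUIRED_CLUSTER | (TEMPLATE_CLUSTER if creates_templates else set())
    missing, excess = [], []
    if not cluster & BROAD_CLUSTER:          # a broad privilege implies the rest
        missing += [f"cluster:{p}" for p in sorted(needed - cluster)]
    excess += [f"cluster:{p}" for p in sorted(cluster & BROAD_CLUSTER)]
    if not creates_templates and "manage_index_templates" in cluster:
        excess.append("cluster:manage_index_templates")
    granted = set()
    for entry in role.get("indices", []):   # only entries covering jaeger-* count
        names = entry.get("names", [])
        if INDEX_PATTERN in names or "*" in names:
            granted |= set(entry.get("privileges", []))
            if entry.get("allow_restricted_indices"):
                excess.append("indices:allow_restricted_indices")
    if not granted & BROAD_INDEX:
        missing += [f"indices:{p}" for p in sorted(REQUIRED_INDEX - granted)]
    excess += [f"indices:{p}" for p in sorted(granted & BROAD_INDEX)]
    return {"missing": missing, "excess": excess}

# Constructed sample: the role body from the last comment above, as JSON text.
SAMPLE_ROLE = json.loads("""{"cluster": ["monitor", "manage_index_templates"],
 "indices": [{"names": ["jaeger-*"], "privileges": ["create", "create_index", "write", "read"],
              "field_security": {"grant": ["*"]}, "allow_restricted_indices": false}]}""")
print(check_jaeger_role(SAMPLE_ROLE))                           # {'missing': [], 'excess': []}
print(check_jaeger_role(SAMPLE_ROLE, creates_templates=False))  # {'missing': [], 'excess': ['cluster:manage_index_templates']}
```

Feed it the output of GET /_security/role/jaeger (the wrapped form from the first comment is accepted too) to confirm a deployed role matches before opening the firewall between Jaeger and the cluster.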