Skip to content

update kibana_system to grant it access to .chat-* system index #131419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 21, 2025
Merged

update kibana_system to grant it access to .chat-* system index #131419

merged 2 commits into from
Jul 21, 2025
+10 −2

Conversation

pgayvallet
Copy link
Contributor

Fix https://github.com/elastic/search-team/issues/10469

  • Update the Kibana plugin to define the .chat-* external system index pattern
  • Update the kibana_system role descriptor to grant it full access to it

@pgayvallet pgayvallet requested a review from a team as a code owner July 17, 2025 09:04
@pgayvallet pgayvallet added Team:Core/Infra Meta label for core/infra team Team:Search Meta label for search team v9.2.0 labels Jul 17, 2025
@elasticsearchmachine elasticsearchmachine added needs:triage Requires assignment of a team area label external-contributor Pull request authored by a developer outside the Elasticsearch team and removed Team:Core/Infra Meta label for core/infra team Team:Search Meta label for search team labels Jul 17, 2025
@pgayvallet pgayvallet added >non-issue :Core/Infra/Plugins Plugin API and infrastructure Team:Core/Infra Meta label for core/infra team and removed needs:triage Requires assignment of a team area label labels Jul 17, 2025
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@azasypkin azasypkin self-requested a review July 21, 2025 11:02
@azasypkin
Copy link
Member

ACK: will review today, sorry for the delay

azasypkin
azasypkin approved these changes Jul 21, 2025
View reviewed changes
Copy link
Member

@azasypkin azasypkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM from the AppEx Security side - having a system, hidden, dot-prefixed index doesn't raise any additional security concerns.

Just one ask - would you mind updating the PR (or linked issue) description to briefly explain what type of data you're planning or envisioning to store in these indices, whether it will contain PII or other sensitive information (anonymized or not), and what they'll be used for (based on the current vision at least)?

modules/kibana/src/main/java/org/elasticsearch/kibana/KibanaPlugin.java
@@ -38,6 +38,13 @@ public class KibanaPlugin extends Plugin implements SystemIndexPlugin {
.setAllowedElasticProductOrigins(KIBANA_PRODUCT_ORIGIN)
.build();

public static final SystemIndexDescriptor ONECHAT_INDEX_DESCRIPTOR = SystemIndexDescriptor.builder()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From related issue:

We should move as soon as we can to using .chat-* instead, to "decouple" it from pure Kibana system indices, and to have our own explicit system index pattern for this project.

Just for my understanding, what is the main motivation behind the need for decoupling?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a strong ask from tech leadership to fully decouple the onechat system indices from Kibana's, to prepare to the eventuality of onechat being more strongly "separated" from Kibana in the future.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it, thanks for clarifying.

@pgayvallet pgayvallet merged commit feb0b8f into elastic:main Jul 21, 2025
33 checks passed
szybia added a commit to szybia/elasticsearch that referenced this pull request Jul 22, 2025
@szybia
Merge remote-tracking branch 'upstream/main' into index-pipeline-trac…
190db87 
…king

* upstream/main: (100 commits)
  Term vector API on stateless search nodes (elastic#129902)
  TEST Fix ThreadPoolMergeSchedulerStressTestIT testMergingFallsBehindAndThenCatchesUp (elastic#131636)
  Add inference.put_custom rest-api-spec (elastic#131660)
  ESQL: Fewer serverless docs in tests (elastic#131651)
  Skip search on indices with INDEX_REFRESH_BLOCK (elastic#129132)
  Mute org.elasticsearch.indices.cluster.RemoteSearchForceConnectTimeoutIT testTimeoutSetting elastic#131656
  [jdk] Resolve EA OpenJDK builds to our JDK archive (elastic#131237)
  Add optimized path for intermediate values aggregator (elastic#131390)
  Correctly handling download_database_on_pipeline_creation within a pipeline processor within a default or final pipeline (elastic#131236)
  Refresh potential lost connections at query start for `_search` (elastic#130463)
  Add template_id to patterned-text type (elastic#131401)
  Integrate LIKE/RLIKE LIST with ReplaceStringCasingWithInsensitiveRegexMatch rule (elastic#131531)
  [ES|QL] Add doc for the COMPLETION command (elastic#131010)
  ESQL: Add times to topn status (elastic#131555)
  ESQL: Add asynchronous pre-optimization step for logical plan (elastic#131440)
  ES|QL: Improve generative tests for FORK [130015] (elastic#131206)
  Update index mapping update privileges (elastic#130894)
  ESQL: Added Sample operator NamedWritable to plugin (elastic#131541)
  update `kibana_system` to grant it access to `.chat-*` system index (elastic#131419)
  Clarify heap size configuration (elastic#131607)
  ...
szybia added a commit to szybia/elasticsearch that referenced this pull request Jul 22, 2025
@szybia
Merge remote-tracking branch 'upstream/main' into component-templates…
b8f21b1 
…-tracking

* upstream/main: (44 commits)
  Term vector API on stateless search nodes (elastic#129902)
  TEST Fix ThreadPoolMergeSchedulerStressTestIT testMergingFallsBehindAndThenCatchesUp (elastic#131636)
  Add inference.put_custom rest-api-spec (elastic#131660)
  ESQL: Fewer serverless docs in tests (elastic#131651)
  Skip search on indices with INDEX_REFRESH_BLOCK (elastic#129132)
  Mute org.elasticsearch.indices.cluster.RemoteSearchForceConnectTimeoutIT testTimeoutSetting elastic#131656
  [jdk] Resolve EA OpenJDK builds to our JDK archive (elastic#131237)
  Add optimized path for intermediate values aggregator (elastic#131390)
  Correctly handling download_database_on_pipeline_creation within a pipeline processor within a default or final pipeline (elastic#131236)
  Refresh potential lost connections at query start for `_search` (elastic#130463)
  Add template_id to patterned-text type (elastic#131401)
  Integrate LIKE/RLIKE LIST with ReplaceStringCasingWithInsensitiveRegexMatch rule (elastic#131531)
  [ES|QL] Add doc for the COMPLETION command (elastic#131010)
  ESQL: Add times to topn status (elastic#131555)
  ESQL: Add asynchronous pre-optimization step for logical plan (elastic#131440)
  ES|QL: Improve generative tests for FORK [130015] (elastic#131206)
  Update index mapping update privileges (elastic#130894)
  ESQL: Added Sample operator NamedWritable to plugin (elastic#131541)
  update `kibana_system` to grant it access to `.chat-*` system index (elastic#131419)
  Clarify heap size configuration (elastic#131607)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@azasypkin azasypkin azasypkin approved these changes

Assignees
No one assigned
Labels
:Core/Infra/Plugins Plugin API and infrastructure external-contributor Pull request authored by a developer outside the Elasticsearch team >non-issue Team:Core/Infra Meta label for core/infra team v9.2.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pgayvallet @elasticsearchmachine @azasypkin