There are two endpoints for log ingestion into SecOps:
europe-malachiteingestion-pa.googleapis.com
chronicle.googleapis.com
Whether using the APIs directly, or via the bindplane agent, we can successfully get logs into our SecOps instance.
The "legacy" Malachite API works perfectly. The logs, labels, and base_labels are added, meaning Data RBAC works as expected.
metadata.base_labels.allow_scoped_access = true
metadata.base_labels.ingestion_kv_labels[0].key = "attempt_id"
metadata.base_labels.ingestion_kv_labels[0].value = "597901e6cbfb490e8903fb660da2b4e0"
metadata.ingestion_labels[0].key = "attempt_id"
metadata.ingestion_labels[0].value = "597901e6cbfb490e8903fb660da2b4e0"
The v1alpha, chronicle API allows our logs to be ingested. The ingestion labels are visible in SecOps, but the base_labels are not added to the metadata. Data RBAC does not work.
metadata.ingestion_labels.rbac_enabled = true
metadata.ingestion_labels[0].key = "attempt_id"
metadata.ingestion_labels[0].value = "597901e6cbfb490e8903fb660da2b4e0"
We have scratched our heads with this for a while, and suspect it is a bug. Similar (recent) posts in the community also seem to support this.
We want to use the v1alpha API for DataRBAC. The logs seem to be missing base_labels which seem to be stopping Data RBAC from working.
@cmmartin_google Any ideas? In one of your blogs you mention ingestion labels; do you know if this is a bug, or if we are doing something wrong? Cheers
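A check that makes the difference between the two results above explicit, as an added example that is not part of the original post: given the metadata of an event read back from SecOps, it reports whether every ingestion label also landed in base_labels.ingestion_kv_labels and whether allow_scoped_access is set, which is what Data RBAC scoping depends on. The two sample events are constructed here to mirror the legacy and v1alpha results quoted in the thread; the nested dict layout is an assumption that follows the dotted UDM paths shown.

```python
from typing import Dict, List


def kv_to_dict(labels: List[Dict[str, str]]) -> Dict[str, str]:
    """Flatten a list of {"key": ..., "value": ...} entries into a plain dict."""
    return {entry["key"]: entry["value"] for entry in labels}


def check_rbac_labels(metadata: dict) -> dict:
    """Compare metadata.ingestion_labels against metadata.base_labels.

    Returns which ingestion labels are missing from base_labels.ingestion_kv_labels,
    whether base_labels.allow_scoped_access is true, and an overall rbac_ready flag.
    Field names follow the UDM paths quoted in the thread (assumed layout).
    """
    ingestion = kv_to_dict(metadata.get("ingestion_labels", []))
    base = metadata.get("base_labels", {})
    base_kv = kv_to_dict(base.get("ingestion_kv_labels", []))
    scoped = bool(base.get("allow_scoped_access", False))
    missing = sorted(key for key in ingestion if key not in base_kv)
    return {
        "scoped_access": scoped,
        "missing_from_base_labels": missing,
        "rbac_ready": scoped and not missing,
    }


# Constructed sample: result seen via the legacy Malachite endpoint (labels copied to base_labels).
LEGACY_EVENT = {
    "metadata": {
        "base_labels": {
            "allow_scoped_access": True,
            "ingestion_kv_labels": [
                {"key": "attempt_id", "value": "597901e6cbfb490e8903fb660da2b4e0"}
            ],
        },
        "ingestion_labels": [
            {"key": "attempt_id", "value": "597901e6cbfb490e8903fb660da2b4e0"}
        ],
    }
}

# Constructed sample: result seen via the v1alpha chronicle endpoint (no base_labels at all).
V1ALPHA_EVENT = {
    "metadata": {
        "ingestion_labels": [
            {"key": "attempt_id", "value": "597901e6cbfb490e8903fb660da2b4e0"}
        ],
    }
}
```

Running the check over events pulled back after a test ingestion gives a quick yes/no on whether a given ingestion path is usable for Data RBAC before scoping any users to those labels.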
@akingscote This is a bug, engineering is aware of it but please submit a support case. This allows us to prioritize properly and will get you notifications for when the issue is resolved.
Cheers Jeremy, we have submitted a ticket with our reseller, who hopefully will pass any information on.
Here is some more information that might help:
We are able to manually ingest data via HTTPS with the Ingestion API, but the data labels do not appear in metadata.base_labels.ingestion_kv_labels, meaning Data RBAC does not work.
Apparently a fix is planned for Q2 🙃