Granting kibana_system reserved role access to "all" privileges to .adhoc.alerts* and .internal.adhoc.alerts* indices (#127321)

* Granting `kibana_system` reserved role access to "all" privileges to `.adhoc.alerts*` and `.internal.adhoc.alerts*` indices * Update docs/changelog/127321.yaml * [CI] Auto commit changes from spotless * Replace `"all"` with the specific privileges for the `kibana_system` role * Fix tests * Fix CI * Updated privileges * Updated privileges Add `"maintenance"` to allow `refresh=true` option on bulk API call. * Remove redundant code --------- Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
2025-06-28 09:28:55 -04:00 · 2025-06-03 15:37:52 +02:00 · 2025-06-03 15:37:52 +02:00 · 550cddf5ee
commit 550cddf5ee
parent 38fb46d366
4 changed files with 60 additions and 2 deletions
--- a/docs/changelog/127321.yaml
+++ b/docs/changelog/127321.yaml
@ -0,0 +1,6 @@
+pr: 127321
+summary: Granting `kibana_system` reserved role access to "all" privileges to `.adhoc.alerts*`
+  and `.internal.adhoc.alerts*` indices
+area: Authorization
+type: enhancement
+issues: []
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@ -265,6 +265,23 @@ class KibanaOwnedReservedRoleDescriptors {
                RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_INDEX_ALIAS).privileges("all").build(),
                // "Alerts as data" public index alias used in Security Solution
                // Kibana system user uses them to read / write alerts.
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices(ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX, ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS)
+                    .privileges(
+                        "create_index",
+                        "read",
+                        "write",
+                        "view_index_metadata",
+                        "maintenance",
+                        RolloverAction.NAME,
+                        TransportIndicesAliasesAction.NAME,
+                        TransportPutMappingAction.TYPE.name(),
+                        TransportAutoPutMappingAction.TYPE.name(),
+                        TransportUpdateSettingsAction.TYPE.name()
+                    )
+                    .build(),
+                // "Alerts as data" public index alias used in Security Solution
+                // Kibana system user uses them to read / write alerts.
                RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS).privileges("all").build(),
                // "Alerts as data" internal backing indices used in Security Solution
                // Kibana system user creates these indices; reads / writes to them via the
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@ -59,6 +59,10 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
    public static final String PREVIEW_ALERTS_BACKING_INDEX = ".internal.preview.alerts*";
    public static final String PREVIEW_ALERTS_BACKING_INDEX_REINDEXED = ".reindexed-v8-internal.preview.alerts*";

+    /** "Attack Discovery" ad-hoc alerts index */
+    public static final String ADHOC_ALERTS_INDEX_ALIAS = ".adhoc.alerts*";
+    public static final String ADHOC_ALERTS_BACKING_INDEX = ".internal.adhoc.alerts*";
+
    /** "Security Solutions" only lists index for value lists for detections */
    public static final String LISTS_INDEX = ".lists-*";
    public static final String LISTS_INDEX_REINDEXED_V8 = ".reindexed-v8-lists-*";
@ -782,7 +786,11 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
                    .build(),
                // Alerts-as-data
                RoleDescriptor.IndicesPrivileges.builder()
-                    .indices(ReservedRolesStore.ALERTS_INDEX_ALIAS, ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS)
+                    .indices(
+                        ReservedRolesStore.ALERTS_INDEX_ALIAS,
+                        ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS,
+                        ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS
+                    )
                    .privileges("read", "view_index_metadata")
                    .build(),
                // Universal Profiling
@ -846,7 +854,9 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
                        ReservedRolesStore.ALERTS_INDEX_ALIAS,
                        ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX,
                        ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_REINDEXED,
-                        ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS
+                        ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS,
+                        ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX,
+                        ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS
                    )
                    .privileges("read", "view_index_metadata", "write", "maintenance")
                    .build(),
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@ -624,6 +624,31 @@ public class ReservedRolesStoreTests extends ESTestCase {
            ".slo-observability." + randomAlphaOfLength(randomIntBetween(0, 13))
        ).forEach(index -> assertAllIndicesAccessAllowed(kibanaRole, index));

+        Arrays.asList(
+            ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
+            ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13))
+        ).forEach(index -> {
+            final IndexAbstraction indexAbstraction = mockIndexAbstraction(index);
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportCreateIndexAction.TYPE.name()).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportIndicesAliasesAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportPutMappingAction.TYPE.name()).test(indexAbstraction), is(true));
+            assertThat(
+                kibanaRole.indices().allowedIndicesMatcher(TransportAutoPutMappingAction.TYPE.name()).test(indexAbstraction),
+                is(true)
+            );
+            assertThat(
+                kibanaRole.indices().allowedIndicesMatcher(TransportUpdateSettingsAction.TYPE.name()).test(indexAbstraction),
+                is(true)
+            );
+
+            // Check view_index_metadata privilege
+            assertViewIndexMetadata(kibanaRole, index);
+
+            // Check read, write and maintenance privileges
+            assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(kibanaRole, index + randomIntBetween(0, 5));
+        });
+
        // read-only index access, including cross cluster
        Arrays.asList(".monitoring-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((index) -> {
            logger.info("index name [{}]", index);