From 550cddf5eee20ac34c1c7036700be45d9f2c5cc4 Mon Sep 17 00:00:00 2001
From: Ievgen Sorokopud
Date: Tue, 3 Jun 2025 15:37:52 +0200
Subject: [PATCH] Granting `kibana_system` reserved role access to "all" privileges to `.adhoc.alerts*` and `.internal.adhoc.alerts*` indices (#127321)

* Granting `kibana_system` reserved role access to "all" privileges to `.adhoc.alerts*` and `.internal.adhoc.alerts*` indices

* Update docs/changelog/127321.yaml

* [CI] Auto commit changes from spotless

* Replace `"all"` with the specific privileges for the `kibana_system` role

* Fix tests

* Fix CI

* Updated privileges

* Updated privileges

Add `"maintenance"` to allow `refresh=true` option on bulk API call.

* Remove redundant code

---------

Co-authored-by: elasticsearchmachine
---
 docs/changelog/127321.yaml | 6 +++++
 .../KibanaOwnedReservedRoleDescriptors.java | 17 +++++++++++++
 .../authz/store/ReservedRolesStore.java | 14 +++++++++--
 .../authz/store/ReservedRolesStoreTests.java | 25 +++++++++++++++++++
 4 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 docs/changelog/127321.yaml

diff --git a/docs/changelog/127321.yaml b/docs/changelog/127321.yaml
new file mode 100644
index 000000000000..16191d9c3444
--- /dev/null
+++ b/docs/changelog/127321.yaml
@@ -0,0 +1,6 @@
+pr: 127321
+summary: Granting `kibana_system` reserved role access to "all" privileges to `.adhoc.alerts*`
+ and `.internal.adhoc.alerts*` indices
+area: Authorization
+type: enhancement
+issues: []
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index d3f974816b0d..ada07ccc31a5 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -265,6 +265,23 @@ class KibanaOwnedReservedRoleDescriptors {
 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_INDEX_ALIAS).privileges("all").build(),
 // "Alerts as data" public index alias used in Security Solution
 // Kibana system user uses them to read / write alerts.
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX, ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS)
+ .privileges(
+ "create_index",
+ "read",
+ "write",
+ "view_index_metadata",
+ "maintenance",
+ RolloverAction.NAME,
+ TransportIndicesAliasesAction.NAME,
+ TransportPutMappingAction.TYPE.name(),
+ TransportAutoPutMappingAction.TYPE.name(),
+ TransportUpdateSettingsAction.TYPE.name()
+ )
+ .build(),
+ // "Alerts as data" public index alias used in Security Solution
+ // Kibana system user uses them to read / write alerts.
 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS).privileges("all").build(),
 // "Alerts as data" internal backing indices used in Security Solution
 // Kibana system user creates these indices; reads / writes to them via the
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 7251d233e25a..52fe69c949a4 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
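Review bot: The new IndicesPrivileges entry for ADHOC_ALERTS_BACKING_INDEX and ADHOC_ALERTS_INDEX_ALIAS sits directly under the unchanged context comment that appears to describe the preview alerts alias as a public alias the Kibana system user only reads and writes, and the copied comment now placed above the PREVIEW_ALERTS_INDEX_ALIAS entry repeats that same text; the new block, which also grants create_index, rollover, alias, mapping and settings actions on both alias and backing-index patterns, should carry its own comment, e.g. `// "Attack Discovery" ad-hoc alerts alias and backing indices: kibana_system creates, rolls over and maps them; "maintenance" is needed for refresh=true on bulk writes (per the commit message)`. The privilege list is deliberately narrower than "all" (no delete_index, no manage), which is the right least-privilege outcome, but the PR title and the changelog summary in this same patch still say "all"; the changelog wording should be corrected so the documented grant matches the actual set. The enclosing privilege array starts and ends outside the hunk.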
@@ -59,6 +59,10 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 public static final String PREVIEW_ALERTS_BACKING_INDEX = ".internal.preview.alerts*";
 public static final String PREVIEW_ALERTS_BACKING_INDEX_REINDEXED = ".reindexed-v8-internal.preview.alerts*";
 
+ /** "Attack Discovery" ad-hoc alerts index */
+ public static final String ADHOC_ALERTS_INDEX_ALIAS = ".adhoc.alerts*";
+ public static final String ADHOC_ALERTS_BACKING_INDEX = ".internal.adhoc.alerts*";
+
 /** "Security Solutions" only lists index for value lists for detections */
 public static final String LISTS_INDEX = ".lists-*";
 public static final String LISTS_INDEX_REINDEXED_V8 = ".reindexed-v8-lists-*";
@@ -782,7 +786,11 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 .build(),
 // Alerts-as-data
 RoleDescriptor.IndicesPrivileges.builder()
- .indices(ReservedRolesStore.ALERTS_INDEX_ALIAS, ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS)
+ .indices(
+ ReservedRolesStore.ALERTS_INDEX_ALIAS,
+ ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS,
+ ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS
+ )
 .privileges("read", "view_index_metadata")
 .build(),
 // Universal Profiling
@@ -846,7 +854,9 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 ReservedRolesStore.ALERTS_INDEX_ALIAS,
 ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX,
 ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_REINDEXED,
- ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS
+ ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS,
+ ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX,
+ ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS
 )
 .privileges("read", "view_index_metadata", "write", "maintenance")
 .build(),
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 3f28195e435f..9136a34c44b8 100644
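Review bot: In the @@ -59 hunk only ADHOC_ALERTS_INDEX_ALIAS gets a Javadoc, and its text `"Attack Discovery" ad-hoc alerts index` does not say that this constant is the alias pattern while ADHOC_ALERTS_BACKING_INDEX is the backing-index pattern. Suggest `/** "Attack Discovery" ad-hoc alerts alias pattern */` on ADHOC_ALERTS_INDEX_ALIAS and `/** Backing indices behind {@link #ADHOC_ALERTS_INDEX_ALIAS} */` on ADHOC_ALERTS_BACKING_INDEX, mirroring the alias/backing split the neighbouring PREVIEW_ALERTS constants follow.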
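Review bot: The @@ -782 and @@ -846 hunks widen index privileges of reserved roles other than kibana_system (the enclosing role definitions start and end outside both hunks, so their names are not visible here) to the new `.adhoc.alerts*` patterns — read and view_index_metadata on the alias in the first, read, view_index_metadata, write and maintenance on both alias and backing index in the second — yet the changelog entry and commit title describe only the kibana_system grant. Because both patterns end in a trailing wildcard, every holder of those built-in roles gains access to all present and future ad-hoc alerts indices, so the changelog summary should name these grants and ReservedRolesStoreTests should assert them for those roles (the test hunk in this patch exercises kibanaRole only). If adding just the alias in the first hunk while adding alias and backing index in the second is intentional, a short comment stating why the read-only role does not need the backing indices would help the next reader.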
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -624,6 +624,31 @@ public class ReservedRolesStoreTests extends ESTestCase {
 ".slo-observability." + randomAlphaOfLength(randomIntBetween(0, 13))
 ).forEach(index -> assertAllIndicesAccessAllowed(kibanaRole, index));
 
+ Arrays.asList(
+ ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
+ ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13))
+ ).forEach(index -> {
+ final IndexAbstraction indexAbstraction = mockIndexAbstraction(index);
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportCreateIndexAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportIndicesAliasesAction.NAME).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportPutMappingAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertThat(
+ kibanaRole.indices().allowedIndicesMatcher(TransportAutoPutMappingAction.TYPE.name()).test(indexAbstraction),
+ is(true)
+ );
+ assertThat(
+ kibanaRole.indices().allowedIndicesMatcher(TransportUpdateSettingsAction.TYPE.name()).test(indexAbstraction),
+ is(true)
+ );
+
+ // Check view_index_metadata privilege
+ assertViewIndexMetadata(kibanaRole, index);
+
+ // Check read, write and maintenance privileges
+ assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(kibanaRole, index + randomIntBetween(0, 5));
+ });
+
 // read-only index access, including cross cluster
 Arrays.asList(".monitoring-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((index) -> {
 logger.info("index name [{}]", index);
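Review bot: The index names built in the new forEach concatenate the constants verbatim, so each name keeps the literal `*` from `.adhoc.alerts*` and `.internal.adhoc.alerts*` (for example `.adhoc.alerts*abc`), which is not a name Elasticsearch would ever create; the wildcard matcher still accepts it, so the assertions pass, but they never exercise a production-shaped name, and if this mirrors how the earlier alerts assertions in this method are written the same caveat applies there. Consider deriving names without the asterisk, e.g. `ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS.replace("*", "-") + randomAlphaOfLength(randomIntBetween(0, 13))` (constructed example), and adding one negative assertion on a near-miss name outside both patterns so the test pins where the grant stops, alongside the delete-index denial the helper on the last added statement checks by its name. The surrounding test method starts before the hunk.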