elastic · przemekwitek · Apr 12, 2023 · Apr 12, 2023 · Apr 12, 2023
diff --git a/docs/changelog/95187.yaml b/docs/changelog/95187.yaml
@@ -0,0 +1,5 @@
+pr: 95187
+summary: Fix privileges check failures by adding `allow_restricted_indices` flag
+area: Transform
+type: bug
+issues: []
diff --git a/x-pack/plugin/transform/qa/multi-node-tests/build.gradle b/x-pack/plugin/transform/qa/multi-node-tests/build.gradle
@@ -50,4 +50,5 @@ testClusters.matching { it.name == 'javaRestTest' }.configureEach {
   user username: "john_junior", password: "x-pack-test-password", role: "transform_admin"
   user username: "bill_senior", password: "x-pack-test-password", role: "transform_admin,source_index_access"
   user username: "not_a_transform_admin", password: "x-pack-test-password", role: "source_index_access"
+  user username: "fleet_access", password: "x-pack-test-password", role: "transform_admin,source_index_access,fleet_index_access"
 }
diff --git a/x-pack/plugin/transform/qa/multi-node-tests/roles.yml b/x-pack/plugin/transform/qa/multi-node-tests/roles.yml
@@ -15,3 +15,11 @@ source_index_access:
         - view_index_metadata
         - indices:data/write/bulk
         - indices:data/write/index
+
+fleet_index_access:
+  indices:
+    # Give access to the Fleet indices (which are system indices)
+    - names: [ '.fleet*' ]
+      privileges:
+        - all
+      allow_restricted_indices: true
diff --git a/...ava/org/elasticsearch/xpack/transform/integration/TransformInsufficientPermissionsIT.java b/...ava/org/elasticsearch/xpack/transform/integration/TransformInsufficientPermissionsIT.java
@@ -50,6 +50,8 @@ public class TransformInsufficientPermissionsIT extends TransformRestTestCase {
     private static final String SENIOR_HEADER = basicAuthHeaderValue(SENIOR_USERNAME, TEST_PASSWORD_SECURE_STRING);
     private static final String NOT_A_TRANSFORM_ADMIN = "not_a_transform_admin";
     private static final String NOT_A_TRANSFORM_ADMIN_HEADER = basicAuthHeaderValue(NOT_A_TRANSFORM_ADMIN, TEST_PASSWORD_SECURE_STRING);
+    private static final String FLEET_ACCESS_USERNAME = "fleet_access";
+    private static final String FLEET_ACCESS_HEADER = basicAuthHeaderValue(FLEET_ACCESS_USERNAME, TEST_PASSWORD_SECURE_STRING);
 
     private static final int NUM_USERS = 28;
 
@@ -388,6 +390,26 @@ public void testPreviewRequestFailsPermissionsCheck() throws Exception {
         previewTransform(Strings.toString(config), RequestOptions.DEFAULT.toBuilder().addHeader(AUTH_KEY, SENIOR_HEADER).build());
     }
 
+    public void testFleetIndicesAccess() throws Exception {
+        String transformId = "transform-permissions-fleet";
+        String sourceIndexPattern = ".fleet-agents*";
+        String destIndexName = transformId + "-dest";
+
+        TransformConfig config = createConfig(transformId, sourceIndexPattern, destIndexName, false);
+
+        ResponseException e = expectThrows(
+            ResponseException.class,
+            () -> previewTransform(
+                Strings.toString(config),
+                RequestOptions.DEFAULT.toBuilder().addHeader(AUTH_KEY, FLEET_ACCESS_HEADER).build()
+            )
+        );
+        // The _preview request got past the authorization step (which is what interests us in this test) but failed because the referenced
+        // source indices do not exist.
+        assertThat(e.getResponse().getStatusLine().getStatusCode(), is(equalTo(400)));
+        assertThat(e.getMessage(), containsString("Source indices have been deleted or closed."));
+    }
+
     @Override
     protected Settings restAdminSettings() {
         return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", TEST_ADMIN_HEADER).build();

diff --git a/...orm/src/main/java/org/elasticsearch/xpack/transform/action/TransformPrivilegeChecker.java b/...orm/src/main/java/org/elasticsearch/xpack/transform/action/TransformPrivilegeChecker.java
@@ -95,6 +95,7 @@ private static HasPrivilegesRequest buildPrivilegesRequest(
                 .indices(sourceIndex)
                 // We need to read the source indices mapping to deduce the destination mapping, hence the need for view_index_metadata
                 .privileges("read", "view_index_metadata")
+                .allowRestrictedIndices(true)
                 .build();
             indicesPrivileges.add(sourceIndexPrivileges);
         }
@@ -121,6 +122,7 @@ private static HasPrivilegesRequest buildPrivilegesRequest(
             RoleDescriptor.IndicesPrivileges destIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder()
                 .indices(destIndex)
                 .privileges(destPrivileges)
+                .allowRestrictedIndices(true)
                 .build();
             indicesPrivileges.add(destIndexPrivileges);
         }

diff --git a/...rc/test/java/org/elasticsearch/xpack/transform/action/TransformPrivilegeCheckerTests.java b/...rc/test/java/org/elasticsearch/xpack/transform/action/TransformPrivilegeCheckerTests.java
@@ -127,6 +127,7 @@ public void testCheckPrivileges_NoCheckDestIndexPrivileges() {
                 RoleDescriptor.IndicesPrivileges sourceIndicesPrivileges = request.indexPrivileges()[0];
                 assertThat(sourceIndicesPrivileges.getIndices(), is(arrayContaining(SOURCE_INDEX_NAME)));
                 assertThat(sourceIndicesPrivileges.getPrivileges(), is(arrayContaining("read", "view_index_metadata")));
+                assertThat(sourceIndicesPrivileges.allowRestrictedIndices(), is(true));
             }, e -> fail(e.getMessage()))
         );
     }
@@ -169,9 +170,11 @@ public void testCheckPrivileges_CheckDestIndexPrivileges_DestIndexDoesNotExist()
                 RoleDescriptor.IndicesPrivileges sourceIndicesPrivileges = request.indexPrivileges()[0];
                 assertThat(sourceIndicesPrivileges.getIndices(), is(arrayContaining(SOURCE_INDEX_NAME)));
                 assertThat(sourceIndicesPrivileges.getPrivileges(), is(arrayContaining("read", "view_index_metadata")));
+                assertThat(sourceIndicesPrivileges.allowRestrictedIndices(), is(true));
                 RoleDescriptor.IndicesPrivileges destIndicesPrivileges = request.indexPrivileges()[1];
                 assertThat(destIndicesPrivileges.getIndices(), is(arrayContaining(DEST_INDEX_NAME)));
                 assertThat(destIndicesPrivileges.getPrivileges(), is(arrayContaining("read", "index", "create_index")));
+                assertThat(destIndicesPrivileges.allowRestrictedIndices(), is(true));
             }, e -> fail(e.getMessage()))
         );
     }
@@ -201,9 +204,11 @@ public void testCheckPrivileges_CheckDestIndexPrivileges_DestIndexExists() {
                 RoleDescriptor.IndicesPrivileges sourceIndicesPrivileges = request.indexPrivileges()[0];
                 assertThat(sourceIndicesPrivileges.getIndices(), is(arrayContaining(SOURCE_INDEX_NAME)));
                 assertThat(sourceIndicesPrivileges.getPrivileges(), is(arrayContaining("read", "view_index_metadata")));
+                assertThat(sourceIndicesPrivileges.allowRestrictedIndices(), is(true));
                 RoleDescriptor.IndicesPrivileges destIndicesPrivileges = request.indexPrivileges()[1];
                 assertThat(destIndicesPrivileges.getIndices(), is(arrayContaining(DEST_INDEX_NAME)));
                 assertThat(destIndicesPrivileges.getPrivileges(), is(arrayContaining("read", "index")));
+                assertThat(destIndicesPrivileges.allowRestrictedIndices(), is(true));
             }, e -> fail(e.getMessage()))
         );
     }
@@ -235,6 +240,7 @@ public void testCheckPrivileges_NoLocalIndices_CheckDestIndexPrivileges_DestInde
                 RoleDescriptor.IndicesPrivileges destIndicesPrivileges = request.indexPrivileges()[0];
                 assertThat(destIndicesPrivileges.getIndices(), is(arrayContaining(DEST_INDEX_NAME)));
                 assertThat(destIndicesPrivileges.getPrivileges(), is(arrayContaining("read", "index")));
+                assertThat(destIndicesPrivileges.allowRestrictedIndices(), is(true));
             }, e -> fail(e.getMessage()))
         );
     }
@@ -267,9 +273,11 @@ public void testCheckPrivileges_CheckDestIndexPrivileges_DestIndexExistsWithRete
                 RoleDescriptor.IndicesPrivileges sourceIndicesPrivileges = request.indexPrivileges()[0];
                 assertThat(sourceIndicesPrivileges.getIndices(), is(arrayContaining(SOURCE_INDEX_NAME)));
                 assertThat(sourceIndicesPrivileges.getPrivileges(), is(arrayContaining("read", "view_index_metadata")));
+                assertThat(sourceIndicesPrivileges.allowRestrictedIndices(), is(true));
                 RoleDescriptor.IndicesPrivileges destIndicesPrivileges = request.indexPrivileges()[1];
                 assertThat(destIndicesPrivileges.getIndices(), is(arrayContaining(DEST_INDEX_NAME)));
                 assertThat(destIndicesPrivileges.getPrivileges(), is(arrayContaining("read", "index", "delete")));
+                assertThat(destIndicesPrivileges.allowRestrictedIndices(), is(true));
             }, e -> fail(e.getMessage()))
         );
     }