Consider adding a File Upload or Add Data reserved role

[jgowdyelastic]

It would be useful if we shipped a reserved role which granted all of the privileges a user needs to use the File Upload feature.

Currently a non admin user who does not have any ML privileges will need to be using specifically crafted permissions to be able to use the File Upload feature.

The user can be assigned the ingest_admin role, but this only covers some of the required permissions.

They also need create, create_index, manage and read permissions for the index they have yet to create.
If creating a new role I will normally assign these privileges to * index or a partial index name with a wildcard. The latter restricts the user to only creating indices with that pattern.

They must also have a kibana privilege All for Discover to allow the user to analyse the selected file.
Originally ML granted users the 'fileUpload:analyzeFile' capability which provides the ability to analyse the file using the Find Structure API
It was decided that a "next best" Kibana feature should grant this capability rather than ML, Discover was chosen and so now a user with All Discover kibana privileges is granted 'fileUpload:analyzeFile' and is able to analyse files.

In summary, ideally the new "Add Data" or "File Upload" role would have these privileges:

• manage_ingest_pipelines cluster privilege.
• create, create_index, manage and read index privilege for * indices
• All Discover kibana privilege

This single role would allow a user to use the File Upload feature in its entirety.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[legrego]

We generally try not to introduce reserved roles for specific Kibana features -- the apm_user role is a notable exception, but I think in hindsight we would have made a different decision.

This feature is particularly tricky since it needs access to user indices, and having a reserved role grant that access is something that probably won't be useful to a large number of folks: either we grant access to *, which is probably too permissive, or we grant access to some-subset-of-indices-*, in which case we are likely to choose a subset that won't work for most.

They must also have a kibana privilege All for Discover to allow the user to analyse the selected file.
Originally ML granted users the 'fileUpload:analyzeFile' capability which provides the ability to analyse the file using the Find Structure API
It was decided that a "next best" Kibana feature should grant this capability rather than ML, Discover was chosen and so now a user with All Discover kibana privileges is granted 'fileUpload:analyzeFile' and is able to analyse files.

I think another solution to the Kibana part of the problem is to grant this privilege to more features. Which features should grant this privilege is a broader discussion, but I could see this making sense for a good number of them.

Rather than introduce a reserved role to satisfy this need, I think a better approach would be to invest in a role management experience that caters to solutions, which can in turn assist with enabling features such as file upload (such as #80634). I could envision file upload becoming a feature that solutions embed into their UX, in which case they might have unique requirements about the specific privileges they need.

[jgowdyelastic]

the fileUpload:analyzeFile capability just enables the initial analysis of the user's file, I think the real problem is the required elasticsearch privileges for uploading the file to a new index.

We generally try not to introduce reserved roles for specific Kibana features

Yes, I was expecting this, and it does make sense.

[legrego]

the fileUpload:analyzeFile capability just enables the initial analysis of the user's file, I think the real problem is the required elasticsearch privileges for uploading the file to a new index.

Makes sense, thanks. In that case, I am going to close this in favor of #80634, which will address this specific problem in a more holistic manner