diff --git a/elastic/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/elastic/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index d8889003f3661..8512d29f3901c 100644
--- a/elastic/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/elastic/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -768,7 +768,7 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
  "logs-*",
  "synthetics-*",
  "traces-*",
- "/metrics-.*&~(metrics-endpoint\\.metadata_current_default)/",
+ "/metrics-.*&~(metrics-endpoint\\.metadata_current_default.*)/",
  ".logs-endpoint.action.responses-*",
  ".logs-endpoint.diagnostic.collection-*",
  ".logs-endpoint.actions-*",
@@ -820,9 +820,9 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
  .build(),
  RoleDescriptor.IndicesPrivileges.builder()
  .indices(
- "metrics-endpoint.metadata_current_default",
- ".metrics-endpoint.metadata_current_default",
- ".metrics-endpoint.metadata_united_default"
+ "metrics-endpoint.metadata_current_default*",
+ ".metrics-endpoint.metadata_current_default*",
+ ".metrics-endpoint.metadata_united_default*"
  )
  .privileges("create_index", "delete_index", "read", "index", IndicesAliasesAction.NAME, UpdateSettingsAction.NAME)
  .build(),
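Review bot: The trailing `*` added in the @@ -820 hunk (and in the @@ -845 hunk of the same file) extends kibana_system's create_index/delete_index/index grant from three exact index names to every index whose name merely starts with one of those prefixes, which is broader than the `"-" + Version.CURRENT` suffixed names that the accompanying test changes exercise. If the versioned suffix is the only case being added, keeping the exact names and adding a dash-anchored wildcard, e.g. `"metrics-endpoint.metadata_current_default", "metrics-endpoint.metadata_current_default-*",` for each of the three entries (and likewise for the two `logs-cloud_security_posture` names), would keep the grant closer to least privilege; if the open-ended prefix is intended, a comment on the `.indices(` call saying why would help the next reviewer. The @@ -768 regex exclusion would then want the matching form `~(metrics-endpoint\\.metadata_current_default(-.*)?)` so the carve-out from the `metrics-*` group stays aligned with the explicit grant. kibanaSystemRoleDescriptor begins and ends outside these hunks.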
@@ -845,7 +845,7 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
  .privileges("read", "view_index_metadata")
  .build(),
  RoleDescriptor.IndicesPrivileges.builder()
- .indices("logs-cloud_security_posture.findings_latest-default", "logs-cloud_security_posture.scores-default")
+ .indices("logs-cloud_security_posture.findings_latest-default*", "logs-cloud_security_posture.scores-default*")
  .privileges("create_index", "read", "index", "delete", IndicesAliasesAction.NAME, UpdateSettingsAction.NAME)
  .build() },
  null,
diff --git a/elastic/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/elastic/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 71554880cd8ca..e3ac7164e9564 100644
--- a/elastic/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/elastic/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -997,7 +997,10 @@ public void testKibanaSystemRole() {
  Arrays.asList(
  "metrics-endpoint.metadata_current_default",
  ".metrics-endpoint.metadata_current_default",
- ".metrics-endpoint.metadata_united_default"
+ ".metrics-endpoint.metadata_united_default",
+ "metrics-endpoint.metadata_current_default-" + Version.CURRENT,
+ ".metrics-endpoint.metadata_current_default-" + Version.CURRENT,
+ ".metrics-endpoint.metadata_united_default-" + Version.CURRENT
  ).forEach(indexName -> {
  logger.info("index name [{}]", indexName);
  final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
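Review bot: The names added in the @@ -997 hunk all end in `"-" + Version.CURRENT`, which match whether the role pattern ends in `*` or `-*`, so the test does not pin how far the widened grant reaches; the same holds for the @@ -1079 hunk. A negative assertion on a constructed name that shares only the prefix, e.g. `assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(mockIndexAbstraction("metrics-endpoint.metadata_current_default_other")), is(false));`, would make the intended scope explicit, assuming no other privilege group in the role covers such a name; if the open-ended prefix is intended, the positive form of that assertion documents it instead. testKibanaSystemRole begins before and ends after these hunks.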
@@ -1079,33 +1082,35 @@ public void testKibanaSystemRole() {
  assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
  });
 
- Arrays.asList("logs-cloud_security_posture.findings_latest-default", "logs-cloud_security_posture.scores-default")
- .forEach(indexName -> {
- logger.info("index name [{}]", indexName);
- final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
- // Allow indexing
- assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(indexAbstraction), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(indexAbstraction), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(indexAbstraction), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateAction.NAME).test(indexAbstraction), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(BulkAction.NAME).test(indexAbstraction), is(true));
- // Allow create and delete index, modifying aliases, and updating index settings
- assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(indexAbstraction), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(indexAbstraction), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateDataStreamAction.NAME).test(indexAbstraction), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAliasesAction.NAME).test(indexAbstraction), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(IndicesAliasesAction.NAME).test(indexAbstraction), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
-
- // Implied by the overall view_index_metadata and monitor privilege
- assertViewIndexMetadata(kibanaRole, indexName);
- assertThat(
- kibanaRole.indices()
- .allowedIndicesMatcher("indices:monitor/" + randomAlphaOfLengthBetween(3, 8))
- .test(indexAbstraction),
- is(true)
- );
- });
+ Arrays.asList(
+ "logs-cloud_security_posture.findings_latest-default",
+ "logs-cloud_security_posture.scores-default",
+ "logs-cloud_security_posture.findings_latest-default-" + Version.CURRENT,
+ "logs-cloud_security_posture.scores-default-" + Version.CURRENT
+ ).forEach(indexName -> {
+ logger.info("index name [{}]", indexName);
+ final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
+ // Allow indexing
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateAction.NAME).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(BulkAction.NAME).test(indexAbstraction), is(true));
+ // Allow create and delete index, modifying aliases, and updating index settings
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateDataStreamAction.NAME).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAliasesAction.NAME).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(IndicesAliasesAction.NAME).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
+
+ // Implied by the overall view_index_metadata and monitor privilege
+ assertViewIndexMetadata(kibanaRole, indexName);
+ assertThat(
+ kibanaRole.indices().allowedIndicesMatcher("indices:monitor/" + randomAlphaOfLengthBetween(3, 8)).test(indexAbstraction),
+ is(true)
+ );
+ });
 
  // Ensure privileges necessary for ILM policies in APM & Endpoint packages
  Arrays.asList(