From 1d38ed96be64df8c508d97ad951d1bcae8652617 Mon Sep 17 00:00:00 2001
From: BigPandaToo
Date: Wed, 9 Dec 2020 22:54:10 +0100
Subject: [PATCH] Adding "read ingest pipeline" cluster privilege
The new privilege will allow to run ingest tools with minimal privilege to check whether a pipeline exists, without being able to modify it. This privilege also support simulate pipeline too since it is a readonly operation. Resolve #48028
---
.../client/security/user/privileges/Role.java | 7 ++++---
.../elasticsearch/action/ingest/GetPipelineAction.java | 2 +-
.../action/ingest/SimulatePipelineAction.java | 2 +-
.../en/rest-api/security/get-builtin-privileges.asciidoc | 1 +
.../authz/privilege/ClusterPrivilegeResolver.java | 9 +++++++--
.../elasticsearch/xpack/security/operator/Constants.java | 4 ++--
6 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java b/client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java
index bd1b6a50cad6e..2fa5a8da7de61 100644
--- a/client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java
+++ b/client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java
@@ -312,6 +312,7 @@ public static class ClusterPrivilegeName {
public static final String MANAGE_ROLLUP = "manage_rollup";
public static final String MANAGE_INDEX_TEMPLATES = "manage_index_templates";
public static final String MANAGE_INGEST_PIPELINES = "manage_ingest_pipelines";
+ public static final String READ_INGEST_PIPELINES = "read_ingest_pipelines";
public static final String TRANSPORT_CLIENT = "transport_client";
public static final String MANAGE_SECURITY = "manage_security";
public static final String MANAGE_SAML = "manage_saml";
@@ -326,9 +327,9 @@ public static class ClusterPrivilegeName {
public static final String MANAGE_ENRICH = "manage_enrich";
public static final String[] ALL_ARRAY = new String[] { NONE, ALL, MONITOR, MONITOR_TRANSFORM_DEPRECATED, MONITOR_TRANSFORM, MONITOR_ML, MONITOR_WATCHER, MONITOR_ROLLUP, MANAGE, MANAGE_TRANSFORM_DEPRECATED, MANAGE_TRANSFORM,
- MANAGE_ML, MANAGE_WATCHER, MANAGE_ROLLUP, MANAGE_INDEX_TEMPLATES, MANAGE_INGEST_PIPELINES, TRANSPORT_CLIENT,
- MANAGE_SECURITY, MANAGE_SAML, MANAGE_OIDC, MANAGE_TOKEN, MANAGE_PIPELINE, MANAGE_AUTOSCALING, MANAGE_CCR, READ_CCR,
- MANAGE_ILM, READ_ILM, MANAGE_ENRICH };
+ MANAGE_ML, MANAGE_WATCHER, MANAGE_ROLLUP, MANAGE_INDEX_TEMPLATES, MANAGE_INGEST_PIPELINES, READ_INGEST_PIPELINES,
+ TRANSPORT_CLIENT, MANAGE_SECURITY, MANAGE_SAML, MANAGE_OIDC, MANAGE_TOKEN, MANAGE_PIPELINE, MANAGE_AUTOSCALING, MANAGE_CCR,
+ READ_CCR, MANAGE_ILM, READ_ILM, MANAGE_ENRICH };
}
/**
diff --git a/server/src/main/java/org/elasticsearch/action/ingest/GetPipelineAction.java b/server/src/main/java/org/elasticsearch/action/ingest/GetPipelineAction.java
index ebc43dfe663b9..9c68cc622c341 100644
--- a/server/src/main/java/org/elasticsearch/action/ingest/GetPipelineAction.java
+++ b/server/src/main/java/org/elasticsearch/action/ingest/GetPipelineAction.java
@@ -24,7 +24,7 @@ public class GetPipelineAction extends ActionType {
public static final GetPipelineAction INSTANCE = new GetPipelineAction();
- public static final String NAME = "cluster:admin/ingest/pipeline/get";
+ public static final String NAME = "cluster:monitor/ingest/pipeline/get";
public GetPipelineAction() {
super(NAME, GetPipelineResponse::new);
diff --git a/server/src/main/java/org/elasticsearch/action/ingest/SimulatePipelineAction.java b/server/src/main/java/org/elasticsearch/action/ingest/SimulatePipelineAction.java
index 3e76c96834c8a..51b19e1ee6ee5 100644
--- a/server/src/main/java/org/elasticsearch/action/ingest/SimulatePipelineAction.java
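Review bot: Moving `NAME` from `cluster:admin/ingest/pipeline/get` to `cluster:monitor/ingest/pipeline/get` grants pipeline reads to more than the new `read_ingest_pipelines` privilege: if the built-in `monitor` cluster privilege is a `cluster:monitor/*` wildcard, as its name suggests (its pattern is not in this patch), every role that already holds `monitor` silently gains the ability to fetch full pipeline definitions, which may embed hostnames, script source or similar that an operator did not intend to expose to monitoring-only users. The commit description should state this widening, and a comment on the constant would stop the next reader from assuming it is a cosmetic rename: `// Under cluster:monitor so read_ingest_pipelines (and any monitor-wildcard privilege) can read pipelines; manage_ingest_pipelines must keep matching this prefix.` If the action name is also the transport handler name used when forwarding to the master, an older master in a mixed-version cluster will not recognise the new name during a rolling upgrade, which is worth confirming in a BWC test. The class body continues past the hunk.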
+++ b/server/src/main/java/org/elasticsearch/action/ingest/SimulatePipelineAction.java
@@ -24,7 +24,7 @@ public class SimulatePipelineAction extends ActionType {
public static final SimulatePipelineAction INSTANCE = new SimulatePipelineAction();
- public static final String NAME = "cluster:admin/ingest/pipeline/simulate";
+ public static final String NAME = "cluster:monitor/ingest/pipeline/simulate";
public SimulatePipelineAction() {
super(NAME, SimulatePipelineResponse::new);
diff --git a/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc b/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc
index 62815745615bf..3ac95f20bc845 100644
--- a/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc
+++ b/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc
@@ -117,6 +117,7 @@ A successful call returns an object with "cluster" and "index" fields.
"none",
"read",
"read_cross_cluster",
+ "read_ingest_pipelines",
"view_index_metadata",
"write"
]
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
index 4d2b254f3d90d..1433fc4e66313 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
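Review bot: The commit description justifies placing simulate under `cluster:monitor/` by calling it a read-only operation, but as far as I recall the simulate API accepts an inline pipeline definition in the request body and executes its processors, `script` included, against caller-supplied documents, so it is an "execute arbitrary processors" operation rather than a read of cluster state. Granting it through `read_ingest_pipelines`, and presumably through any `cluster:monitor/*` privilege, therefore hands out noticeably more than "check whether a pipeline exists". Either keep this action under `cluster:admin/` and list it explicitly in `READ_INGEST_PIPELINE_PATTERN`, or record the decision above `NAME`: `// monitor-namespaced so read_ingest_pipelines can simulate; NOTE simulate runs caller-supplied processors, it is not a pure read`. The class body continues past the hunk.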
@@ -65,7 +65,9 @@ public class ClusterPrivilegeResolver {
private static final Set TRANSPORT_CLIENT_PATTERN = Set.of("cluster:monitor/nodes/liveness", "cluster:monitor/state");
private static final Set MANAGE_IDX_TEMPLATE_PATTERN = Set.of("indices:admin/template/*", "indices:admin/index_template/*", "cluster:admin/component_template/*");
- private static final Set MANAGE_INGEST_PIPELINE_PATTERN = Set.of("cluster:admin/ingest/pipeline/*");
+ private static final Set MANAGE_INGEST_PIPELINE_PATTERN = Set.of("cluster:admin/ingest/pipeline/*",
+ "cluster:monitor/ingest/pipeline/*");
+ private static final Set READ_INGEST_PIPELINE_PATTERN = Set.of("cluster:monitor/ingest/pipeline/*");
private static final Set MANAGE_ROLLUP_PATTERN = Set.of("cluster:admin/xpack/rollup/*", "cluster:monitor/xpack/rollup/*");
private static final Set MANAGE_CCR_PATTERN = Set.of("cluster:admin/xpack/ccr/*", ClusterStateAction.NAME, HasPrivilegesAction.NAME);
@@ -104,6 +106,8 @@ public class ClusterPrivilegeResolver {
new ActionClusterPrivilege("manage_index_templates", MANAGE_IDX_TEMPLATE_PATTERN);
public static final NamedClusterPrivilege MANAGE_INGEST_PIPELINES = new ActionClusterPrivilege("manage_ingest_pipelines", MANAGE_INGEST_PIPELINE_PATTERN);
+ public static final NamedClusterPrivilege READ_INGEST_PIPELINES =
+ new ActionClusterPrivilege("read_ingest_pipelines", READ_INGEST_PIPELINE_PATTERN);
public static final NamedClusterPrivilege TRANSPORT_CLIENT = new ActionClusterPrivilege("transport_client", TRANSPORT_CLIENT_PATTERN);
public static final NamedClusterPrivilege MANAGE_SECURITY = new ActionClusterPrivilege("manage_security", ALL_SECURITY_PATTERN,
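Review bot: The invariant that `read_ingest_pipelines` is a strict subset of `manage_ingest_pipelines` is only true by coincidence of two literal strings here; `MANAGE_INGEST_PIPELINE_PATTERN` repeats `"cluster:monitor/ingest/pipeline/*"` instead of being derived from `READ_INGEST_PIPELINE_PATTERN`, so the next action rename can leave a manage-holder unable to do what a read-holder can. Declare the read pattern first and build the manage pattern from it, e.g. `private static final Set<String> MANAGE_INGEST_PIPELINE_PATTERN = Set.of("cluster:admin/ingest/pipeline/*", "cluster:monitor/ingest/pipeline/*");` preceded by a comment `// must remain a superset of READ_INGEST_PIPELINE_PATTERN: get/simulate now live under cluster:monitor/`, or better a set union helper if the codebase has one. A privilege test asserting that every action matched by the read pattern is also matched by the manage pattern would pin this. Note also that `cluster:monitor/ingest/pipeline/*` is a wildcard, so any future action registered under that prefix is granted to readers automatically; that is probably intended but deserves the comment.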
@@ -113,7 +117,7 @@ public class ClusterPrivilegeResolver {
public static final NamedClusterPrivilege MANAGE_API_KEY = new ActionClusterPrivilege("manage_api_key", MANAGE_API_KEY_PATTERN);
public static final NamedClusterPrivilege GRANT_API_KEY = new ActionClusterPrivilege("grant_api_key", GRANT_API_KEY_PATTERN);
public static final NamedClusterPrivilege MANAGE_PIPELINE = new ActionClusterPrivilege("manage_pipeline", Set.of("cluster:admin" +
- "/ingest/pipeline/*"));
+ "/ingest/pipeline/*", "cluster:monitor/ingest/pipeline/*"));
public static final NamedClusterPrivilege MANAGE_AUTOSCALING = new ActionClusterPrivilege( "manage_autoscaling", Set.of("cluster:admin/autoscaling/*")
@@ -152,6 +156,7 @@ public class ClusterPrivilegeResolver {
MANAGE_WATCHER,
MANAGE_IDX_TEMPLATES,
MANAGE_INGEST_PIPELINES,
+ READ_INGEST_PIPELINES,
TRANSPORT_CLIENT,
MANAGE_SECURITY,
MANAGE_SAML,
diff --git a/x-pack/plugin/security/qa/operator-privileges-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/operator/Constants.java b/x-pack/plugin/security/qa/operator-privileges-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/operator/Constants.java
index 7a1f63529b1a1..0f431076d1046 100644
--- a/x-pack/plugin/security/qa/operator-privileges-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/operator/Constants.java
+++ b/x-pack/plugin/security/qa/operator-privileges-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/operator/Constants.java
@@ -36,9 +36,7 @@ public class Constants {
"cluster:admin/indices/dangling/import",
"cluster:admin/indices/dangling/list",
"cluster:admin/ingest/pipeline/delete",
- "cluster:admin/ingest/pipeline/get",
"cluster:admin/ingest/pipeline/put",
- "cluster:admin/ingest/pipeline/simulate",
"cluster:admin/ingest/processor/grok/get",
"cluster:admin/logstash/pipeline/delete",
"cluster:admin/logstash/pipeline/get",
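Review bot: `manage_pipeline` keeps its own inline copy of the ingest-pipeline action patterns, which after this hunk is the third place the `cluster:admin` / `cluster:monitor` pair is spelled out, so the legacy alias and `manage_ingest_pipelines` can drift apart the next time an action is renamed even though both are meant to grant the same set. Since the two sets are now identical, reuse the constant: `public static final NamedClusterPrivilege MANAGE_PIPELINE = new ActionClusterPrivilege("manage_pipeline", MANAGE_INGEST_PIPELINE_PATTERN);`. The `"cluster:admin" + "/ingest/pipeline/*"` concatenation of two literals is a line-wrapping artifact that reads as if the prefix were configurable; folding it away with the constant also removes that.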
@@ -213,6 +211,8 @@ public class Constants {
"cluster:monitor/data_frame/get",
"cluster:monitor/data_frame/stats/get",
"cluster:monitor/health",
+ "cluster:monitor/ingest/pipeline/get",
+ "cluster:monitor/ingest/pipeline/simulate",
"cluster:monitor/main",
"cluster:monitor/nodes/hot_threads",
"cluster:monitor/nodes/info",