Adding "read ingest pipeline" cluster privilege

Resolving bwc, renaming the action

Resolve elastic#48028

server/src/main/java/org/elasticsearch/action/ingest/GetPipelineAction.java

@@ -24,7 +24,7 @@
 public class GetPipelineAction extends ActionType<GetPipelineResponse> {
 
     public static final GetPipelineAction INSTANCE = new GetPipelineAction();
-    public static final String NAME = "cluster:monitor/ingest/pipeline/get";
+    public static final String NAME = "cluster:admin/ingest/pipeline/get";
 
     public GetPipelineAction() {
         super(NAME, GetPipelineResponse::new);

server/src/main/java/org/elasticsearch/action/ingest/SimulatePipelineAction.java

@@ -24,7 +24,7 @@
 public class SimulatePipelineAction extends ActionType<SimulatePipelineResponse> {
 
     public static final SimulatePipelineAction INSTANCE = new SimulatePipelineAction();
-    public static final String NAME = "cluster:monitor/ingest/pipeline/simulate";
+    public static final String NAME = "cluster:admin/ingest/pipeline/simulate";
 
     public SimulatePipelineAction() {
         super(NAME, SimulatePipelineResponse::new);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java

@@ -15,6 +15,8 @@
 import org.elasticsearch.action.admin.cluster.snapshots.get.GetSnapshotsAction;
 import org.elasticsearch.action.admin.cluster.snapshots.status.SnapshotsStatusAction;
 import org.elasticsearch.action.admin.cluster.state.ClusterStateAction;
+import org.elasticsearch.action.ingest.GetPipelineAction;
+import org.elasticsearch.action.ingest.SimulatePipelineAction;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.xpack.core.ilm.action.GetLifecycleAction;
 import org.elasticsearch.xpack.core.ilm.action.GetStatusAction;
@@ -65,9 +67,8 @@ public class ClusterPrivilegeResolver {
     private static final Set<String> TRANSPORT_CLIENT_PATTERN = Set.of("cluster:monitor/nodes/liveness", "cluster:monitor/state");
     private static final Set<String> MANAGE_IDX_TEMPLATE_PATTERN = Set.of("indices:admin/template/*", "indices:admin/index_template/*",
         "cluster:admin/component_template/*");
-    private static final Set<String> MANAGE_INGEST_PIPELINE_PATTERN = Set.of("cluster:admin/ingest/pipeline/*",
-        "cluster:monitor/ingest/pipeline/*");
-    private static final Set<String> READ_INGEST_PIPELINE_PATTERN = Set.of("cluster:monitor/ingest/pipeline/*");
+    private static final Set<String> MANAGE_INGEST_PIPELINE_PATTERN = Set.of("cluster:admin/ingest/pipeline/*");
+    private static final Set<String> READ_INGEST_PIPELINE_PATTERN = Set.of(GetPipelineAction.NAME, SimulatePipelineAction.NAME);
     private static final Set<String> MANAGE_ROLLUP_PATTERN = Set.of("cluster:admin/xpack/rollup/*", "cluster:monitor/xpack/rollup/*");
     private static final Set<String> MANAGE_CCR_PATTERN =
         Set.of("cluster:admin/xpack/ccr/*", ClusterStateAction.NAME, HasPrivilegesAction.NAME);
@@ -117,7 +118,7 @@ public class ClusterPrivilegeResolver {
     public static final NamedClusterPrivilege MANAGE_API_KEY = new ActionClusterPrivilege("manage_api_key", MANAGE_API_KEY_PATTERN);
     public static final NamedClusterPrivilege GRANT_API_KEY = new ActionClusterPrivilege("grant_api_key", GRANT_API_KEY_PATTERN);
     public static final NamedClusterPrivilege MANAGE_PIPELINE = new ActionClusterPrivilege("manage_pipeline", Set.of("cluster:admin" +
-        "/ingest/pipeline/*", "cluster:monitor/ingest/pipeline/*"));
+        "/ingest/pipeline/*"));
     public static final NamedClusterPrivilege MANAGE_AUTOSCALING = new ActionClusterPrivilege(
         "manage_autoscaling",
         Set.of("cluster:admin/autoscaling/*")

x-pack/plugin/ml/qa/ml-with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/MlWithSecurityUserRoleIT.java

@@ -56,8 +56,7 @@ public void test() throws IOException {
             assertThat(ae.getMessage(),
                 either(containsString("action [cluster:monitor/xpack/ml"))
                     .or(containsString("action [cluster:admin/xpack/ml"))
-                    .or(containsString("action [cluster:admin/ingest"))
-                    .or(containsString("action [cluster:monitor/ingest")));
+                    .or(containsString("action [cluster:admin/ingest")));
             assertThat(ae.getMessage(), containsString("returned [403 Forbidden]"));
             assertThat(ae.getMessage(), containsString("is unauthorized for user [ml_user]"));
         }

x-pack/plugin/security/qa/operator-privileges-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/operator/Constants.java

@@ -36,7 +36,9 @@ public class Constants {
         "cluster:admin/indices/dangling/import",
         "cluster:admin/indices/dangling/list",
         "cluster:admin/ingest/pipeline/delete",
+        "cluster:admin/ingest/pipeline/get",
         "cluster:admin/ingest/pipeline/put",
+        "cluster:admin/ingest/pipeline/simulate",
         "cluster:admin/ingest/processor/grok/get",
         "cluster:admin/logstash/pipeline/delete",
         "cluster:admin/logstash/pipeline/get",
@@ -211,8 +213,6 @@ public class Constants {
         "cluster:monitor/data_frame/get",
         "cluster:monitor/data_frame/stats/get",
         "cluster:monitor/health",
-        "cluster:monitor/ingest/pipeline/get",
-        "cluster:monitor/ingest/pipeline/simulate",
         "cluster:monitor/main",
         "cluster:monitor/nodes/hot_threads",
         "cluster:monitor/nodes/info",

x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml

@@ -15,5 +15,5 @@ setup:
   # This is fragile - it needs to be updated every time we add a new cluster/index privilege
   # I would much prefer we could just check that specific entries are in the array, but we don't have
   # an assertion for that
-  - length: { "cluster" : 38 }
+  - length: { "cluster" : 37 }
   - length: { "index" : 19 }