
Add Application privileges for ML to apm_user #72260

Closed
sorenlouv opened this issue Jul 17, 2020 · 4 comments · Fixed by #72266
Labels: blocker, :ml, regression, Team:APM (All issues that need APM UI Team support), Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!), v7.9.0

Comments

@sorenlouv (Member)

APM has an integration with ML. In 7.8 and earlier this worked out of the box for users with the apm_user role because it was granted read access to .ml-anomalies*:

https://github.com/elastic/elasticsearch/blob/ea39a471a7a33eaaef667009d5c0c2b59b5c93d4/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java#L178-L186

In 7.9 it is no longer recommended to read directly from the .ml-anomalies* index, and to retrieve ML data APM now uses the ML client, which handles the ES querying with an internal user.

To keep the out-of-the-box experience great, we should make sure that users with apm_user role can still read ML jobs and anomalies.

Afaict we need to apply application privileges to ML, in this case "read" access. This can be done via the Security UI in Kibana:

How can this be added to the apm_user role by default?

Would it be something like this?

.put("apm_user", new RoleDescriptor("apm_user", null,
    new RoleDescriptor.IndicesPrivileges[] {
        // APM index privileges
        RoleDescriptor.IndicesPrivileges.builder().indices("apm-*")
            .privileges("read", "view_index_metadata").build(),

        // ML anomalies index privileges
        RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*")
            .privileges("read", "view_index_metadata").build(),

        // Annotations index privileges
        RoleDescriptor.IndicesPrivileges.builder().indices("observability-annotations")
            .privileges("read", "view_index_metadata").build()
    },

    // ML application privileges (Kibana reserved privilege, granted on all resources)
    new RoleDescriptor.ApplicationResourcePrivileges[] {
        RoleDescriptor.ApplicationResourcePrivileges.builder()
            .application("kibana-*").resources("*").privileges("reserved_ml_user").build()
    },
    null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null))
@legrego legrego transferred this issue from elastic/elasticsearch Jul 17, 2020

legrego commented Jul 17, 2020

Thanks for opening this @sqren. I think we'll need changes to both Kibana and ES to support this, but I don't think it'll be too difficult.

I think we'll want to introduce a new reserved privilege for the apm_user role. Perhaps reserved_ml_apm_user. We can't use the existing reserved_ml_user privilege because that grants more access than what you previously had (including access to the ML app itself).

Tasks

  • Introduce new reserved privilege (Kibana, security team)
  • Update nav link authorization model so nav links aren't automatically granted for all users of a feature (Kibana, security team)
  • Update apm_user role to take advantage of this new reserved privilege (ES, security team)
  • Add functional tests for APM to prevent future regressions (Kibana, APM Team)
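
A regression check of the kind the last task describes, as an added example that is not code from the Kibana or Elasticsearch projects: it takes an apm_user role descriptor in the shape the Elasticsearch GET _security/role API returns it (the sample JSON below is constructed; reserved_ml_apm_user is the privilege name proposed above) and flags any grant beyond read-only index access and that single narrow Kibana reserved privilege.

```python
import json

# Constructed sample (hypothetical, not taken from the linked PR): the apm_user role in
# the shape the Elasticsearch GET _security/role API returns it, after the proposed fix.
SAMPLE_ROLES_JSON = json.dumps({"apm_user": {
    "cluster": [],
    "indices": [
        {"names": ["apm-*"], "privileges": ["read", "view_index_metadata"]},
        {"names": [".ml-anomalies*"], "privileges": ["read", "view_index_metadata"]},
        {"names": ["observability-annotations"], "privileges": ["read", "view_index_metadata"]},
    ],
    "applications": [{"application": "kibana-*", "privileges": ["reserved_ml_apm_user"], "resources": ["*"]}],
    "run_as": [],
}})

# Constructed counter-example: the shortcut the thread rejects (reserved_ml_user, which also
# grants the ML app itself) plus a write privilege that no reader role should carry.
SAMPLE_OVERBROAD_JSON = json.dumps({"apm_user": {
    "indices": [{"names": ["apm-*"], "privileges": ["read", "write"]}],
    "applications": [{"application": "kibana-*", "privileges": ["reserved_ml_user"], "resources": ["*"]}],
}})

ALLOWED_INDEX_PRIVS = {"read", "view_index_metadata"}
OVERBROAD_APP_PRIVS = {"reserved_ml_user"}  # broader than APM's ML integration needs


def audit_apm_user(roles_json: str, expected_app_priv: str = "reserved_ml_apm_user") -> list:
    """Return findings for apm_user; an empty list means read-only indices plus exactly the narrow privilege."""
    role = json.loads(roles_json)["apm_user"]
    findings = []
    if role.get("cluster"):
        findings.append(f"unexpected cluster privileges: {role['cluster']}")
    if role.get("run_as"):
        findings.append(f"unexpected run_as grants: {role['run_as']}")
    for entry in role.get("indices", []):
        extra = set(entry["privileges"]) - ALLOWED_INDEX_PRIVS  # anything beyond read-only
        if extra:
            findings.append(f"{entry['names']}: non-read privileges {sorted(extra)}")
    app_privs = set()
    for app in role.get("applications", []):
        if app["application"].startswith("kibana"):  # only Kibana application privileges matter here
            app_privs.update(app["privileges"])
    if expected_app_priv not in app_privs:
        findings.append(f"missing Kibana privilege {expected_app_priv}")
    for priv in sorted(app_privs & OVERBROAD_APP_PRIVS):
        findings.append(f"over-broad Kibana privilege {priv}")
    return findings
```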

@legrego legrego added :ml regression Team:APM All issues that need APM UI Team support Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Jul 17, 2020
@elasticmachine (Contributor)

Pinging @elastic/ml-ui (:ml)

@elasticmachine (Contributor)

Pinging @elastic/kibana-security (Team:Security)

@elasticmachine (Contributor)

Pinging @elastic/apm-ui (Team:apm)
