From c122c747168b0175c09f68f58fb92c6a81c93bae Mon Sep 17 00:00:00 2001 From: Davis Plumlee <56367316+dplumlee@users.noreply.github.com> Date: Wed, 17 Nov 2021 20:17:07 -0500 Subject: [PATCH] Grants kibana_system reserved role access to .preview.alerts* index (#80746) --- .../xpack/core/security/authz/store/ReservedRolesStore.java | 4 ++++ .../core/security/authz/store/ReservedRolesStoreTests.java | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index b1f65884d5641..1d578fbdc2edd 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -42,6 +42,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene public static final String ALERTS_LEGACY_INDEX = ".siem-signals*"; public static final String ALERTS_BACKING_INDEX = ".internal.alerts*"; public static final String ALERTS_INDEX_ALIAS = ".alerts*"; + public static final String PREVIEW_ALERTS_INDEX_ALIAS = ".preview.alerts*"; public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor( "superuser", @@ -674,6 +675,9 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) { // "Alerts as data" public index aliases used in Security Solution, Observability, etc. // Kibana system user uses them to read / write alerts. RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_INDEX_ALIAS).privileges("all").build(), + // "Alerts as data" public index alias used in Security Solution + // Kibana system user uses them to read / write alerts. + RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS).privileges("all").build(), // Endpoint / Fleet policy responses. Kibana requires read access to send telemetry RoleDescriptor.IndicesPrivileges.builder().indices("metrics-endpoint.policy-*").privileges("read").build(), // Endpoint metrics. Kibana requires read access to send telemetry diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 667e98ef4a035..07057120eb78d 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -472,7 +472,8 @@ public void testKibanaSystemRole() { ".apm-custom-link", ReservedRolesStore.ALERTS_LEGACY_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)), ReservedRolesStore.ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)), - ReservedRolesStore.ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)) + ReservedRolesStore.ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)), + ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)) ).forEach(index -> assertAllIndicesAccessAllowed(kibanaRole, index)); // read-only index access, including cross cluster