From f6c78228acd4e07ba7a60dd9ccb64fd5839a180b Mon Sep 17 00:00:00 2001 From: Kevin Logan <56395104+kevinlog@users.noreply.github.com> Date: Tue, 2 Nov 2021 21:37:00 -0400 Subject: [PATCH] [Security Solution] Add proper permissions to fleet server for Endpoint response index (#80238) This PR adds the proper permissions for fleet server to create and write documents to the .logs-endpoint.action.responses-* index. The Security Endpoint, run by the Agent, streams action responses to this index which is used by the Security app to determine if actions are complete, etc. This was initially missed during testing because of using locally running fleet servers that were given superuser permissions, hence bypassing the fleet server user. This PR adds the index to fleet server so that the Endpoint gets the key that it needs to write to the index properly. For more information, see this ticket: elastic/kibana#116715 --- .../en/rest-api/security/get-service-accounts.asciidoc | 3 ++- .../xpack/security/authc/service/ServiceAccountIT.java | 3 ++- .../security/authc/service/ElasticServiceAccounts.java | 9 ++++++++- .../authc/service/ElasticServiceAccountsTests.java | 3 ++- 4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/x-pack/docs/en/rest-api/security/get-service-accounts.asciidoc b/x-pack/docs/en/rest-api/security/get-service-accounts.asciidoc
index d288ab3ea1376..ff308050813af 100644
--- a/x-pack/docs/en/rest-api/security/get-service-accounts.asciidoc
+++ b/x-pack/docs/en/rest-api/security/get-service-accounts.asciidoc
@@ -74,7 +74,8 @@ GET /_security/service/elastic/fleet-server
 "metrics-*",
 "traces-*",
 "synthetics-*",
- ".logs-endpoint.diagnostic.collection-*"
+ ".logs-endpoint.diagnostic.collection-*",
+ ".logs-endpoint.action.responses-*"
 ],
 "privileges": [
 "write",
diff --git a/x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java b/x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java
index 26f686032a209..69f2daf4f066f 100644
--- a/x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java
+++ b/x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java
@@ -90,7 +90,8 @@ public class ServiceAccountIT extends ESRestTestCase {
 + " \"metrics-*\",\n"
 + " \"traces-*\",\n"
 + " \"synthetics-*\",\n"
- + " \".logs-endpoint.diagnostic.collection-*\"\n"
+ + " \".logs-endpoint.diagnostic.collection-*\",\n"
+ + " \".logs-endpoint.action.responses-*\"\n"
 + " ],\n"
 + " \"privileges\": [\n"
 + " \"write\",\n"
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java
index 50b3d2fb82c59..712f131b0d12e 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java
@@ -29,7 +29,14 @@ final class ElasticServiceAccounts {
 new String[] { "monitor", "manage_own_api_key" },
 new RoleDescriptor.IndicesPrivileges[] {
 RoleDescriptor.IndicesPrivileges.builder()
- .indices("logs-*", "metrics-*", "traces-*", "synthetics-*", ".logs-endpoint.diagnostic.collection-*")
+ .indices(
+ "logs-*",
+ "metrics-*",
+ "traces-*",
+ "synthetics-*",
+ ".logs-endpoint.diagnostic.collection-*",
+ ".logs-endpoint.action.responses-*"
+ )
 .privileges("write", "create_index", "auto_configure")
 .build(),
 RoleDescriptor.IndicesPrivileges.builder()
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
index 48e572cd27642..65e68f97fc95f 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
@@ -158,7 +158,8 @@ public void testElasticFleetServerPrivileges() {
 "metrics-" + randomAlphaOfLengthBetween(1, 20),
 "traces-" + randomAlphaOfLengthBetween(1, 20),
 "synthetics-" + randomAlphaOfLengthBetween(1, 20),
- ".logs-endpoint.diagnostic.collection-" + randomAlphaOfLengthBetween(1, 20)
+ ".logs-endpoint.diagnostic.collection-" + randomAlphaOfLengthBetween(1, 20),
+ ".logs-endpoint.action.responses-" + randomAlphaOfLengthBetween(1, 20)
 ).stream().map(this::mockIndexAbstraction).forEach(index -> {
 assertThat(role.indices().allowedIndicesMatcher(AutoPutMappingAction.NAME).test(index), is(true));
 assertThat(role.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(index), is(true));
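Review bot: The new `.logs-endpoint.action.responses-*` pattern joins the entry that grants `write`, which in Elasticsearch covers update and delete as well as index, so any API key derived from the fleet-server account could rewrite or remove Endpoint action responses rather than only append them. The commit message says the Security app reads this index to decide whether an action completed, so these documents work as a record of what an endpoint did and are worth the narrower grant. If Endpoint only ever appends (not visible from this hunk), a separate `IndicesPrivileges` entry with `.indices(".logs-endpoint.action.responses-*")` and `.privileges("create_doc", "create_index", "auto_configure")` would fit least privilege better. A short comment above the list saying which component writes to each dot-prefixed pattern would also help the next reviewer; the enclosing role descriptor starts and ends outside the hunk.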
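Review bot: The added `.logs-endpoint.action.responses-` name is exercised only by the positive `is(true)` assertions visible in this hunk, so nothing here pins down where the new grant stops. A near-miss case would catch the pattern being widened later, for example asserting `is(false)` for `mockIndexAbstraction(".logs-endpoint.action." + randomAlphaOfLengthBetween(1, 20))` against the same matchers, provided no other entry of the role matches that name. `testElasticFleetServerPrivileges` continues past the hunk and may already hold negative checks; if so, the new pattern's boundary belongs with them.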