Merge branch '9.1' into backport/9.1/pr-132762

benchaplin · web-flow · commit 597b39655d64 · 2025-08-18T14:55:58.000-04:00
diff --git a/docs/changelog/132766.yaml b/docs/changelog/132766.yaml
@@ -0,0 +1,10 @@
+pr: 132766
+summary: Change `reporting_user` role to leverage reserved kibana privileges
+area: Authorization
+type: deprecation
+issues: []
+deprecation:
+  title: Deprecate the built-in `reporting_user` role.
+  area: Authorization
+  details: The `reporting_user` role is deprecated. Administrators should manage access to Kibana's reporting features via custom roles which grant the necessary privileges.
+  impact: This role will be removed in a future version. Administrators should migrate to custom roles to avoid interruption.
diff --git a/server/src/main/java/org/elasticsearch/TransportVersions.java b/server/src/main/java/org/elasticsearch/TransportVersions.java
@@ -132,7 +132,6 @@ static TransportVersion def(int id) {
     public static final TransportVersion ESQL_SKIP_ES_INDEX_SERIALIZATION = def(8_827_0_00);
     public static final TransportVersion ADD_INDEX_BLOCK_TWO_PHASE = def(8_828_0_00);
     public static final TransportVersion RESOLVE_CLUSTER_NO_INDEX_EXPRESSION = def(8_829_0_00);
-    public static final TransportVersion ML_ROLLOVER_LEGACY_INDICES = def(8_830_0_00);
     public static final TransportVersion ADD_INCLUDE_FAILURE_INDICES_OPTION = def(8_831_0_00);
     public static final TransportVersion ESQL_RESPONSE_PARTIAL = def(8_832_0_00);
     public static final TransportVersion RANK_DOC_OPTIONAL_METADATA_FOR_EXPLAIN = def(8_833_0_00);
diff --git a/server/src/main/resources/transport/definitions/named/ml_rollover_legacy_indices.csv b/server/src/main/resources/transport/definitions/named/ml_rollover_legacy_indices.csv
@@ -0,0 +1 @@
+8830000
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -324,23 +324,13 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                     null,
                     new RoleDescriptor.ApplicationResourcePrivileges[] {
                         RoleDescriptor.ApplicationResourcePrivileges.builder()
-                            .application("kibana-.kibana")
+                            .application("kibana-*")
                             .resources("*")
-                            .privileges(
-                                "feature_discover.minimal_read",
-                                "feature_discover.generate_report",
-                                "feature_dashboard.minimal_read",
-                                "feature_dashboard.generate_report",
-                                "feature_dashboard.download_csv_report",
-                                "feature_canvas.minimal_read",
-                                "feature_canvas.generate_report",
-                                "feature_visualize.minimal_read",
-                                "feature_visualize.generate_report"
-                            )
+                            .privileges("reserved_reporting_user")
                             .build() },
                     null,
                     null,
-                    MetadataUtils.DEFAULT_RESERVED_METADATA,
+                    MetadataUtils.getDeprecatedReservedMetadata("Please grant access via Kibana privileges instead."),
                     null,
                     null,
                     null,
@@ -349,7 +339,7 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                         + "including generating and downloading reports. "
                         + "This role implicitly grants access to all Kibana reporting features, "
                         + "with each user having access only to their own reports. Note that reporting users should also be assigned "
-                        + "additional roles that grant read access to the indices that will be used to generate reports."
+                        + "additional roles that grant read access to Kibana, and the indices that will be used to generate reports."
                 )
             ),
             entry(KibanaSystemUser.ROLE_NAME, kibanaSystemRoleDescriptor(KibanaSystemUser.ROLE_NAME)),
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -2762,20 +2762,11 @@ public void testReportingUserRole() {
         RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("reporting_user");
         assertNotNull(roleDescriptor);
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
+        assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true));
 
         final String applicationName = "kibana-.kibana";
 
-        final Set<String> applicationPrivilegeNames = Set.of(
-            "feature_discover.minimal_read",
-            "feature_discover.generate_report",
-            "feature_dashboard.minimal_read",
-            "feature_dashboard.generate_report",
-            "feature_dashboard.download_csv_report",
-            "feature_canvas.minimal_read",
-            "feature_canvas.generate_report",
-            "feature_visualize.minimal_read",
-            "feature_visualize.generate_report"
-        );
+        final Set<String> applicationPrivilegeNames = Set.of("reserved_reporting_user");
 
         final Set<String> allowedApplicationActionPatterns = Set.of(
             "login:",
diff --git a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MlAnomaliesIndexUpdate.java b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MlAnomaliesIndexUpdate.java
@@ -11,7 +11,6 @@
 import org.elasticsearch.ElasticsearchStatusException;
 import org.elasticsearch.ResourceAlreadyExistsException;
 import org.elasticsearch.TransportVersion;
-import org.elasticsearch.TransportVersions;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
 import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequestBuilder;
@@ -53,6 +52,8 @@ public class MlAnomaliesIndexUpdate implements MlAutoUpdateService.UpdateAction
 
     private static final Logger logger = LogManager.getLogger(MlAnomaliesIndexUpdate.class);
 
+    private static final TransportVersion ML_ROLLOVER_LEGACY_INDICES = TransportVersion.fromName("ml_rollover_legacy_indices");
+
     private final IndexNameExpressionResolver expressionResolver;
     private final OriginSettingClient client;
 
@@ -65,7 +66,7 @@ public MlAnomaliesIndexUpdate(IndexNameExpressionResolver expressionResolver, Cl
     public boolean isMinTransportVersionSupported(TransportVersion minTransportVersion) {
         // Automatic rollover does not require any new features
         // but wait for all nodes to be upgraded anyway
-        return minTransportVersion.onOrAfter(TransportVersions.ML_ROLLOVER_LEGACY_INDICES);
+        return minTransportVersion.supports(ML_ROLLOVER_LEGACY_INDICES);
     }
 
     @Override
diff --git a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MlIndexRollover.java b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MlIndexRollover.java
@@ -10,7 +10,6 @@
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ElasticsearchStatusException;
 import org.elasticsearch.TransportVersion;
-import org.elasticsearch.TransportVersions;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.admin.indices.rollover.RolloverRequest;
 import org.elasticsearch.action.support.IndicesOptions;
@@ -44,6 +43,8 @@ public class MlIndexRollover implements MlAutoUpdateService.UpdateAction {
 
     private static final Logger logger = LogManager.getLogger(MlIndexRollover.class);
 
+    private static final TransportVersion ML_ROLLOVER_LEGACY_INDICES = TransportVersion.fromName("ml_rollover_legacy_indices");
+
     public record IndexPatternAndAlias(String indexPattern, String alias) {}
 
     private final IndexNameExpressionResolver expressionResolver;
@@ -60,7 +61,7 @@ public MlIndexRollover(List<IndexPatternAndAlias> indicesToRollover, IndexNameEx
     public boolean isMinTransportVersionSupported(TransportVersion minTransportVersion) {
         // Wait for all nodes to be upgraded to ensure that the
         // newly created index will be of the latest version.
-        return minTransportVersion.onOrAfter(TransportVersions.ML_ROLLOVER_LEGACY_INDICES);
+        return minTransportVersion.supports(ML_ROLLOVER_LEGACY_INDICES);
     }
 
     @Override
