Restrict Connector APIs to manage/monitor_connector privileges (#119863)

* Reapply "Restrict Connector APIs to manage/monitor_connector privileges (#119389)" (#119833)

This reverts commit e0cefb8.

* Update docs/changelog/119863.yaml

* Update docs/changelog/119863.yaml

* Update changelog

* Fix changelog

---------

Co-authored-by: Elastic Machine <[email protected]>

Author: jedrazb

docs/changelog/119863.yaml

@@ -0,0 +1,11 @@
+pr: 119863
+summary: Restrict Connector APIs to manage/monitor_connector privileges
+area: Extract&Transform
+type: breaking
+issues: []
+breaking:
+  title: Restrict Connector APIs to manage/monitor_connector privileges
+  area: REST API
+  details: Connector APIs now enforce the manage_connector and monitor_connector privileges (introduced in 8.15), replacing the previous reliance on index-level permissions for .elastic-connectors and .elastic-connectors-sync-jobs in API calls.
+  impact: Connector APIs now require manage_connector and monitor_connector privileges
+  notable: false

x-pack/plugin/ent-search/qa/rest/roles.yml

@@ -4,13 +4,12 @@ admin:
     - manage_behavioral_analytics
     - manage
     - monitor
+    - manage_connector
   indices:
     - names: [
         # indices and search applications
         "test-*",
         "another-test-search-application",
-        ".elastic-connectors-v1",
-        ".elastic-connectors-sync-jobs-v1"
     ]
       privileges: [ "manage", "write", "read" ]
 
@@ -20,16 +19,15 @@ user:
     - manage_api_key
     - read_connector_secrets
     - write_connector_secrets
+    - monitor_connector
   indices:
     - names: [
       "test-index1",
       "test-search-application",
       "test-search-application-1",
       "test-search-application-with-aggs",
       "test-search-application-with-list",
-      "test-search-application-with-list-invalid",
-      ".elastic-connectors-v1",
-      ".elastic-connectors-sync-jobs-v1"
+      "test-search-application-with-list-invalid"
     ]
       privileges: [ "read" ]
 

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/ConnectorIndexService.java

@@ -9,23 +9,19 @@
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
-import org.elasticsearch.action.IndicesRequest;
-import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.cluster.metadata.MetadataCreateIndexService;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.indices.InvalidIndexNameException;
-import org.elasticsearch.xpack.application.connector.ConnectorTemplateRegistry;
 
 import java.io.IOException;
 
 import static org.elasticsearch.action.ValidateActions.addValidationError;
 import static org.elasticsearch.xpack.application.connector.ConnectorTemplateRegistry.MANAGED_CONNECTOR_INDEX_PREFIX;
 
 /**
- * Abstract base class for action requests targeting the connectors index. Implements {@link org.elasticsearch.action.IndicesRequest}
- * to ensure index-level privilege support. This class defines the connectors index as the target for all derived action requests.
+ * Abstract base class for action requests targeting the connectors index.
  */
-public abstract class ConnectorActionRequest extends ActionRequest implements IndicesRequest {
+public abstract class ConnectorActionRequest extends ActionRequest {
 
     public ConnectorActionRequest() {
         super();
@@ -78,14 +74,4 @@ public ActionRequestValidationException validateManagedConnectorIndexPrefix(
         }
         return validationException;
     }
-
-    @Override
-    public String[] indices() {
-        return new String[] { ConnectorTemplateRegistry.CONNECTOR_INDEX_NAME_PATTERN };
-    }
-
-    @Override
-    public IndicesOptions indicesOptions() {
-        return IndicesOptions.lenientExpandHidden();
-    }
 }

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/ConnectorActionRequest.java

@@ -18,7 +18,6 @@
 import org.elasticsearch.xcontent.ToXContentObject;
 import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xcontent.XContentParser;
-import org.elasticsearch.xpack.application.connector.ConnectorTemplateRegistry;
 
 import java.io.IOException;
 import java.util.Objects;
@@ -28,7 +27,7 @@
 
 public class DeleteConnectorAction {
 
-    public static final String NAME = "indices:data/write/xpack/connector/delete";
+    public static final String NAME = "cluster:admin/xpack/connector/delete";
     public static final ActionType<AcknowledgedResponse> INSTANCE = new ActionType<>(NAME);
 
     private DeleteConnectorAction() {/* no instances */}
@@ -71,14 +70,6 @@ public boolean shouldDeleteSyncJobs() {
             return deleteSyncJobs;
         }
 
-        @Override
-        public String[] indices() {
-            // When deleting a connector, corresponding sync jobs can also be deleted
-            return new String[] {
-                ConnectorTemplateRegistry.CONNECTOR_SYNC_JOBS_INDEX_NAME_PATTERN,
-                ConnectorTemplateRegistry.CONNECTOR_INDEX_NAME_PATTERN };
-        }
-
         @Override
         public void writeTo(StreamOutput out) throws IOException {
             super.writeTo(out);

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/DeleteConnectorAction.java

@@ -30,7 +30,7 @@
 
 public class GetConnectorAction {
 
-    public static final String NAME = "indices:data/read/xpack/connector/get";
+    public static final String NAME = "cluster:admin/xpack/connector/get";
     public static final ActionType<GetConnectorAction.Response> INSTANCE = new ActionType<>(NAME);
 
     private GetConnectorAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/GetConnectorAction.java

@@ -35,7 +35,7 @@
 
 public class ListConnectorAction {
 
-    public static final String NAME = "indices:data/read/xpack/connector/list";
+    public static final String NAME = "cluster:admin/xpack/connector/list";
     public static final ActionType<ListConnectorAction.Response> INSTANCE = new ActionType<>(NAME);
 
     private ListConnectorAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/ListConnectorAction.java

@@ -25,7 +25,7 @@
 
 public class PostConnectorAction {
 
-    public static final String NAME = "indices:data/write/xpack/connector/post";
+    public static final String NAME = "cluster:admin/xpack/connector/post";
     public static final ActionType<ConnectorCreateActionResponse> INSTANCE = new ActionType<>(NAME);
 
     private PostConnectorAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/PostConnectorAction.java

@@ -9,7 +9,6 @@
 
 import org.elasticsearch.action.ActionRequestValidationException;
 import org.elasticsearch.action.ActionType;
-import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
@@ -27,12 +26,12 @@
 
 public class PutConnectorAction {
 
-    public static final String NAME = "indices:data/write/xpack/connector/put";
+    public static final String NAME = "cluster:admin/xpack/connector/put";
     public static final ActionType<ConnectorCreateActionResponse> INSTANCE = new ActionType<>(NAME);
 
     private PutConnectorAction() {/* no instances */}
 
-    public static class Request extends ConnectorActionRequest implements IndicesRequest, ToXContentObject {
+    public static class Request extends ConnectorActionRequest implements ToXContentObject {
 
         @Nullable
         private final String connectorId;

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/PutConnectorAction.java

@@ -22,7 +22,7 @@
 
 public class UpdateConnectorActiveFilteringAction {
 
-    public static final String NAME = "indices:data/write/xpack/connector/update_filtering/activate";
+    public static final String NAME = "cluster:admin/xpack/connector/update_filtering/activate";
     public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
     private UpdateConnectorActiveFilteringAction() {/* no instances */}