[monitoring] update monitoring_user privileges (#94475)

* update monitoring_user privileges

* use regex

* lint

* remote indice privilege

* lint

* order

* lint

* test

* fix test

* add test case

Author: klacabane

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -140,6 +140,10 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                             .indices(".monitoring-*")
                             .privileges("read", "read_cross_cluster")
                             .build(),
+                        RoleDescriptor.IndicesPrivileges.builder()
+                            .indices("/metrics-(beats|elasticsearch|enterprisesearch|kibana|logstash).*/")
+                            .privileges("read", "read_cross_cluster")
+                            .build(),
                         RoleDescriptor.IndicesPrivileges.builder()
                             .indices("metricbeat-*")
                             .privileges("read", "read_cross_cluster")
@@ -157,6 +161,7 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                     TcpTransport.isUntrustedRemoteClusterEnabled()
                         ? new RoleDescriptor.RemoteIndicesPrivileges[] {
                             getRemoteIndicesReadPrivileges(".monitoring-*"),
+                            getRemoteIndicesReadPrivileges("/metrics-(beats|elasticsearch|enterprisesearch|kibana|logstash).*/"),
                             getRemoteIndicesReadPrivileges("metricbeat-*") }
                         : null
                 )

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -1435,6 +1435,18 @@ public void testMonitoringUserRole() {
                 ),
             is(false)
         );
+
+        final String metricsPrefix = "metrics-";
+        assertNoAccessAllowed(monitoringUserRole, metricsPrefix + "system.cpu-default");
+        assertNoAccessAllowed(monitoringUserRole, metricsPrefix + "elastic_agent.filebeat-default");
+
+        assertOnlyReadAllowed(monitoringUserRole, metricsPrefix + "elasticsearch");
+        assertOnlyReadAllowed(monitoringUserRole, metricsPrefix + "elasticsearch.stack_monitoring.cluster_stats-default");
+        assertOnlyReadAllowed(monitoringUserRole, metricsPrefix + "elasticsearch.ingest_pipeline-default");
+        assertOnlyReadAllowed(monitoringUserRole, metricsPrefix + "kibana.stack_monitoring.stats-default");
+        assertOnlyReadAllowed(monitoringUserRole, metricsPrefix + "logstash.stack_monitoring.node_stats-default");
+        assertOnlyReadAllowed(monitoringUserRole, metricsPrefix + "beats.stack_monitoring.stats-default");
+        assertOnlyReadAllowed(monitoringUserRole, metricsPrefix + "enterprisesearch.stack_monitoring.health-default");
     }
 
     public void testRemoteMonitoringAgentRole() {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RBACEngineTests.java

@@ -1879,6 +1879,10 @@ public void testGetRoleDescriptorsForRemoteClusterForReservedRoles() {
                             null,
                             new IndicesPrivileges[] {
                                 IndicesPrivileges.builder().indices(".monitoring-*").privileges("read", "read_cross_cluster").build(),
+                                IndicesPrivileges.builder()
+                                    .indices("/metrics-(beats|elasticsearch|enterprisesearch|kibana|logstash).*/")
+                                    .privileges("read", "read_cross_cluster")
+                                    .build(),
                                 IndicesPrivileges.builder().indices("metricbeat-*").privileges("read", "read_cross_cluster").build() },
                             null,
                             null,