Add permissions to kibana_system for TI package transforms to support IOC expiration (#94506)

* Add permissions to kibana_system for TI package transforms to support IOC expiration

* Update perm; add tests and changelog

* Apply checks

* update test

* Add perm for ILM policy on source

* Address PR comment

* Update test comments

* retrigger

* Update patterns and add comments

* Remove dot prefix

Author: kcreddy

docs/changelog/94506.yaml

@@ -0,0 +1,6 @@
+pr: 94506
+summary: Add permissions to kibana_system for TI package transforms to support IOC expiration
+area: Authorization
+type: enhancement
+issues:
+  - 94505

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -864,6 +864,32 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
                     )
                     .privileges("create_index", "delete_index", "read", "index", IndicesAliasesAction.NAME, UpdateSettingsAction.NAME)
                     .build(),
+                // For destination indices of the Threat Intel (ti_*) packages that ships a transform for supporting IOC expiration
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices("logs-ti_*_latest.*")
+                    .privileges(
+                        // Require "create_index", "delete_index", "read", "index", "delete", IndicesAliasesAction.NAME, and
+                        // UpdateSettingsAction.NAME for transform
+                        "create_index",
+                        "delete_index",
+                        "read",
+                        "index",
+                        "delete",
+                        IndicesAliasesAction.NAME,
+                        UpdateSettingsAction.NAME
+                    )
+                    .build(),
+                // For source indices of the Threat Intel (ti_*) packages that ships a transform for supporting IOC expiration
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices("logs-ti_*.*-*")
+                    .privileges(
+                        // Require "delete_index" to perform ILM policy actions
+                        DeleteIndexAction.NAME,
+                        // Require "read" and "view_index_metadata" for transform
+                        "read",
+                        "view_index_metadata"
+                    )
+                    .build(),
                 // For src/dest indices of the example transform package
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("kibana_sample_data_*")

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -1047,6 +1047,65 @@ public void testKibanaSystemRole() {
             assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(false));
         });
 
+        // Test allow permissions on Threat Intel (ti*) dest indices created by latest transform : "create_index", "delete_index", "read",
+        // "index", "delete", IndicesAliasesAction.NAME, UpdateSettingsAction.NAME
+        Arrays.asList("logs-ti_recordedfuture_latest.threat", "logs-ti_anomali_latest.threatstream").forEach(indexName -> {
+            final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
+            // Allow search and indexing
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(BulkAction.NAME).test(indexAbstraction), is(true));
+            // Allow create and delete index, modifying aliases, and updating index settings
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAliasesAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(IndicesAliasesAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
+
+            // Allow deleting documents
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(indexAbstraction), is(true));
+
+            // Implied by the overall view_index_metadata and monitor privilege
+            assertViewIndexMetadata(kibanaRole, indexName);
+            assertThat(
+                kibanaRole.indices().allowedIndicesMatcher("indices:monitor/" + randomAlphaOfLengthBetween(3, 8)).test(indexAbstraction),
+                is(true)
+            );
+        });
+
+        // Test allow permissions on Threat Intel (ti*) source indices required by latest transform : "read", "view_index_metadata",
+        // IndicesAliasesAction.NAME, PutMappingAction.NAME, UpdateSettingsAction.NAME, "delete_index"
+        Arrays.asList(
+            "logs-ti_recordedfuture.threat-default",
+            "logs-ti_anomali.threatstream-default",
+            "logs-ti_recordedfuture.threat-default" + randomAlphaOfLength(randomIntBetween(0, 13)),
+            "logs-ti_anomali.threatstream-default" + randomAlphaOfLength(randomIntBetween(0, 13))
+        ).forEach(indexName -> {
+            final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
+            // Allow read-only
+            assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(indexAbstraction), is(false));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(indexAbstraction), is(false));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(indexAbstraction), is(false));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(indexAbstraction), is(false));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(PutMappingAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(GetAction.NAME).test(indexAbstraction), is(true));
+
+            // Implied by the overall view_index_metadata and monitor privilege
+            assertViewIndexMetadata(kibanaRole, indexName);
+            assertThat(
+                kibanaRole.indices().allowedIndicesMatcher("indices:monitor/" + randomAlphaOfLengthBetween(3, 8)).test(indexAbstraction),
+                is(true)
+            );
+        });
+
         Arrays.asList(
             ".logs-osquery_manager.actions-" + randomAlphaOfLength(randomIntBetween(0, 13)),
             ".logs-osquery_manager.action.responses-" + randomAlphaOfLength(randomIntBetween(0, 13))