Change reporting_user role to leverage reserved kibana privileges

legrego · legrego · commit bcb49a5843cc · 2025-08-12T14:47:22.000-04:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -328,18 +328,10 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                     null,
                     new RoleDescriptor.ApplicationResourcePrivileges[] {
                         RoleDescriptor.ApplicationResourcePrivileges.builder()
-                            .application("kibana-.kibana")
+                            .application("kibana-*")
                             .resources("*")
                             .privileges(
-                                "feature_discover.minimal_read",
-                                "feature_discover.generate_report",
-                                "feature_dashboard.minimal_read",
-                                "feature_dashboard.generate_report",
-                                "feature_dashboard.download_csv_report",
-                                "feature_canvas.minimal_read",
-                                "feature_canvas.generate_report",
-                                "feature_visualize.minimal_read",
-                                "feature_visualize.generate_report"
+                                "reserved_reporting_user"
                             )
                             .build() },
                     null,
@@ -353,7 +345,7 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                         + "including generating and downloading reports. "
                         + "This role implicitly grants access to all Kibana reporting features, "
                         + "with each user having access only to their own reports. Note that reporting users should also be assigned "
-                        + "additional roles that grant read access to the indices that will be used to generate reports."
+                        + "additional roles that grant read access to Kibana, and the indices that will be used to generate reports."
                 )
             ),
             entry(KibanaSystemUser.ROLE_NAME, kibanaSystemRoleDescriptor(KibanaSystemUser.ROLE_NAME)),
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -2773,15 +2773,7 @@ public void testReportingUserRole() {
         final String applicationName = "kibana-.kibana";
 
         final Set<String> applicationPrivilegeNames = Set.of(
-            "feature_discover.minimal_read",
-            "feature_discover.generate_report",
-            "feature_dashboard.minimal_read",
-            "feature_dashboard.generate_report",
-            "feature_dashboard.download_csv_report",
-            "feature_canvas.minimal_read",
-            "feature_canvas.generate_report",
-            "feature_visualize.minimal_read",
-            "feature_visualize.generate_report"
+            "reserved_reporting_user"
         );
 
         final Set<String> allowedApplicationActionPatterns = Set.of(
