Revert elevated permissions

orestisfl · orestisfl · commit cc2a94802a84 · 2024-12-23T13:46:20.000+01:00
diff --git a/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java b/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java
@@ -57,7 +57,6 @@ public abstract class DotPrefixValidator<RequestType> implements MappedActionFil
      * to use an internal origin for the client. These are shorter-term
      * workarounds until that work can be completed.
      *
-     * .agentless-* is used by stateful agentless integrations
      * .elastic-connectors-* is used by enterprise search
      * .ml-* is used by ML
      * .slo-observability-* is used by Observability
@@ -71,7 +70,6 @@ public abstract class DotPrefixValidator<RequestType> implements MappedActionFil
     public static Setting<List<String>> IGNORED_INDEX_PATTERNS_SETTING = Setting.stringListSetting(
         "cluster.indices.validate_ignored_dot_patterns",
         List.of(
-            "\\.agentless-.+",
             "\\.ml-state-\\d+",
             "\\.slo-observability\\.sli-v\\d+.*",
             "\\.slo-observability\\.summary-v\\d+.*",
diff --git a/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java b/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java
@@ -67,7 +67,6 @@ public void testValidation() {
 
         // Test ignored patterns
         nonOpV.validateIndices(Set.of(".ml-state-21309"));
-        nonOpV.validateIndices(Set.of(".agentless-state-httpjson-okta.system-384301a9-f0e7-4f76-9656-f5a9330932e7"));
         nonOpV.validateIndices(Set.of(">.ml-state-21309>"));
         nonOpV.validateIndices(Set.of(".slo-observability.sli-v2"));
         nonOpV.validateIndices(Set.of(".slo-observability.sli-v2.3"));
diff --git a/x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java b/x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java
@@ -319,7 +319,7 @@ public class ServiceAccountIT extends ESRestTestCase {
                 },
                 {
                   "names": [
-                    ".agentless-*"
+                    "agentless-*"
                   ],
                   "privileges": [
                     "read",
@@ -330,7 +330,7 @@ public class ServiceAccountIT extends ESRestTestCase {
                     "maintenance",
                     "view_index_metadata"
                   ],
-                  "allow_restricted_indices": true
+                  "allow_restricted_indices": false
                 }
               ],
               "applications": [        {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java
@@ -169,9 +169,9 @@ final class ElasticServiceAccounts {
                     .build(),
                 // Custom permissions required for stateful agentless integrations
                 RoleDescriptor.IndicesPrivileges.builder()
-                    .indices(".agentless-*")
+                    .indices("agentless-*")
                     .privileges("read", "write", "monitor", "create_index", "auto_configure", "maintenance", "view_index_metadata")
-                    .allowRestrictedIndices(true)
+                    .allowRestrictedIndices(false)
                     .build(), },
             new RoleDescriptor.ApplicationResourcePrivileges[] {
                 RoleDescriptor.ApplicationResourcePrivileges.builder()
