[Cloud Security Posture] fix ilm deletion step error permissions (#128634)

Omolola-Akinleye · elasticsearchmachine · web-flow · commit ded666ec664d · 2025-06-24T02:56:13.000+10:00
* fix ilm deletion step policy

* [CI] Auto commit changes from spotless

---------

Co-authored-by: elasticsearchmachine &lt;infra-root+elasticsearchmachine@elastic.co&gt;
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -473,6 +473,9 @@ static RoleDescriptor kibanaSystem(String name) {
                         "read",
                         "index",
                         "delete",
+
+                        // Require "delete_index" to perform ILM policy actions
+                        TransportDeleteIndexAction.TYPE.name(),
                         "manage",
                         TransportIndicesAliasesAction.NAME,
                         TransportUpdateSettingsAction.TYPE.name()
@@ -487,6 +490,8 @@ static RoleDescriptor kibanaSystem(String name) {
                         "read",
                         "index",
                         "delete",
+                        // Require "delete_index" to perform ILM policy actions
+                        TransportDeleteIndexAction.TYPE.name(),
                         TransportIndicesAliasesAction.NAME,
                         TransportUpdateSettingsAction.TYPE.name(),
                         TransportAutoPutMappingAction.TYPE.name()
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1740,6 +1740,7 @@ public void testKibanaSystemRole() {
                 kibanaRole.indices().allowedIndicesMatcher(TransportUpdateSettingsAction.TYPE.name()).test(indexAbstraction),
                 is(true)
             );
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportDeleteIndexAction.TYPE.name()).test(indexAbstraction), is(true));
 
             // Implied by the overall view_index_metadata and monitor privilege
             assertViewIndexMetadata(kibanaRole, indexName);
