Deprecating data_frame_transforms roles (#117519)

* Deprecating data_frame_transforms roles

* Update docs/changelog/117519.yaml

* Update changelog

* Removing deprecation warning

* Cleaning up unused role retrieval function

* Update docs/changelog/117519.yaml

* Update changelog with breaking change details

* Revert ClusterPrivilegeResolver

* Remove Deprecated Transform Role permissions

* Update docs/changelog/117519.yaml

Co-authored-by: Nikolaj Volgushev <[email protected]>

* Revert "Remove Deprecated Transform Role permissions"

This reverts commit 4599256.

* Revert docs, update changelog

* Revert privilege tests

---------

Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: Nikolaj Volgushev <[email protected]>
Co-authored-by: Pat Whelan <[email protected]>

Author: 4 people

docs/changelog/117519.yaml

@@ -0,0 +1,20 @@
+pr: 117519
+summary: Remove `data_frame_transforms` roles
+area: Transform
+type: breaking
+issues: []
+breaking:
+  title: Remove `data_frame_transforms` roles
+  area: Transform
+  details: >-
+    `data_frame_transforms_admin` and `data_frame_transforms_user` were deprecated in
+    Elasticsearch 7 and are being removed in Elasticsearch 9.
+    `data_frame_transforms_admin` is now `transform_admin`.
+    `data_frame_transforms_user` is now `transform_user`.
+    Users must call the `_update` API to replace the permissions on the Transform before the
+    Transform can be started.
+  impact: >-
+    Transforms created with either the `data_frame_transforms_admin` or the
+    `data_frame_transforms_user` role will fail to start. The Transform will remain
+    in a `stopped` state, and its health will be red while displaying permission failures.
+  notable: false

docs/reference/security/authorization/built-in-roles.asciidoc

@@ -33,18 +33,6 @@ suitable for writing beats output to {es}.
 
 --
 
-[[built-in-roles-data-frame-transforms-admin]] `data_frame_transforms_admin` ::
-Grants `manage_data_frame_transforms` cluster privileges, which enable you to
-manage {transforms}. This role also includes all
-{kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}.
-deprecated:[7.5.0,"Replaced by <<built-in-roles-transform-admin,`transform_admin`>>"].
-
-[[built-in-roles-data-frame-transforms-user]] `data_frame_transforms_user` ::
-Grants `monitor_data_frame_transforms` cluster privileges, which enable you to
-use {transforms}. This role also includes all
-{kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}.
-deprecated:[7.5.0,"Replaced by <<built-in-roles-transform-user,`transform_user`>>"].
-
 [[built-in-roles-editor]] `editor` ::
 
 Grants full access to all features in {kib} (including Solutions) and read-only access to data indices.

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -539,70 +539,6 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                         + "and roles that grant access to Kibana."
                 )
             ),
-            // DEPRECATED: to be removed in 9.0.0
-            entry(
-                "data_frame_transforms_admin",
-                new RoleDescriptor(
-                    "data_frame_transforms_admin",
-                    new String[] { "manage_data_frame_transforms" },
-                    new RoleDescriptor.IndicesPrivileges[] {
-                        RoleDescriptor.IndicesPrivileges.builder()
-                            .indices(
-                                TransformInternalIndexConstants.AUDIT_INDEX_PATTERN,
-                                TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED,
-                                TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS
-                            )
-                            .privileges("view_index_metadata", "read")
-                            .build() },
-                    new RoleDescriptor.ApplicationResourcePrivileges[] {
-                        RoleDescriptor.ApplicationResourcePrivileges.builder()
-                            .application("kibana-*")
-                            .resources("*")
-                            .privileges("reserved_ml_user")
-                            .build() },
-                    null,
-                    null,
-                    MetadataUtils.getDeprecatedReservedMetadata("Please use the [transform_admin] role instead"),
-                    null,
-                    null,
-                    null,
-                    null,
-                    "Grants manage_data_frame_transforms cluster privileges, which enable you to manage transforms. "
-                        + "This role also includes all Kibana privileges for the machine learning features."
-                )
-            ),
-            // DEPRECATED: to be removed in 9.0.0
-            entry(
-                "data_frame_transforms_user",
-                new RoleDescriptor(
-                    "data_frame_transforms_user",
-                    new String[] { "monitor_data_frame_transforms" },
-                    new RoleDescriptor.IndicesPrivileges[] {
-                        RoleDescriptor.IndicesPrivileges.builder()
-                            .indices(
-                                TransformInternalIndexConstants.AUDIT_INDEX_PATTERN,
-                                TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED,
-                                TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS
-                            )
-                            .privileges("view_index_metadata", "read")
-                            .build() },
-                    new RoleDescriptor.ApplicationResourcePrivileges[] {
-                        RoleDescriptor.ApplicationResourcePrivileges.builder()
-                            .application("kibana-*")
-                            .resources("*")
-                            .privileges("reserved_ml_user")
-                            .build() },
-                    null,
-                    null,
-                    MetadataUtils.getDeprecatedReservedMetadata("Please use the [transform_user] role instead"),
-                    null,
-                    null,
-                    null,
-                    null,
-                    "Grants monitor_data_frame_transforms cluster privileges, which enable you to use transforms. "
-                        + "This role also includes all Kibana privileges for the machine learning features. "
-                )
-            ),
             entry(
                 "transform_admin",
                 new RoleDescriptor(

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/TransformDeprecations.java

@@ -27,12 +27,5 @@ public class TransformDeprecations {
 
     public static final String MAX_PAGE_SEARCH_SIZE_BREAKING_CHANGES_URL = "https://ela.st/es-deprecation-7-transform-max-page-search-size";
 
-    public static final String DATA_FRAME_TRANSFORMS_ROLES_BREAKING_CHANGES_URL =
-        "https://ela.st/es-deprecation-9-data-frame-transforms-roles";
-
-    public static final String DATA_FRAME_TRANSFORMS_ROLES_IS_DEPRECATED = "This transform configuration uses one or more obsolete roles "
-        + "prefixed with [data_frame_transformers_] which will be unsupported after the next upgrade. Switch to a user with the equivalent "
-        + "roles prefixed with [transform_] and use [/_transform/_upgrade] to upgrade all transforms to the latest roles.";;
-
     private TransformDeprecations() {}
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/transform/transforms/TransformConfig.java

@@ -24,13 +24,11 @@
 import org.elasticsearch.xcontent.ToXContentObject;
 import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xcontent.XContentParser;
-import org.elasticsearch.xpack.core.ClientHelper;
 import org.elasticsearch.xpack.core.common.time.TimeUtils;
 import org.elasticsearch.xpack.core.common.validation.SourceDestValidator;
 import org.elasticsearch.xpack.core.common.validation.SourceDestValidator.SourceDestValidation;
 import org.elasticsearch.xpack.core.deprecation.DeprecationIssue;
 import org.elasticsearch.xpack.core.deprecation.DeprecationIssue.Level;
-import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
 import org.elasticsearch.xpack.core.security.xcontent.XContentUtils;
 import org.elasticsearch.xpack.core.transform.TransformConfigVersion;
 import org.elasticsearch.xpack.core.transform.TransformDeprecations;
@@ -43,7 +41,6 @@
 import java.io.IOException;
 import java.time.Instant;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
@@ -52,7 +49,6 @@
 
 import static org.elasticsearch.xcontent.ConstructingObjectParser.constructorArg;
 import static org.elasticsearch.xcontent.ConstructingObjectParser.optionalConstructorArg;
-import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.AUTHENTICATION_KEY;
 
 /**
  * This class holds the configuration details of a data frame transform
@@ -69,10 +65,6 @@ public final class TransformConfig implements SimpleDiffable<TransformConfig>, W
     public static final ParseField HEADERS = new ParseField("headers");
     /** Version in which {@code FieldCapabilitiesRequest.runtime_fields} field was introduced. */
     private static final TransportVersion FIELD_CAPS_RUNTIME_MAPPINGS_INTRODUCED_TRANSPORT_VERSION = TransportVersions.V_7_12_0;
-    private static final List<String> DEPRECATED_DATA_FRAME_TRANSFORMS_ROLES = List.of(
-        "data_frame_transforms_admin",
-        "data_frame_transforms_user"
-    );
 
     /** Specifies all the possible transform functions. */
     public enum Function {
@@ -413,37 +405,9 @@ public List<DeprecationIssue> checkForDeprecations(NamedXContentRegistry namedXC
             retentionPolicyConfig.checkForDeprecations(getId(), namedXContentRegistry, deprecations::add);
         }
 
-        var deprecatedTransformRoles = getRolesFromHeaders().stream().filter(DEPRECATED_DATA_FRAME_TRANSFORMS_ROLES::contains).toList();
-        if (deprecatedTransformRoles.isEmpty() == false) {
-            deprecations.add(
-                new DeprecationIssue(
-                    Level.CRITICAL,
-                    "Transform [" + id + "] uses deprecated transform roles " + deprecatedTransformRoles,
-                    TransformDeprecations.DATA_FRAME_TRANSFORMS_ROLES_BREAKING_CHANGES_URL,
-                    TransformDeprecations.DATA_FRAME_TRANSFORMS_ROLES_IS_DEPRECATED,
-                    false,
-                    null
-                )
-            );
-        }
-
         return deprecations;
     }
 
-    private List<String> getRolesFromHeaders() throws IOException {
-        if (headers == null) {
-            return Collections.emptyList();
-        }
-
-        var encodedAuthenticationHeader = ClientHelper.filterSecurityHeaders(headers).getOrDefault(AUTHENTICATION_KEY, "");
-        if (encodedAuthenticationHeader.isEmpty()) {
-            return Collections.emptyList();
-        }
-
-        var decodedAuthenticationHeader = AuthenticationContextSerializer.decode(encodedAuthenticationHeader);
-        return Arrays.asList(decodedAuthenticationHeader.getEffectiveSubject().getUser().roles());
-    }
-
     @Override
     public void writeTo(final StreamOutput out) throws IOException {
         out.writeString(id);