Change reporting_user role to leverage reserved kibana privileges (#132766)

legrego · elasticsearchmachine · web-flow · commit f62721057e4f · 2025-08-18T17:48:06.000+02:00
* Change reporting_user role to leverage reserved kibana privileges

* [CI] Auto commit changes from spotless

* Mark reporting_user role as deprecated

* Update docs/changelog/132766.yaml

* Update release notes

---------

Co-authored-by: elasticsearchmachine &lt;infra-root+elasticsearchmachine@elastic.co&gt;
diff --git a/docs/changelog/132766.yaml b/docs/changelog/132766.yaml
@@ -0,0 +1,10 @@
+pr: 132766
+summary: Change `reporting_user` role to leverage reserved kibana privileges
+area: Authorization
+type: deprecation
+issues: []
+deprecation:
+  title: Deprecate the built-in `reporting_user` role.
+  area: Authorization
+  details: The `reporting_user` role is deprecated. Administrators should manage access to Kibana's reporting features via custom roles which grant the necessary privileges.
+  impact: This role will be removed in a future version. Administrators should migrate to custom roles to avoid interruption.
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -328,23 +328,13 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                     null,
                     new RoleDescriptor.ApplicationResourcePrivileges[] {
                         RoleDescriptor.ApplicationResourcePrivileges.builder()
-                            .application("kibana-.kibana")
+                            .application("kibana-*")
                             .resources("*")
-                            .privileges(
-                                "feature_discover.minimal_read",
-                                "feature_discover.generate_report",
-                                "feature_dashboard.minimal_read",
-                                "feature_dashboard.generate_report",
-                                "feature_dashboard.download_csv_report",
-                                "feature_canvas.minimal_read",
-                                "feature_canvas.generate_report",
-                                "feature_visualize.minimal_read",
-                                "feature_visualize.generate_report"
-                            )
+                            .privileges("reserved_reporting_user")
                             .build() },
                     null,
                     null,
-                    MetadataUtils.DEFAULT_RESERVED_METADATA,
+                    MetadataUtils.getDeprecatedReservedMetadata("Please grant access via Kibana privileges instead."),
                     null,
                     null,
                     null,
@@ -353,7 +343,7 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                         + "including generating and downloading reports. "
                         + "This role implicitly grants access to all Kibana reporting features, "
                         + "with each user having access only to their own reports. Note that reporting users should also be assigned "
-                        + "additional roles that grant read access to the indices that will be used to generate reports."
+                        + "additional roles that grant read access to Kibana, and the indices that will be used to generate reports."
                 )
             ),
             entry(KibanaSystemUser.ROLE_NAME, kibanaSystemRoleDescriptor(KibanaSystemUser.ROLE_NAME)),
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -2769,20 +2769,11 @@ public void testReportingUserRole() {
         RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("reporting_user");
         assertNotNull(roleDescriptor);
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
+        assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true));
 
         final String applicationName = "kibana-.kibana";
 
-        final Set<String> applicationPrivilegeNames = Set.of(
-            "feature_discover.minimal_read",
-            "feature_discover.generate_report",
-            "feature_dashboard.minimal_read",
-            "feature_dashboard.generate_report",
-            "feature_dashboard.download_csv_report",
-            "feature_canvas.minimal_read",
-            "feature_canvas.generate_report",
-            "feature_visualize.minimal_read",
-            "feature_visualize.generate_report"
-        );
+        final Set<String> applicationPrivilegeNames = Set.of("reserved_reporting_user");
 
         final Set<String> allowedApplicationActionPatterns = Set.of(
             "login:",
