Deprecating data_frame_transforms roles

docs/changelog/117519.yaml

@@ -0,0 +1,14 @@
+pr: 117519
+summary: Deprecating `data_frame_transforms` roles
+area: Machine Learning
+type: deprecation
+issues: []
+deprecation:
+  title: Deprecating `data_frame_transforms` roles
+  area: Transform
+  details: >-
+    This change removes the `data_frame_transforms_admin`/`data_frame_transforms_user` roles.
+    These roles have been replaced by the equivalent `transform_admin`/`transform_user` roles.
+  impact: >-
+    Usage of the `data_frame_transforms_admin`/`data_frame_transforms_user` roles will no
+    longer succeed. Users should instead use the equivalent `transform_admin`/`transform_user` roles.

docs/reference/rest-api/security/bulk-create-roles.asciidoc

@@ -328,7 +328,7 @@ The result would then have the `errors` field set to `true` and hold the error f
         "details": {
             "my_admin_role": { <4>
                 "type": "action_request_validation_exception",
-                "reason": "Validation Failed: 1: unknown cluster privilege [bad_cluster_privilege]. a privilege must be either one of the predefined cluster privilege names [manage_own_api_key,manage_data_stream_global_retention,monitor_data_stream_global_retention,none,cancel_task,cross_cluster_replication,cross_cluster_search,delegate_pki,grant_api_key,manage_autoscaling,manage_index_templates,manage_logstash_pipelines,manage_oidc,manage_saml,manage_search_application,manage_search_query_rules,manage_search_synonyms,manage_service_account,manage_token,manage_user_profile,monitor_connector,monitor_enrich,monitor_inference,monitor_ml,monitor_rollup,monitor_snapshot,monitor_stats,monitor_text_structure,monitor_watcher,post_behavioral_analytics_event,read_ccr,read_connector_secrets,read_fleet_secrets,read_ilm,read_pipeline,read_security,read_slm,transport_client,write_connector_secrets,write_fleet_secrets,create_snapshot,manage_behavioral_analytics,manage_ccr,manage_connector,manage_enrich,manage_ilm,manage_inference,manage_ml,manage_rollup,manage_slm,manage_watcher,monitor_data_frame_transforms,monitor_transform,manage_api_key,manage_ingest_pipelines,manage_pipeline,manage_data_frame_transforms,manage_transform,manage_security,monitor,manage,all] or a pattern over one of the available cluster actions;"
+                "reason": "Validation Failed: 1: unknown cluster privilege [bad_cluster_privilege]. a privilege must be either one of the predefined cluster privilege names [manage_own_api_key,manage_data_stream_global_retention,monitor_data_stream_global_retention,none,cancel_task,cross_cluster_replication,cross_cluster_search,delegate_pki,grant_api_key,manage_autoscaling,manage_index_templates,manage_logstash_pipelines,manage_oidc,manage_saml,manage_search_application,manage_search_query_rules,manage_search_synonyms,manage_service_account,manage_token,manage_user_profile,monitor_connector,monitor_enrich,monitor_inference,monitor_ml,monitor_rollup,monitor_snapshot,monitor_stats,monitor_text_structure,monitor_watcher,post_behavioral_analytics_event,read_ccr,read_connector_secrets,read_fleet_secrets,read_ilm,read_pipeline,read_security,read_slm,transport_client,write_connector_secrets,write_fleet_secrets,create_snapshot,manage_behavioral_analytics,manage_ccr,manage_connector,manage_enrich,manage_ilm,manage_inference,manage_ml,manage_rollup,manage_slm,manage_watcher,monitor_transform,manage_api_key,manage_ingest_pipelines,manage_pipeline,manage_transform,manage_security,monitor,manage,all] or a pattern over one of the available cluster actions;"
             }
         }
     }

docs/reference/rest-api/security/get-builtin-privileges.asciidoc

@@ -78,7 +78,6 @@ A successful call returns an object with "cluster", "index", and "remote_cluster
     "manage_behavioral_analytics",
     "manage_ccr",
     "manage_connector",
-    "manage_data_frame_transforms",
     "manage_data_stream_global_retention",
     "manage_enrich",
     "manage_ilm",
@@ -104,7 +103,6 @@ A successful call returns an object with "cluster", "index", and "remote_cluster
     "manage_watcher",
     "monitor",
     "monitor_connector",
-    "monitor_data_frame_transforms",
     "monitor_data_stream_global_retention",
     "monitor_enrich",
     "monitor_inference",

docs/reference/security/authorization/built-in-roles.asciidoc

@@ -33,18 +33,6 @@ suitable for writing beats output to {es}.
 
 --
 
-[[built-in-roles-data-frame-transforms-admin]] `data_frame_transforms_admin` ::
-Grants `manage_data_frame_transforms` cluster privileges, which enable you to
-manage {transforms}. This role also includes all
-{kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}.
-deprecated:[7.5.0,"Replaced by <<built-in-roles-transform-admin,`transform_admin`>>"].
-
-[[built-in-roles-data-frame-transforms-user]] `data_frame_transforms_user` ::
-Grants `monitor_data_frame_transforms` cluster privileges, which enable you to
-use {transforms}. This role also includes all
-{kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}.
-deprecated:[7.5.0,"Replaced by <<built-in-roles-transform-user,`transform_user`>>"].
-
 [[built-in-roles-editor]] `editor` ::
 
 Grants full access to all features in {kib} (including Solutions) and read-only access to data indices.

docs/reference/security/authorization/privileges.asciidoc

@@ -95,12 +95,6 @@ only on clusters that contain follower indices.
 +
 This privilege is not available in {serverless-full}.
 
-`manage_data_frame_transforms`::
-All operations related to managing {transforms}.
-deprecated[7.5] Use `manage_transform` instead.
-+
-This privilege is not available in {serverless-full}.
-
 `manage_data_stream_global_retention`::
 This privilege has no effect.deprecated[8.16]
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java

@@ -234,10 +234,6 @@ public class ClusterPrivilegeResolver {
         MONITOR_INFERENCE_PATTERN
     );
     public static final NamedClusterPrivilege MONITOR_ML = new ActionClusterPrivilege("monitor_ml", MONITOR_ML_PATTERN);
-    public static final NamedClusterPrivilege MONITOR_TRANSFORM_DEPRECATED = new ActionClusterPrivilege(
-        "monitor_data_frame_transforms",
-        MONITOR_TRANSFORM_PATTERN
-    );
     public static final NamedClusterPrivilege MONITOR_TEXT_STRUCTURE = new ActionClusterPrivilege(
         "monitor_text_structure",
         MONITOR_TEXT_STRUCTURE_PATTERN
@@ -253,10 +249,6 @@ public class ClusterPrivilegeResolver {
     public static final NamedClusterPrivilege MANAGE = new ActionClusterPrivilege("manage", ALL_CLUSTER_PATTERN, ALL_SECURITY_PATTERN);
     public static final NamedClusterPrivilege MANAGE_INFERENCE = new ActionClusterPrivilege("manage_inference", MANAGE_INFERENCE_PATTERN);
     public static final NamedClusterPrivilege MANAGE_ML = new ActionClusterPrivilege("manage_ml", MANAGE_ML_PATTERN);
-    public static final NamedClusterPrivilege MANAGE_TRANSFORM_DEPRECATED = new ActionClusterPrivilege(
-        "manage_data_frame_transforms",
-        MANAGE_TRANSFORM_PATTERN
-    );
     public static final NamedClusterPrivilege MANAGE_TRANSFORM = new ActionClusterPrivilege("manage_transform", MANAGE_TRANSFORM_PATTERN);
     public static final NamedClusterPrivilege MANAGE_TOKEN = new ActionClusterPrivilege("manage_token", MANAGE_TOKEN_PATTERN);
     public static final NamedClusterPrivilege MANAGE_WATCHER = new ActionClusterPrivilege("manage_watcher", MANAGE_WATCHER_PATTERN);
@@ -426,7 +418,6 @@ public class ClusterPrivilegeResolver {
             MONITOR_INFERENCE,
             MONITOR_ML,
             MONITOR_TEXT_STRUCTURE,
-            MONITOR_TRANSFORM_DEPRECATED,
             MONITOR_TRANSFORM,
             MONITOR_WATCHER,
             MONITOR_ROLLUP,
@@ -436,7 +427,6 @@ public class ClusterPrivilegeResolver {
             MANAGE_CONNECTOR,
             MANAGE_INFERENCE,
             MANAGE_ML,
-            MANAGE_TRANSFORM_DEPRECATED,
             MANAGE_TRANSFORM,
             MANAGE_TOKEN,
             MANAGE_WATCHER,

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -519,70 +519,6 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                         + "and roles that grant access to Kibana."
                 )
             ),
-            // DEPRECATED: to be removed in 9.0.0
-            entry(
-                "data_frame_transforms_admin",
-                new RoleDescriptor(
-                    "data_frame_transforms_admin",
-                    new String[] { "manage_data_frame_transforms" },
-                    new RoleDescriptor.IndicesPrivileges[] {
-                        RoleDescriptor.IndicesPrivileges.builder()
-                            .indices(
-                                TransformInternalIndexConstants.AUDIT_INDEX_PATTERN,
-                                TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED,
-                                TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS
-                            )
-                            .privileges("view_index_metadata", "read")
-                            .build() },
-                    new RoleDescriptor.ApplicationResourcePrivileges[] {
-                        RoleDescriptor.ApplicationResourcePrivileges.builder()
-                            .application("kibana-*")
-                            .resources("*")
-                            .privileges("reserved_ml_user")
-                            .build() },
-                    null,
-                    null,
-                    MetadataUtils.getDeprecatedReservedMetadata("Please use the [transform_admin] role instead"),
-                    null,
-                    null,
-                    null,
-                    null,
-                    "Grants manage_data_frame_transforms cluster privileges, which enable you to manage transforms. "
-                        + "This role also includes all Kibana privileges for the machine learning features."
-                )
-            ),
-            // DEPRECATED: to be removed in 9.0.0
-            entry(
-                "data_frame_transforms_user",
-                new RoleDescriptor(
-                    "data_frame_transforms_user",
-                    new String[] { "monitor_data_frame_transforms" },
-                    new RoleDescriptor.IndicesPrivileges[] {
-                        RoleDescriptor.IndicesPrivileges.builder()
-                            .indices(
-                                TransformInternalIndexConstants.AUDIT_INDEX_PATTERN,
-                                TransformInternalIndexConstants.AUDIT_INDEX_PATTERN_DEPRECATED,
-                                TransformInternalIndexConstants.AUDIT_INDEX_READ_ALIAS
-                            )
-                            .privileges("view_index_metadata", "read")
-                            .build() },
-                    new RoleDescriptor.ApplicationResourcePrivileges[] {
-                        RoleDescriptor.ApplicationResourcePrivileges.builder()
-                            .application("kibana-*")
-                            .resources("*")
-                            .privileges("reserved_ml_user")
-                            .build() },
-                    null,
-                    null,
-                    MetadataUtils.getDeprecatedReservedMetadata("Please use the [transform_user] role instead"),
-                    null,
-                    null,
-                    null,
-                    null,
-                    "Grants monitor_data_frame_transforms cluster privileges, which enable you to use transforms. "
-                        + "This role also includes all Kibana privileges for the machine learning features. "
-                )
-            ),
             entry(
                 "transform_admin",
                 new RoleDescriptor(