From 4d13580aea8df7f2d39e6af0eaf7e6fb58fc5fe3 Mon Sep 17 00:00:00 2001
From: David Kyle <david.kyle@elastic.co>
Date: Fri, 7 Feb 2025 15:08:15 +0000
Subject: [PATCH] [ML] Give the kibana user read/write access to reindexed
 hidden ml indices (#121897)

Indices are reindexed on upgrade. Adds an index pattern to the role
descriptor matching the upgraded indices
---
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java      | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index fcd1ba54a8de2..172b63decfdab 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -120,6 +120,11 @@ static RoleDescriptor kibanaSystem(String name) {
                     .indices(".ml-annotations*", ".ml-notifications*")
                     .privileges("read", "write")
                     .build(),
+                // And the reindexed indices from v7
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices(".reindexed-v8-ml-annotations*", ".reindexed-v8-ml-notifications*")
+                    .privileges("read", "write")
+                    .build(),
 
                 // APM agent configuration - system index defined in KibanaPlugin
                 RoleDescriptor.IndicesPrivileges.builder()