diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUsers.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUsers.java
index eaba08c0aad83..961f363be7958 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUsers.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUsers.java
@@ -35,9 +35,11 @@
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.support.MetadataUtils;
 
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Map;
+import java.util.Objects;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -157,14 +159,18 @@ public class InternalUsers {
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("*")
                     .privileges(
-                        "delete_index",
-                        RolloverAction.NAME,
-                        ForceMergeAction.NAME + "*",
-                        // indices stats is used by rollover, so we need to grant it here
-                        IndicesStatsAction.NAME + "*",
-                        TransportUpdateSettingsAction.TYPE.name(),
-                        DownsampleAction.NAME,
-                        TransportAddIndexBlockAction.TYPE.name()
+                        filterNonNull(
+                            // needed to rollover failure store
+                            DataStream.isFailureStoreFeatureFlagEnabled() ? "manage_failure_store" : null,
+                            "delete_index",
+                            RolloverAction.NAME,
+                            ForceMergeAction.NAME + "*",
+                            // indices stats is used by rollover, so we need to grant it here
+                            IndicesStatsAction.NAME + "*",
+                            TransportUpdateSettingsAction.TYPE.name(),
+                            DownsampleAction.NAME,
+                            TransportAddIndexBlockAction.TYPE.name()
+                        )
                     )
                     .allowRestrictedIndices(false)
                     .build(),
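Review bot: The privilege list handed to `filterNonNull(...)` in this hunk is repeated verbatim in the next hunk (the `.fleet-fileds*` entry with `allowRestrictedIndices(true)` at -176), so the two entries of this role can silently drift apart the next time a privilege is added or feature-gated. Both `.privileges(...)` calls should take the array from one private helper, e.g. `.privileges(dataStreamLifecyclePrivileges())` backed by `private static String[] dataStreamLifecyclePrivileges() { return filterNonNull(/* the nine entries */); }` placed next to `filterNonNull`. A method rather than a `static final` array avoids a static-initialisation ordering problem, since the role descriptors appear to be built in static field initialisers; the `// needed to rollover failure store` comment would then live in one place. The enclosing role descriptor starts outside the hunk.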
@@ -176,14 +182,18 @@ public class InternalUsers {
                         ".fleet-fileds*"
                     )
                     .privileges(
-                        "delete_index",
-                        RolloverAction.NAME,
-                        ForceMergeAction.NAME + "*",
-                        // indices stats is used by rollover, so we need to grant it here
-                        IndicesStatsAction.NAME + "*",
-                        TransportUpdateSettingsAction.TYPE.name(),
-                        DownsampleAction.NAME,
-                        TransportAddIndexBlockAction.TYPE.name()
+                        filterNonNull(
+                            // needed to rollover failure store
+                            DataStream.isFailureStoreFeatureFlagEnabled() ? "manage_failure_store" : null,
+                            "delete_index",
+                            RolloverAction.NAME,
+                            ForceMergeAction.NAME + "*",
+                            // indices stats is used by rollover, so we need to grant it here
+                            IndicesStatsAction.NAME + "*",
+                            TransportUpdateSettingsAction.TYPE.name(),
+                            DownsampleAction.NAME,
+                            TransportAddIndexBlockAction.TYPE.name()
+                        )
                     )
                     .allowRestrictedIndices(true)
                     .build() },
@@ -246,25 +256,18 @@ public class InternalUsers {
         new RoleDescriptor(
             UsernamesField.LAZY_ROLLOVER_ROLE,
             new String[] {},
-            DataStream.isFailureStoreFeatureFlagEnabled()
-                ? new RoleDescriptor.IndicesPrivileges[] {
-                    RoleDescriptor.IndicesPrivileges.builder()
-                        .indices("*")
-                        .privileges(LazyRolloverAction.NAME)
-                        .allowRestrictedIndices(true)
-                        .build(),
-                    RoleDescriptor.IndicesPrivileges.builder()
-                        .indices("*")
-                        // needed to rollover failure store
-                        .privileges("manage_failure_store")
-                        .allowRestrictedIndices(true)
-                        .build() }
-                : new RoleDescriptor.IndicesPrivileges[] {
-                    RoleDescriptor.IndicesPrivileges.builder()
-                        .indices("*")
-                        .privileges(LazyRolloverAction.NAME)
-                        .allowRestrictedIndices(true)
-                        .build(), },
+            new RoleDescriptor.IndicesPrivileges[] {
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices("*")
+                    .privileges(
+                        filterNonNull(
+                            // needed to rollover failure store
+                            DataStream.isFailureStoreFeatureFlagEnabled() ? "manage_failure_store" : null,
+                            LazyRolloverAction.NAME
+                        )
+                    )
+                    .allowRestrictedIndices(true)
+                    .build() },
             null,
             null,
             new String[] {},
@@ -322,4 +325,8 @@ public static InternalUser getUser(String username) {
         }
         return instance;
     }
+
+    private static String[] filterNonNull(String... privileges) {
+        return Arrays.stream(privileges).filter(Objects::nonNull).toArray(String[]::new);
+    }
 }
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/user/InternalUsersTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/user/InternalUsersTests.java
index 40f66f457e67a..9b8caca209ad0 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/user/InternalUsersTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/user/InternalUsersTests.java
@@ -271,6 +271,7 @@ public void testDataStreamLifecycleUser() {
             TransportAddIndexBlockAction.TYPE.name()
         );
         final String dataStream = randomAlphaOfLengthBetween(3, 12);
+
         checkIndexAccess(role, randomFrom(sampleIndexActions), dataStream, true);
         // Also check backing index access
         checkIndexAccess(
@@ -280,6 +281,15 @@ public void testDataStreamLifecycleUser() {
             true
         );
 
+        checkIndexAccess(role, randomFrom(sampleIndexActions), dataStream + "::failures", true);
+        // Also check failure index access
+        checkIndexAccess(
+            role,
+            randomFrom(sampleIndexActions),
+            DataStream.FAILURE_STORE_PREFIX + dataStream + randomAlphaOfLengthBetween(4, 8),
+            true
+        );
+
         allowedSystemDataStreams.forEach(allowedSystemDataStream -> {
             checkIndexAccess(role, randomFrom(sampleSystemDataStreamActions), allowedSystemDataStream, true);
             checkIndexAccess(
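Review bot: `filterNonNull` has no Javadoc, and its only reason to exist — letting a feature-gated privilege be written as `flag ? "name" : null` in a varargs list — is not visible from the helper itself, so a reader cannot tell whether a null entry is a bug or an intentional marker. Add above it `/** Drops {@code null} entries. Callers pass {@code flag ? privilege : null} for a privilege that is only valid behind a feature flag, so the name is omitted from the descriptor when the flag is off. */`; whether the name is merely unknown or actively rejected when the flag is off is not visible here, so the wording stays at "omitted". Because `privileges` is a varargs array, `filterNonNull((String[]) null)` would throw from `Arrays.stream`; no caller in this diff does that, but `@throws NullPointerException if {@code privileges} itself is null` would make the contract explicit.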
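Review bot: The new `checkIndexAccess(..., dataStream + "::failures", true)` and `DataStream.FAILURE_STORE_PREFIX + ...` assertions in the -280 hunk (and the matching system-data-stream ones in the next hunk) expect access to be granted unconditionally, while the `manage_failure_store` grant in InternalUsers is only made when `DataStream.isFailureStoreFeatureFlagEnabled()` is true. If this test class can run with the flag disabled, the assertions should be preceded by `assumeTrue(DataStream.isFailureStoreFeatureFlagEnabled());` or branch on the flag with the expectation the role actually has in that configuration, so the test pins both configurations rather than the default one. There is also no negative check on the failure store: an action outside `sampleIndexActions`, e.g. a document write against `dataStream + "::failures"`, being denied would document what the new grant does not cover, in the same way the existing `false` check on `SAMPLE_RESTRICTED_NAMES` bounds the system-data-stream grant. `testDataStreamLifecycleUser` starts before these hunks.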
@@ -288,6 +298,14 @@ public void testDataStreamLifecycleUser() {
                 DataStream.BACKING_INDEX_PREFIX + allowedSystemDataStream + randomAlphaOfLengthBetween(4, 8),
                 true
             );
+
+            checkIndexAccess(role, randomFrom(sampleSystemDataStreamActions), allowedSystemDataStream + "::failures", true);
+            checkIndexAccess(
+                role,
+                randomFrom(sampleSystemDataStreamActions),
+                DataStream.FAILURE_STORE_PREFIX + allowedSystemDataStream + randomAlphaOfLengthBetween(4, 8),
+                true
+            );
         });
 
         checkIndexAccess(role, randomFrom(sampleSystemDataStreamActions), randomFrom(TestRestrictedIndices.SAMPLE_RESTRICTED_NAMES), false);