diff --git a/docs/changelog/129662.yaml b/docs/changelog/129662.yaml
new file mode 100644
index 0000000000000..d704c7cab2386
--- /dev/null
+++ b/docs/changelog/129662.yaml
@@ -0,0 +1,6 @@
+pr: 129662
+summary: "[Security] Add entity store and asset criticality index privileges to built\
+ \ in Editor, Viewer and Kibana System roles"
+area: Authorization
+type: enhancement
+issues: []
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index f5e3c239dadcd..96287843e6943 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -547,7 +547,7 @@ static RoleDescriptor kibanaSystem(String name) {
.indices(".asset-criticality.asset-criticality-*")
.privileges("create_index", "manage", "read", "write")
.build(),
- RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("read").build(),
+ RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("read", "write").build(),
// For cloud_defend usageCollection
RoleDescriptor.IndicesPrivileges.builder()
.indices("logs-cloud_defend.*", "metrics-cloud_defend.*")
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 83d9ecacb1f38..e7a8b4e14707e 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
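Review bot: The `.entities.v1.latest.security*` literal that now receives `write` in kibanaSystem has no underscore, so it is broader than the `ENTITY_STORE_V1_LATEST_INDEX` constant (`.entities.v1.latest.security_*`) that this same change adds to ReservedRolesStore for the viewer and editor roles, and the new kibana_system test only uses names with the underscore, so the extra width is never exercised. Unless the wider match is deliberate, I would point both kibanaSystem entries at the shared constants so they cannot drift: `.indices(ReservedRolesStore.ASSET_CRITICALITY_INDEX)` for the asset criticality entry and `RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX).privileges("read", "write").build()` for the entity store entry (both classes sit in the same package per the file paths). If the wider pattern is intended, a one-line comment saying why kibana_system must also match names without the underscore would stop the next reader from "fixing" it. kibanaSystem(String name) starts and ends outside the hunk.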
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -75,6 +75,10 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
public static final String LISTS_ITEMS_INDEX = ".items-*";
public static final String LISTS_ITEMS_INDEX_REINDEXED_V8 = ".reindexed-v8-items-*";
+ /** "Security Solutions" Entity Store and Asset Criticality indices for Asset Inventory and Entity Analytics */
+ public static final String ENTITY_STORE_V1_LATEST_INDEX = ".entities.v1.latest.security_*";
+ public static final String ASSET_CRITICALITY_INDEX = ".asset-criticality.asset-criticality-*";
+
/** Index pattern for Universal Profiling */
public static final String UNIVERSAL_PROFILING_ALIASES = "profiling-*";
public static final String UNIVERSAL_PROFILING_BACKING_INDICES = ".profiling-*";
@@ -784,7 +788,9 @@ private static RoleDescriptor buildViewerRoleDescriptor() {
ReservedRolesStore.LISTS_ITEMS_INDEX,
ReservedRolesStore.ALERTS_LEGACY_INDEX_REINDEXED_V8,
ReservedRolesStore.LISTS_INDEX_REINDEXED_V8,
- ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8
+ ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8,
+ ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX,
+ ReservedRolesStore.ASSET_CRITICALITY_INDEX
)
.privileges("read", "view_index_metadata")
.build(),
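Review bot: The Javadoc on the two new constants names the feature but not the grant they express, which is what a reader of the role definitions needs, since the entity store pattern is both versioned (`v1`) and namespaced (`security_`) while `ASSET_CRITICALITY_INDEX` is neither. I would extend it to something like `/** Security Solution entity store (latest state, v1, security namespace) and asset criticality indices. Viewer and editor get read access to both; only editor may also write asset criticality. */`, which records the intent this change encodes in buildViewerRoleDescriptor and buildEditorRoleDescriptor. Whether a future v2 store should inherit these grants cannot be decided from here, but the constant name pins it to v1, so that will need a fresh decision rather than a pattern widening. The class body continues outside the hunk.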
@@ -846,10 +852,16 @@ private static RoleDescriptor buildEditorRoleDescriptor() {
ReservedRolesStore.LISTS_ITEMS_INDEX,
ReservedRolesStore.ALERTS_LEGACY_INDEX_REINDEXED_V8,
ReservedRolesStore.LISTS_INDEX_REINDEXED_V8,
- ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8
+ ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8,
+ ReservedRolesStore.ASSET_CRITICALITY_INDEX
)
.privileges("read", "view_index_metadata", "write", "maintenance")
.build(),
+ // Security - Entity Store is view only
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX)
+ .privileges("read", "view_index_metadata")
+ .build(),
// Alerts-as-data
RoleDescriptor.IndicesPrivileges.builder()
.indices(
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index e90cbfaec027a..21e3d3ad0cd6c 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
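Review bot: The `// Security - Entity Store is view only` comment states the what but not the why, which matters here because the asset criticality pattern added to the builder just above gets `write` and `maintenance` while the entity store does not, and kibana_system is given `write` on the same store elsewhere in this change. I would make the reason explicit, e.g. `// Security - Entity Store is read-only for users; it is written by kibana_system (see KibanaOwnedReservedRoleDescriptors), so no write/maintenance here`, adjusting "written by kibana_system" if the store is in fact populated by something else. Keeping the entity store in its own IndicesPrivileges entry rather than folding it into the read/write list above is the right least-privilege shape. buildEditorRoleDescriptor starts and ends outside the hunk.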
@@ -1851,6 +1851,13 @@ public void testKibanaSystemRole() {
assertViewIndexMetadata(kibanaRole, indexName);
});
+ Arrays.asList(".entities.v1.latest.security_" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach(indexName -> {
+ final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportSearchAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportUpdateAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertViewIndexMetadata(kibanaRole, indexName);
+ });
+
Arrays.asList("metrics-logstash." + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((indexName) -> {
final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));
@@ -3676,6 +3683,9 @@ public void testPredefinedViewerRole() {
assertOnlyReadAllowed(role, ".profiling-" + randomIntBetween(0, 5));
assertOnlyReadAllowed(role, randomAlphaOfLength(5));
+ assertOnlyReadAllowed(role, ".entities.v1.latest.security_" + randomIntBetween(0, 5));
+ assertOnlyReadAllowed(role, ".asset-criticality.asset-criticality-" + randomIntBetween(0, 5));
+
assertOnlyReadAllowed(role, ".slo-observability." + randomIntBetween(0, 5));
assertViewIndexMetadata(role, ".slo-observability." + randomIntBetween(0, 5));
@@ -3746,6 +3756,7 @@ public void testPredefinedEditorRole() {
assertOnlyReadAllowed(role, "endgame-" + randomIntBetween(0, 5));
assertOnlyReadAllowed(role, "profiling-" + randomIntBetween(0, 5));
assertOnlyReadAllowed(role, ".profiling-" + randomIntBetween(0, 5));
+ assertOnlyReadAllowed(role, ".entities.v1.latest.security_" + randomIntBetween(0, 5));
assertOnlyReadAllowed(role, randomAlphaOfLength(5));
assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".siem-signals-" + randomIntBetween(0, 5));
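Review bot: The new kibana_system block only asserts positive permissions (search, update, view metadata) on `.entities.v1.latest.security_*`, whereas the `metrics-logstash.` block directly below it also pins a negative (`"indices:foo"` is false), so nothing here would notice the grant later widening to `all`. I would add the same negative, `assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));`, and, because the role literal is `.entities.v1.latest.security*` without the underscore, also drive the block with a second name such as `".entities.v1.latest.security" + randomAlphaOfLength(5)` so the test records whether that wider match is intended. testKibanaSystemRole starts and ends outside the hunk.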
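Review bot: The viewer grant in ReservedRolesStore gives `view_index_metadata` alongside `read` on both new patterns, but the two assertions added to testPredefinedViewerRole only call `assertOnlyReadAllowed`; the `.slo-observability.` lines just below show the file's convention of pairing that with `assertViewIndexMetadata`. I would add `assertViewIndexMetadata(role, ".entities.v1.latest.security_" + randomIntBetween(0, 5));` and `assertViewIndexMetadata(role, ".asset-criticality.asset-criticality-" + randomIntBetween(0, 5));` so the metadata half of the grant is pinned as well. testPredefinedViewerRole starts and ends outside the hunk.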
@@ -3756,6 +3767,7 @@ public void testPredefinedEditorRole() {
assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".internal.alerts-" + randomIntBetween(0, 5));
assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".preview.alerts-" + randomIntBetween(0, 5));
assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".internal.preview.alerts-" + randomIntBetween(0, 5));
+ assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".asset-criticality.asset-criticality-" + randomIntBetween(0, 5));
assertViewIndexMetadata(role, ".slo-observability." + randomIntBetween(0, 5));
assertReadWriteAndManage(role, ".slo-observability." + randomIntBetween(0, 5));
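Review bot: The editor's asset criticality grant includes `view_index_metadata`, and the new `assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed` line says nothing about it, while the `.slo-observability.` lines beside it pair the read/write check with `assertViewIndexMetadata`. I would add `assertViewIndexMetadata(role, ".asset-criticality.asset-criticality-" + randomIntBetween(0, 5));` next to the new line. The helper's name suggests it already pins that delete-index is denied, which is the negative that matters most now that this role can write the index; if it does not, that check is worth adding here too. testPredefinedEditorRole starts outside the hunk.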