From f9dd0a026ace9fbc85abfbb2a4ee72d6182319de Mon Sep 17 00:00:00 2001
From: Paulo Henrique
Date: Wed, 18 Jun 2025 12:32:43 -0700
Subject: [PATCH 1/9] Adding asset criticality and entity store permissions to built in roles
---
 .../authz/store/ReservedRolesStore.java | 17 +++++++++++++++--
 .../authz/store/ReservedRolesStoreTests.java | 5 +++++
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 52fe69c949a4b..35566d9282aa0 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -71,6 +71,11 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 public static final String LISTS_ITEMS_INDEX = ".items-*";
 public static final String LISTS_ITEMS_INDEX_REINDEXED_V8 = ".reindexed-v8-items-*";
+ /** "Security Solutions" Entity Store and Asset Criticality indices for Asset Inventory and Entity Analytics */
+ public static final String ENTITY_STORE_V1_LATEST_INDEX = ".entities.v1.latest.security*";
+ public static final String ASSET_CRITICALITY_INDEX = ".asset-criticality.asset-criticality-*";
+
+ /** Index pattern for Universal Profiling */
 public static final String UNIVERSAL_PROFILING_ALIASES = "profiling-*";
 public static final String UNIVERSAL_PROFILING_BACKING_INDICES = ".profiling-*";
@@ -780,7 +785,9 @@ private static RoleDescriptor buildViewerRoleDescriptor() {
 ReservedRolesStore.LISTS_ITEMS_INDEX,
 ReservedRolesStore.ALERTS_LEGACY_INDEX_REINDEXED_V8,
 ReservedRolesStore.LISTS_INDEX_REINDEXED_V8,
- ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8
+ ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8,
+ ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX,
+ ReservedRolesStore.ASSET_CRITICALITY_INDEX
 )
 .privileges("read", "view_index_metadata")
 .build(),
@@ -842,10 +849,16 @@ private static RoleDescriptor buildEditorRoleDescriptor() {
 ReservedRolesStore.LISTS_ITEMS_INDEX,
 ReservedRolesStore.ALERTS_LEGACY_INDEX_REINDEXED_V8,
 ReservedRolesStore.LISTS_INDEX_REINDEXED_V8,
- ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8
+ ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8,
+ ReservedRolesStore.ASSET_CRITICALITY_INDEX
 )
 .privileges("read", "view_index_metadata", "write", "maintenance")
 .build(),
+ // Security - Entity Store is view only
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX)
+ .privileges("read", "view_index_metadata")
+ .build(),
 // Alerts-as-data
 RoleDescriptor.IndicesPrivileges.builder()
 .indices(
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 9136a34c44b8a..0addae608dae3 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
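Review bot: The comment `// Security - Entity Store is view only` on the new editor stanza states the rule but not the reason, which is what the reviewer of a later request to widen it will need. I would expand it to `// Security - Entity Store is view only for editors: these indices are maintained by the entity store pipeline, not edited by users`, noting that the writer being the pipeline (via kibana_system) is inferred from the later kibana_system grant in this series rather than from this hunk and should be confirmed. The asymmetry with `ASSET_CRITICALITY_INDEX`, which joins the read/write/maintenance list a few lines above, also deserves a one-line comment if it is intentional. `buildEditorRoleDescriptor` continues outside the hunk.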
@@ -3669,6 +3669,9 @@ public void testPredefinedViewerRole() {
 assertOnlyReadAllowed(role, ".profiling-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, randomAlphaOfLength(5));
+ assertOnlyReadAllowed(role, ".entities.v1.latest.security" + randomIntBetween(0, 5));
+ assertOnlyReadAllowed(role, ".asset-criticality.asset-criticality-" + randomIntBetween(0, 5));
+
 assertOnlyReadAllowed(role, ".slo-observability." + randomIntBetween(0, 5));
 assertViewIndexMetadata(role, ".slo-observability." + randomIntBetween(0, 5));
@@ -3739,6 +3742,7 @@ public void testPredefinedEditorRole() {
 assertOnlyReadAllowed(role, "endgame-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, "profiling-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, ".profiling-" + randomIntBetween(0, 5));
+ assertOnlyReadAllowed(role, ".entities.v1.latest.security*" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, randomAlphaOfLength(5));
 assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".siem-signals-" + randomIntBetween(0, 5));
@@ -3749,6 +3753,7 @@ public void testPredefinedEditorRole() {
 assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".internal.alerts-" + randomIntBetween(0, 5));
 assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".preview.alerts-" + randomIntBetween(0, 5));
 assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".internal.preview.alerts-" + randomIntBetween(0, 5));
+ assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".asset-criticality.asset-criticality-" + randomIntBetween(0, 5));
 assertViewIndexMetadata(role, ".slo-observability." + randomIntBetween(0, 5));
 assertReadWriteAndManage(role, ".slo-observability." + randomIntBetween(0, 5));
From 13ea611472d366753946d446d5259667c1e38d23 Mon Sep 17 00:00:00 2001
From: Paulo Silva
Date: Wed, 18 Jun 2025 12:52:00 -0700
Subject: [PATCH 2/9] Update docs/changelog/129662.yaml
---
 docs/changelog/129662.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 docs/changelog/129662.yaml
diff --git a/docs/changelog/129662.yaml b/docs/changelog/129662.yaml
new file mode 100644
index 0000000000000..3984d2c9d5e86
--- /dev/null
+++ b/docs/changelog/129662.yaml
@@ -0,0 +1,6 @@
+pr: 129662
+summary: "[Security] Add entity store and asset criticality index privileges to built\
+ \ in Editor and Viewer roles"
+area: Authorization
+type: enhancement
+issues: []
From 30e1b124633eed7dea54c88430fe17e3209f6e63 Mon Sep 17 00:00:00 2001
From: elasticsearchmachine
Date: Wed, 18 Jun 2025 20:00:49 +0000
Subject: [PATCH 3/9] [CI] Auto commit changes from spotless
---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 35566d9282aa0..f91a60b057024 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -75,7 +75,6 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 public static final String ENTITY_STORE_V1_LATEST_INDEX = ".entities.v1.latest.security*";
 public static final String ASSET_CRITICALITY_INDEX = ".asset-criticality.asset-criticality-*";
-
 /** Index pattern for Universal Profiling */
 public static final String UNIVERSAL_PROFILING_ALIASES = "profiling-*";
 public static final String UNIVERSAL_PROFILING_BACKING_INDICES = ".profiling-*";
From 66132ac294c79230f294265866b944aee86f7d4c Mon Sep 17 00:00:00 2001
From: Paulo Henrique
Date: Mon, 30 Jun 2025 11:40:22 -0700
Subject: [PATCH 4/9] Corrects entity store index pattern
Updates the entity store index pattern to ensure it matches the minimum necessary index name and narrow it down to the correct use case
---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 2 +-
 .../core/security/authz/store/ReservedRolesStoreTests.java | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 19064ab5424da..e7a8b4e14707e 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -76,7 +76,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 public static final String LISTS_ITEMS_INDEX_REINDEXED_V8 = ".reindexed-v8-items-*";
 /** "Security Solutions" Entity Store and Asset Criticality indices for Asset Inventory and Entity Analytics */
- public static final String ENTITY_STORE_V1_LATEST_INDEX = ".entities.v1.latest.security*";
+ public static final String ENTITY_STORE_V1_LATEST_INDEX = ".entities.v1.latest.security_*";
 public static final String ASSET_CRITICALITY_INDEX = ".asset-criticality.asset-criticality-*";
 /** Index pattern for Universal Profiling */
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index e9f46b6ad8966..44edb21f42f6f 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
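Review bot: The Javadoc above the changed constant still describes the indices only generically, so nothing in the code records why the trailing `_` was added or warns the next maintainer not to widen the pattern back to `security*`. I would extend the `/** "Security Solutions" ... */` comment with a sentence such as `ENTITY_STORE_V1_LATEST_INDEX deliberately matches only the underscore-suffixed latest indices (.entities.v1.latest.security_<suffix>); do not widen it to security*.` The exact suffix scheme is inferred from the pattern, not shown here, and should be confirmed against the entity store's index naming before it is written down. Note that the kibana_system descriptor elsewhere in this series keeps the wider `security*` literal, so the comment is also where that intentional or accidental difference belongs.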
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -3676,7 +3676,7 @@ public void testPredefinedViewerRole() {
 assertOnlyReadAllowed(role, ".profiling-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, randomAlphaOfLength(5));
- assertOnlyReadAllowed(role, ".entities.v1.latest.security" + randomIntBetween(0, 5));
+ assertOnlyReadAllowed(role, ".entities.v1.latest.security_" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, ".asset-criticality.asset-criticality-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, ".slo-observability." + randomIntBetween(0, 5));
@@ -3749,7 +3749,7 @@ public void testPredefinedEditorRole() {
 assertOnlyReadAllowed(role, "endgame-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, "profiling-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, ".profiling-" + randomIntBetween(0, 5));
- assertOnlyReadAllowed(role, ".entities.v1.latest.security*" + randomIntBetween(0, 5));
+ assertOnlyReadAllowed(role, ".entities.v1.latest.security_" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, randomAlphaOfLength(5));
 assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".siem-signals-" + randomIntBetween(0, 5));
From 322017983aa4ab75388e85aea55149f3511d31b7 Mon Sep 17 00:00:00 2001
From: Paulo Henrique
Date: Tue, 29 Jul 2025 19:40:31 -0700
Subject: [PATCH 5/9] Grants kibana_system full access to entities index
Modifies the reserved role descriptor to allow all privileges on the entities index. Adds a test to verify that the entities index has all access allowed.
---
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 2 +-
 .../core/security/authz/store/ReservedRolesStoreTests.java | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
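Review bot: Both hunks assert only the positive case for a name that matches the narrowed `security_*` pattern; nothing checks that a `.entities.v1.latest.security` name without the underscore — exactly what this patch is meant to stop matching — is no longer granted, so a later regression to `security*` would pass these tests unnoticed. Next to each changed line I would add a negative check such as `assertNoAccessAllowed(role, ".entities.v1.latest.security" + randomAlphaOfLength(5));`, using whatever no-access helper the test class already has. This assumes the viewer and editor roles have no other grant covering `.entities*`, which the hunk alone cannot confirm. Both `testPredefinedViewerRole` and `testPredefinedEditorRole` continue outside the hunks.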
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index f5e3c239dadcd..1170c07fddaba 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -547,7 +547,7 @@ static RoleDescriptor kibanaSystem(String name) {
 .indices(".asset-criticality.asset-criticality-*")
 .privileges("create_index", "manage", "read", "write")
 .build(),
- RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("read").build(),
+ RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("all").build(),
 // For cloud_defend usageCollection
 RoleDescriptor.IndicesPrivileges.builder()
 .indices("logs-cloud_defend.*", "metrics-cloud_defend.*")
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 44edb21f42f6f..55d12f107d02e 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1851,6 +1851,9 @@ public void testKibanaSystemRole() {
 assertViewIndexMetadata(kibanaRole, indexName);
 });
+ Array.asList(".entities.v1.latest.security_" + randomAlphaOfLength(randomIntBetween(0, 13)))
+ .forEach(indexName -> assertAllIndicesAccessAllowed(kibanaRole, indexName));
+
 Arrays.asList("metrics-logstash." + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((indexName) -> {
 final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));
From c61689ee5ea06272350aee787efb0049976a5e28 Mon Sep 17 00:00:00 2001
From: Paulo Henrique
Date: Tue, 29 Jul 2025 19:59:27 -0700
Subject: [PATCH 6/9] Replaces Array with Arrays
Corrects a typo in a test case by replacing `Array` with `Arrays`, ensuring the test functions as intended.
---
 .../core/security/authz/store/ReservedRolesStoreTests.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 55d12f107d02e..adc96db194d51 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1851,7 +1851,7 @@ public void testKibanaSystemRole() {
 assertViewIndexMetadata(kibanaRole, indexName);
 });
- Array.asList(".entities.v1.latest.security_" + randomAlphaOfLength(randomIntBetween(0, 13)))
+ Arrays.asList(".entities.v1.latest.security_" + randomAlphaOfLength(randomIntBetween(0, 13)))
 .forEach(indexName -> assertAllIndicesAccessAllowed(kibanaRole, indexName));
 Arrays.asList("metrics-logstash." + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((indexName) -> {
From 7c3b747ca27a2fe949542c3afd607e32045945e7 Mon Sep 17 00:00:00 2001
From: Paulo Henrique
Date: Wed, 30 Jul 2025 15:46:37 -0700
Subject: [PATCH 7/9] Restricts access to .entities indices
Reduces the privileges granted to the Kibana owned reserved role for the .entities indices to only read and write. This change restricts the role from having "all" privileges, enhancing security.
---
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 2 +-
 .../security/authz/store/ReservedRolesStoreTests.java | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index 1170c07fddaba..96287843e6943 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -547,7 +547,7 @@ static RoleDescriptor kibanaSystem(String name) {
 .indices(".asset-criticality.asset-criticality-*")
 .privileges("create_index", "manage", "read", "write")
 .build(),
- RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("all").build(),
+ RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("read", "write").build(),
 // For cloud_defend usageCollection
 RoleDescriptor.IndicesPrivileges.builder()
 .indices("logs-cloud_defend.*", "metrics-cloud_defend.*")
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index adc96db194d51..ef2bf46c629fe 100644
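Review bot: The kibana_system grant on the `+` line still uses the hard-coded literal `.entities.v1.latest.security*`, while `ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX` in the same package was narrowed to `.entities.v1.latest.security_*` earlier in this series, so the system role's write grant now covers more index names than the viewer/editor read grant and the two strings can keep drifting apart. The neighbouring `.asset-criticality.asset-criticality-*` line duplicates `ReservedRolesStore.ASSET_CRITICALITY_INDEX` the same way. I would reference the constant, `RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX).privileges("read", "write").build(),`, or at minimum align the literal to `security_*` if a dependency between the two classes is undesirable. The test added in this patch only uses `security_` names, so it passes with either pattern and does not catch the mismatch. `kibanaSystem(String name)` continues outside the hunk.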
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1851,8 +1851,13 @@ public void testKibanaSystemRole() {
 assertViewIndexMetadata(kibanaRole, indexName);
 });
- Arrays.asList(".entities.v1.latest.security_" + randomAlphaOfLength(randomIntBetween(0, 13)))
- .forEach(indexName -> assertAllIndicesAccessAllowed(kibanaRole, indexName));
+ Arrays.asList(".entities.v1.latest.security_" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach(indexName -> {
+ final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportSearchAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportUpdateAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertViewIndexMetadata(kibanaRole, indexName);
+ });
+
 Arrays.asList("metrics-logstash." + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((indexName) -> {
 final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
From ca81f21239c3d48af7877a14e3dea1cec4176042 Mon Sep 17 00:00:00 2001
From: elasticsearchmachine
Date: Wed, 30 Jul 2025 22:57:04 +0000
Subject: [PATCH 8/9] [CI] Auto commit changes from spotless
---
 .../xpack/core/security/authz/store/ReservedRolesStoreTests.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index ef2bf46c629fe..21e3d3ad0cd6c 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
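Review bot: The new assertions only pin what is still granted (search, update, view metadata); nothing checks that the index-management actions removed by replacing `"all"` with `"read", "write"` are actually denied, which is the whole point of the patch, so a future return to `"all"` would pass this test. Alongside the two `is(true)` checks I would add a negative one in the style of the `"indices:foo"` check in the next stanza, for example `assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportDeleteIndexAction.TYPE.name()).test(indexAbstraction), is(false));`, using whichever index-admin action constant the test file already imports. Whether `assertViewIndexMetadata` still holds with only read and write on these indices depends on other kibana_system grants not visible here and is worth confirming rather than assuming. `testKibanaSystemRole` continues outside the hunk.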
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1858,7 +1858,6 @@ public void testKibanaSystemRole() {
 assertViewIndexMetadata(kibanaRole, indexName);
 });
-
 Arrays.asList("metrics-logstash." + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((indexName) -> {
 final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));
From 536523d3adcc8ad41292e4ecda6005501662798d Mon Sep 17 00:00:00 2001
From: Paulo Silva
Date: Wed, 30 Jul 2025 16:02:34 -0700
Subject: [PATCH 9/9] Update changelog
---
 docs/changelog/129662.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/changelog/129662.yaml b/docs/changelog/129662.yaml
index 3984d2c9d5e86..d704c7cab2386 100644
--- a/docs/changelog/129662.yaml
+++ b/docs/changelog/129662.yaml
@@ -1,6 +1,6 @@
 pr: 129662
 summary: "[Security] Add entity store and asset criticality index privileges to built\
- \ in Editor and Viewer roles"
+ \ in Editor, Viewer and Kibana System roles"
 area: Authorization
 type: enhancement
 issues: []