diff --git a/docs/changelog/132766.yaml b/docs/changelog/132766.yaml
new file mode 100644
index 0000000000000..0744c1c280632
--- /dev/null
+++ b/docs/changelog/132766.yaml
@@ -0,0 +1,10 @@
+pr: 132766
+summary: Change `reporting_user` role to leverage reserved kibana privileges
+area: Authorization
+type: deprecation
+issues: []
+deprecation:
+ title: Deprecate the built-in `reporting_user` role.
+ area: Authorization
+ details: The `reporting_user` role is deprecated. Administrators should manage access to Kibana's reporting features via custom roles which grant the necessary privileges.
+ impact: This role will be removed in a future version. Administrators should migrate to custom roles to avoid interruption.
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index e7a8b4e14707e..dc3db9d5c88df 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -328,23 +328,13 @@ private static Map initializeReservedRoles() {
 null,
 new RoleDescriptor.ApplicationResourcePrivileges[] {
 RoleDescriptor.ApplicationResourcePrivileges.builder()
- .application("kibana-.kibana")
+ .application("kibana-*")
 .resources("*")
- .privileges(
- "feature_discover.minimal_read",
- "feature_discover.generate_report",
- "feature_dashboard.minimal_read",
- "feature_dashboard.generate_report",
- "feature_dashboard.download_csv_report",
- "feature_canvas.minimal_read",
- "feature_canvas.generate_report",
- "feature_visualize.minimal_read",
- "feature_visualize.generate_report"
- )
+ .privileges("reserved_reporting_user")
 .build() },
 null,
 null,
- MetadataUtils.DEFAULT_RESERVED_METADATA,
+ MetadataUtils.getDeprecatedReservedMetadata("Please grant access via Kibana privileges instead."),
 null,
 null,
 null,
@@ -353,7 +343,7 @@ private static Map initializeReservedRoles() {
 + "including generating and downloading reports. "
 + "This role implicitly grants access to all Kibana reporting features, "
 + "with each user having access only to their own reports. Note that reporting users should also be assigned "
- + "additional roles that grant read access to the indices that will be used to generate reports."
+ + "additional roles that grant read access to Kibana, and the indices that will be used to generate reports."
 )
 ),
 entry(KibanaSystemUser.ROLE_NAME, kibanaSystemRoleDescriptor(KibanaSystemUser.ROLE_NAME)),
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 34dd684e83166..acf4c423edf04 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
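Review bot: The application pattern widens from `kibana-.kibana` to `kibana-*` on the same pair of lines that swaps the nine feature privileges for `reserved_reporting_user`, yet nothing in the change explains it: the role description in the second hunk and the changelog only describe the new privilege model, and ReservedRolesStoreTests still resolves the literal `applicationName = "kibana-.kibana"`, so the test presumably never exercises the wildcard. A reader cannot tell whether the wider pattern is something the reserved privilege requires or an unrelated broadening of which Kibana application names the role grants into; a one-line why-comment on the new `.application("kibana-*")` would settle it, e.g. `// kibana-* rather than kibana-.kibana: the reserved privilege has to apply to every registered Kibana application name — TODO confirm this matches the other kibana-* reserved roles`. The test should also check an application name that only the wildcard matches, and pin the reason string passed to `getDeprecatedReservedMetadata` rather than only `_deprecated: true`, so that the deprecation text and the wider match are both guarded. initializeReservedRoles begins and ends outside both hunks.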
@@ -2769,20 +2769,11 @@ public void testReportingUserRole() {
 RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("reporting_user");
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
+ assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true));
 final String applicationName = "kibana-.kibana";
- final Set applicationPrivilegeNames = Set.of(
- "feature_discover.minimal_read",
- "feature_discover.generate_report",
- "feature_dashboard.minimal_read",
- "feature_dashboard.generate_report",
- "feature_dashboard.download_csv_report",
- "feature_canvas.minimal_read",
- "feature_canvas.generate_report",
- "feature_visualize.minimal_read",
- "feature_visualize.generate_report"
- );
+ final Set applicationPrivilegeNames = Set.of("reserved_reporting_user");
 final Set allowedApplicationActionPatterns = Set.of(
 "login:",