From efecf695bedfbaf4275151dd68390c1378e01b1e Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Tue, 12 Aug 2025 14:47:22 -0400 Subject: [PATCH 1/5] Change reporting_user role to leverage reserved kibana privileges --- .../security/authz/store/ReservedRolesStore.java | 14 +++----------- .../authz/store/ReservedRolesStoreTests.java | 10 +--------- 2 files changed, 4 insertions(+), 20 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index e7a8b4e14707e..d2c662aadb64b 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -328,18 +328,10 @@ private static Map initializeReservedRoles() { null, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-.kibana") + .application("kibana-*") .resources("*") .privileges( - "feature_discover.minimal_read", - "feature_discover.generate_report", - "feature_dashboard.minimal_read", - "feature_dashboard.generate_report", - "feature_dashboard.download_csv_report", - "feature_canvas.minimal_read", - "feature_canvas.generate_report", - "feature_visualize.minimal_read", - "feature_visualize.generate_report" + "reserved_reporting_user" ) .build() }, null, 
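Review bot: The `.application("kibana-*")` line widens this reserved role from the single application `kibana-.kibana` to every application name matching the wildcard, and the one privilege it now names, `reserved_reporting_user`, is not defined anywhere in this file, so the effective grant is no longer readable here. Presumably the privilege's actions are registered from the Kibana side, which means they can change without any edit to `ReservedRolesStore`. I would record both decisions at the call site with a comment above the builder, for example `// Applies to all kibana-* applications; actions behind reserved_reporting_user are defined by Kibana, not here`, and have the commit message state why the wildcard is needed. `initializeReservedRoles()` starts and ends outside the hunk.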
@@ -353,7 +345,7 @@ private static Map initializeReservedRoles() { + "including generating and downloading reports. " + "This role implicitly grants access to all Kibana reporting features, " + "with each user having access only to their own reports. Note that reporting users should also be assigned " - + "additional roles that grant read access to the indices that will be used to generate reports." + + "additional roles that grant read access to Kibana, and the indices that will be used to generate reports." ) ), entry(KibanaSystemUser.ROLE_NAME, kibanaSystemRoleDescriptor(KibanaSystemUser.ROLE_NAME)), diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 34dd684e83166..84a31ee90aecd 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -2773,15 +2773,7 @@ public void testReportingUserRole() { final String applicationName = "kibana-.kibana"; final Set applicationPrivilegeNames = Set.of( - "feature_discover.minimal_read", - "feature_discover.generate_report", - "feature_dashboard.minimal_read", - "feature_dashboard.generate_report", - "feature_dashboard.download_csv_report", - "feature_canvas.minimal_read", - "feature_canvas.generate_report", - "feature_visualize.minimal_read", - "feature_visualize.generate_report" + "reserved_reporting_user" ); final Set allowedApplicationActionPatterns = Set.of( From b4435376c50b14aad2942b7e46baf4e597f1c900 Mon Sep 17 00:00:00 2001 
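Review bot: The rewritten last sentence of the description is the only production-code hint that holders of `reporting_user` now need a separate role for Kibana itself, yet the string still opens by saying the role "implicitly grants access to all Kibana reporting features". The previous hunk drops the `feature_*.minimal_read` names, so users who hold only this role plus index privileges presumably lose access they had before; that deserves plainer wording than "read access to Kibana, and the indices". Consider `+ "additional roles that grant access to the Kibana features they report on and read access to the indices used to generate reports."`. The surrounding `RoleDescriptor` constructor call begins outside the hunk.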
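Review bot: `applicationName` is still the fixed string `"kibana-.kibana"`, so after this change the test never exercises the `kibana-*` pattern the role is now built with. A regression that narrowed the pattern back to one application, or widened it beyond the `kibana-` prefix, would pass unnoticed. I would randomise the name the way other tests built on `ESTestCase` do, e.g. `final String applicationName = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana");`, and add a negative check that an application name without the `kibana-` prefix is not granted `reserved_reporting_user`. The rest of `testReportingUserRole()` lies outside the hunk, so how the privilege name is resolved into the asserted action patterns cannot be checked from here.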
From: elasticsearchmachine Date: Tue, 12 Aug 2025 18:56:35 +0000 Subject: [PATCH 2/5] [CI] Auto commit changes from spotless --- .../xpack/core/security/authz/store/ReservedRolesStore.java | 4 +--- .../core/security/authz/store/ReservedRolesStoreTests.java | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index d2c662aadb64b..000e319b0848c 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -330,9 +330,7 @@ private static Map initializeReservedRoles() { RoleDescriptor.ApplicationResourcePrivileges.builder() .application("kibana-*") .resources("*") - .privileges( - "reserved_reporting_user" - ) + .privileges("reserved_reporting_user") .build() }, null, null, diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 84a31ee90aecd..e79d713c5f57b 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -2772,9 +2772,7 @@ public void testReportingUserRole() { final String applicationName = "kibana-.kibana"; - final Set applicationPrivilegeNames = Set.of( - "reserved_reporting_user" - ); + final Set applicationPrivilegeNames = Set.of("reserved_reporting_user"); final Set allowedApplicationActionPatterns = Set.of( "login:", 
From f8af0b492b4d090c34afe7a67001d941d7f41816 Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Tue, 12 Aug 2025 15:03:04 -0400 Subject: [PATCH 3/5] Mark reporting_user role as deprecated --- .../xpack/core/security/authz/store/ReservedRolesStoreTests.java | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 84a31ee90aecd..a5c9a5fd1cc34 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -2769,6 +2769,7 @@ public void testReportingUserRole() { RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("reporting_user"); assertNotNull(roleDescriptor); assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); + assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true)); final String applicationName = "kibana-.kibana"; From 76939f90ce7b83838abf4eae38ffc0438c639a7a Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Mon, 18 Aug 2025 04:04:33 -0400 Subject: [PATCH 4/5] Update docs/changelog/132766.yaml --- docs/changelog/132766.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs/changelog/132766.yaml diff --git a/docs/changelog/132766.yaml b/docs/changelog/132766.yaml new file mode 100644 index 0000000000000..f0aa107b4222b --- /dev/null +++ b/docs/changelog/132766.yaml 
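Review bot: The added assertion in `testReportingUserRole()` checks only the `_deprecated` flag; the deprecation reason that administrators would actually see is not pinned. No production change accompanies it in this patch, so presumably the descriptor already carried the flag before the series. Since the changelog later tells administrators to migrate to custom roles, I would also assert that a reason is present, e.g. `assertThat(roleDescriptor.getMetadata(), hasKey("_deprecated_reason"));`. The test method continues outside the hunk.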
@@ -0,0 +1,11 @@
+pr: 132766
+summary: Change `reporting_user` role to leverage reserved kibana privileges
+area: Authorization
+type: deprecation
+issues: []
+deprecation:
+ title: Change `reporting_user` role to leverage reserved kibana privileges
+ area: Authorization
+ details: Please describe the details of this change for the release notes. You can
+ use asciidoc.
+ impact: Please describe the impact of this change to users
From dc0cf91f29c6a06b098510384b3b11266000298f Mon Sep 17 00:00:00 2001
From: Larry Gregory
Date: Mon, 18 Aug 2025 08:28:38 -0400
Subject: [PATCH 5/5] Update release notes
---
 docs/changelog/132766.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/docs/changelog/132766.yaml b/docs/changelog/132766.yaml
index f0aa107b4222b..0744c1c280632 100644
--- a/docs/changelog/132766.yaml
+++ b/docs/changelog/132766.yaml
@@ -4,8 +4,7 @@ area: Authorization
 type: deprecation
 issues: []
 deprecation:
- title: Change `reporting_user` role to leverage reserved kibana privileges
+ title: Deprecate the built-in `reporting_user` role.
 area: Authorization
- details: Please describe the details of this change for the release notes. You can
- use asciidoc.
- impact: Please describe the impact of this change to users
+ details: The `reporting_user` role is deprecated. Administrators should manage access to Kibana's reporting features via custom roles which grant the necessary privileges.
+ impact: This role will be removed in a future version. Administrators should migrate to custom roles to avoid interruption.