diff --git a/docs/changelog/132766.yaml b/docs/changelog/132766.yaml
new file mode 100644
index 0000000000000..0744c1c280632
--- /dev/null
+++ b/docs/changelog/132766.yaml
@@ -0,0 +1,10 @@
+pr: 132766
+summary: Change `reporting_user` role to leverage reserved kibana privileges
+area: Authorization
+type: deprecation
+issues: []
+deprecation:
+ title: Deprecate the built-in `reporting_user` role.
+ area: Authorization
+ details: The `reporting_user` role is deprecated. Administrators should manage access to Kibana's reporting features via custom roles which grant the necessary privileges.
+ impact: This role will be removed in a future version. Administrators should migrate to custom roles to avoid interruption.
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 83d9ecacb1f38..b6eaac655da23 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -324,23 +324,13 @@ private static Map initializeReservedRoles() {
 null,
 new RoleDescriptor.ApplicationResourcePrivileges[] {
 RoleDescriptor.ApplicationResourcePrivileges.builder()
- .application("kibana-.kibana")
+ .application("kibana-*")
 .resources("*")
- .privileges(
- "feature_discover.minimal_read",
- "feature_discover.generate_report",
- "feature_dashboard.minimal_read",
- "feature_dashboard.generate_report",
- "feature_dashboard.download_csv_report",
- "feature_canvas.minimal_read",
- "feature_canvas.generate_report",
- "feature_visualize.minimal_read",
- "feature_visualize.generate_report"
- )
+ .privileges("reserved_reporting_user")
 .build() },
 null,
 null,
- MetadataUtils.DEFAULT_RESERVED_METADATA,
+ MetadataUtils.getDeprecatedReservedMetadata("Please grant access via Kibana privileges instead."),
 null,
 null,
 null,
@@ -349,7 +339,7 @@ private static Map initializeReservedRoles() {
 + "including generating and downloading reports. "
 + "This role implicitly grants access to all Kibana reporting features, "
 + "with each user having access only to their own reports. Note that reporting users should also be assigned "
- + "additional roles that grant read access to the indices that will be used to generate reports."
+ + "additional roles that grant read access to Kibana, and the indices that will be used to generate reports."
 )
 ),
 entry(KibanaSystemUser.ROLE_NAME, kibanaSystemRoleDescriptor(KibanaSystemUser.ROLE_NAME)),
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 1c68045678042..a811912cadffe 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
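Review bot: `.application("kibana-*")` widens the grant from the single `kibana-.kibana` application to every application name matching the pattern, and nothing in the hunk records why the wildcard is needed; the accompanying test hunk in ReservedRolesStoreTests still sets `applicationName = "kibana-.kibana"`, so the wider match is not exercised. The privilege name `reserved_reporting_user` is not defined in this store (the PR summary calls it a reserved Kibana privilege), so the role's effective permissions are now whatever Kibana binds to that name, which is worth stating next to the builder so a reader does not look for the feature list here. I would add above `.application("kibana-*")`: `// Any Kibana application name; the concrete reporting feature privileges are resolved by Kibana from reserved_reporting_user — confirm the wildcard (rather than kibana-.kibana) is intentional`. initializeReservedRoles starts and ends outside this hunk.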
@@ -2762,20 +2762,11 @@ public void testReportingUserRole() {
 RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("reporting_user");
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
+ assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true));
 final String applicationName = "kibana-.kibana";
- final Set applicationPrivilegeNames = Set.of(
- "feature_discover.minimal_read",
- "feature_discover.generate_report",
- "feature_dashboard.minimal_read",
- "feature_dashboard.generate_report",
- "feature_dashboard.download_csv_report",
- "feature_canvas.minimal_read",
- "feature_canvas.generate_report",
- "feature_visualize.minimal_read",
- "feature_visualize.generate_report"
- );
+ final Set applicationPrivilegeNames = Set.of("reserved_reporting_user");
 final Set allowedApplicationActionPatterns = Set.of(
 "login:",