diff --git a/docs/changelog/133968.yaml b/docs/changelog/133968.yaml
new file mode 100644
index 0000000000000..795542a057ec4
--- /dev/null
+++ b/docs/changelog/133968.yaml
@@ -0,0 +1,5 @@
+pr: 133968
+summary: Extend kibana-system permissions to manage security entities
+area: Infra/Core
+type: enhancement
+issues: []
diff --git a/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java b/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java
index 555d04e1c1a5d..d2b7be1fd3dc2 100644
--- a/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java
+++ b/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java
@@ -73,7 +73,7 @@ public abstract class DotPrefixValidator implements MappedActionFil
 "\\.ml-state-\\d+",
 "\\.slo-observability\\.sli-v\\d+.*",
 "\\.slo-observability\\.summary-v\\d+.*",
- "\\.entities\\.v\\d+\\.latest\\..*",
+ "\\.entities\\.v\\d+\\..*",
 "\\.monitoring-es-8-.*",
 "\\.monitoring-logstash-8-.*",
 "\\.monitoring-kibana-8-.*",
diff --git a/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java b/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java
index 7bf1fb3810790..862c7ab2b34f0 100644
--- a/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java
+++ b/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java
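Review bot: The allowlist entry now accepts every `.entities.v<N>.` index regardless of the segment that follows, whereas the old pattern was limited to `latest`; a name such as `.entities.v1.anything` would now skip the dot-prefix validation path. The names exercised in the accompanying test hunk only use `latest`, `history` and `reset`, so an explicit alternation `"\\.entities\\.v\\d+\\.(latest|history|reset)\\..*",` covers them without opening the whole version prefix. If further segments are expected later, a short comment on this line naming the owning feature would tell the next reader why the pattern is open-ended. The pattern array this entry sits in begins and ends outside the hunk.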
@@ -77,6 +77,10 @@ public void testValidation() {
 nonOpV.validateIndices(Set.of(".slo-observability.summary-v2.3-2024-01-01"));
 nonOpV.validateIndices(Set.of("<.slo-observability.summary-v3.3.{2024-10-16||/M{yyyy-MM-dd|UTC}}>"));
 nonOpV.validateIndices(Set.of(".entities.v1.latest.builtin_services_from_ecs_data"));
+ nonOpV.validateIndices(Set.of(".entities.v1.history.2025-09-16.security_host_default"));
+ nonOpV.validateIndices(Set.of(".entities.v2.history.2025-09-16.security_user_custom"));
+ nonOpV.validateIndices(Set.of(".entities.v5.reset.security_user_custom"));
+ nonOpV.validateIndices(Set.of(".entities.v1.latest.noop"));
 nonOpV.validateIndices(Set.of(".entities.v92.latest.eggplant.potato"));
 nonOpV.validateIndices(Set.of("<.entities.v12.latest.eggplant-{M{yyyy-MM-dd|UTC}}>"));
 nonOpV.validateIndices(Set.of(".monitoring-es-8-thing"));
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index 5bf438ce540f4..36bd50359184f 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
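Review bot: All four added cases are positive, so nothing in this hunk pins what the widened `\\.entities\\.v\\d+\\..*` pattern still rejects; a later edit that drops the `v\d+` segment requirement would pass these lines unchanged. If the file does not already assert a rejected name nearby, add one alongside these, e.g. a name without a version segment such as `.entities.latest.noop`, checked with whatever assertion the file uses for names that do trigger validation. testValidation begins and ends outside the hunk.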
@@ -595,7 +595,15 @@ static RoleDescriptor kibanaSystem(String name) {
 .indices(".asset-criticality.asset-criticality-*")
 .privileges("create_index", "manage", "read", "write")
 .build(),
- RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("read", "write").build(),
+ RoleDescriptor.IndicesPrivileges.builder().indices(".entities.*").privileges("read", "write").build(),
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(".entities.*history*")
+ .privileges("create_index", "manage", "read", "write")
+ .build(),
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(".entities.*reset*")
+ .privileges("create_index", "manage", "read", "write")
+ .build(),
 // For cloud_defend usageCollection
 RoleDescriptor.IndicesPrivileges.builder()
 .indices("logs-cloud_defend.*", "metrics-cloud_defend.*")
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index dc3db9d5c88df..f60fe471f625c 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -77,6 +77,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 /** "Security Solutions" Entity Store and Asset Criticality indices for Asset Inventory and Entity Analytics */
 public static final String ENTITY_STORE_V1_LATEST_INDEX = ".entities.v1.latest.security_*";
+ public static final String ENTITY_STORE_HISTORY_INDEX = ".entities.*.history.*";
 public static final String ASSET_CRITICALITY_INDEX = ".asset-criticality.asset-criticality-*";
 /** Index pattern for Universal Profiling */
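Review bot: The two new `manage` grants are anchored only on a substring: `.entities.*history*` and `.entities.*reset*` match any entity index whose name contains `history` or `reset` anywhere after the prefix, so a `latest` index such as `.entities.v1.latest.reset_tool` or `.entities.v1.latest.user_history` would receive `create_index`/`manage` instead of the read/write the preceding line intends for it. The names exercised in the DotPrefixValidator tests (`.entities.v1.history.2025-09-16.security_host_default`, `.entities.v5.reset.security_user_custom`) and the `ENTITY_STORE_HISTORY_INDEX` constant added in this same PR (`.entities.*.history.*`) all keep the segment as a dot-delimited component, so `.indices(".entities.*.history.*")` and `.indices(".entities.*.reset.*")` grant the same indices with less spill-over. The read/write grant also drops the former `security*` qualifier and now covers every entity index, including non-security ones like `.entities.v1.latest.builtin_services_from_ecs_data`; if that widening is intended, a one-line comment on that builder saying which feature needs it would save the next reviewer the question. kibanaSystem begins and ends outside the hunk.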
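Review bot: `ENTITY_STORE_HISTORY_INDEX` is not qualified by `security_` the way `ENTITY_STORE_V1_LATEST_INDEX` is, so the viewer and editor roles that consume it get read access to the history indices of every entity type, despite sitting under the "Security Solutions" Javadoc. The history names in this PR's tests place the entity name after a date segment (`.entities.v1.history.2025-09-16.security_host_default`), so `".entities.*.history.*.security_*"` would keep parity with the v1 constant, assuming that layout holds for all history indices. If non-security history data is meant to be readable by these roles, extend the Javadoc above to say so rather than leaving it to imply the opposite. The class body continues outside the hunk.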
@@ -780,6 +781,7 @@ private static RoleDescriptor buildViewerRoleDescriptor() {
 ReservedRolesStore.LISTS_INDEX_REINDEXED_V8,
 ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8,
 ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX,
+ ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX,
 ReservedRolesStore.ASSET_CRITICALITY_INDEX
 )
 .privileges("read", "view_index_metadata")
@@ -849,7 +851,7 @@ private static RoleDescriptor buildEditorRoleDescriptor() {
 .build(),
 // Security - Entity Store is view only
 RoleDescriptor.IndicesPrivileges.builder()
- .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX)
+ .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX, ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX)
 .privileges("read", "view_index_metadata")
 .build(),
 // Alerts-as-data