From baa4e56c4fcd74f4e7acf01301bfafe8c9f97a2e Mon Sep 17 00:00:00 2001
From: kubasobon
Date: Tue, 2 Sep 2025 12:23:23 +0200
Subject: [PATCH 1/8] extend kibana-system permissions for .entities.* indices
---
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index e65defea63e2b..40afee8aec23f 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -593,7 +593,11 @@ static RoleDescriptor kibanaSystem(String name) {
 .indices(".asset-criticality.asset-criticality-*")
 .privileges("create_index", "manage", "read", "write")
 .build(),
- RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("read", "write").build(),
+ RoleDescriptor.IndicesPrivileges.builder().indices(".entities.*").privileges("read", "write").build(),
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(".entities.*history*")
+ .privileges("create_index", "manage", "read", "write")
+ .build(),
 // For cloud_defend usageCollection
 RoleDescriptor.IndicesPrivileges.builder()
 .indices("logs-cloud_defend.*", "metrics-cloud_defend.*")
From 88aed352840aaffa0c697194d808510c3b0e9c13 Mon Sep 17 00:00:00 2001
From: kubasobon
Date: Thu, 4 Sep 2025 10:18:53 +0200
Subject: [PATCH 2/8] trigger CI
From 33aa6daa309467935bf904888364e98befc8afaf Mon Sep 17 00:00:00 2001
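Review bot: The replacement line widens kibana_system's read/write grant from `.entities.v1.latest.security*` to every `.entities.*` index, and the new `.entities.*history*` entry adds `create_index` and `manage` on the same unscoped basis, which is broader than the security entity store this series is about. The `.entities.` prefix is not exclusive to that store (the validator tests later in this series list `.entities.v1.latest.builtin_services_from_ecs_data`, a name with no `security` segment), so a reserved role now gets `manage` over index families it did not touch before. If the security store's indices all carry a `security` segment, as the new test names such as `.entities.v1.history.2025-09-16.security_host_default` suggest, keeping it in the pattern, e.g. `.indices(".entities.*history*security*")`, preserves the previous scoping; if the broad grant is deliberate, a one-line comment above these entries saying why, as `// For cloud_defend usageCollection` does below, would spare the next reviewer the same question. Note also that `.entities.*history*` is already matched by the `.entities.*` entry, so the second builder only contributes `create_index` and `manage`. kibanaSystem's body starts and ends outside the hunk.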
From: =?UTF-8?q?Kuba=20Sobo=C5=84?=
Date: Thu, 4 Sep 2025 10:25:40 +0200
Subject: [PATCH 3/8] Update docs/changelog/133968.yaml
---
 docs/changelog/133968.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 docs/changelog/133968.yaml
diff --git a/docs/changelog/133968.yaml b/docs/changelog/133968.yaml
new file mode 100644
index 0000000000000..795542a057ec4
--- /dev/null
+++ b/docs/changelog/133968.yaml
@@ -0,0 +1,5 @@
+pr: 133968
+summary: Extend kibana-system permissions to manage security entities
+area: Infra/Core
+type: enhancement
+issues: []
From bd69339e9f2461ecdcea8ae4c9dd1ddb50425fc6 Mon Sep 17 00:00:00 2001
From: kubasobon
Date: Mon, 15 Sep 2025 10:21:04 +0200
Subject: [PATCH 4/8] update viewer/editor & add reset management
---
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 4 ++++
 .../core/security/authz/store/ReservedRolesStore.java | 7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index cddccc105e36d..491d38a472165 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -600,6 +600,10 @@ static RoleDescriptor kibanaSystem(String name) {
 .indices(".entities.*history*")
 .privileges("create_index", "manage", "read", "write")
 .build(),
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(".entities.*reset*")
+ .privileges("create_index", "manage", "read", "write")
+ .build(),
 // For cloud_defend usageCollection
 RoleDescriptor.IndicesPrivileges.builder()
 .indices("logs-cloud_defend.*", "metrics-cloud_defend.*")
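Review bot: The new `.entities.*reset*` entry, like the `.entities.*history*` entry in the context above it, is a bare substring glob, so it grants `manage` on any `.entities.`-prefixed name that contains `reset` anywhere after the prefix rather than on a `reset` path segment. The `ReservedRolesStore` constant added in the same commit spells the history pattern `.entities.*.history.*`, so two files now describe the same indices with different patterns; aligning kibana_system on the dotted form, `.indices(".entities.*.reset.*")` and `.indices(".entities.*.history.*")`, keeps the grants consistent and narrower, and the test names added later in this series (`.entities.v5.reset.security_user_custom`) match it. A short comment above the history and reset builders naming what these index families are and why `manage` is required would also help, since nothing in the hunk explains it. kibanaSystem's body starts and ends outside the hunk.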
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index dc3db9d5c88df..7e00ed13a339a 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -77,6 +77,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 /** "Security Solutions" Entity Store and Asset Criticality indices for Asset Inventory and Entity Analytics */
 public static final String ENTITY_STORE_V1_LATEST_INDEX = ".entities.v1.latest.security_*";
+ public static final String ENTITY_STORE_HISTORY_INDEX = ".entities.*.history.*";
 public static final String ASSET_CRITICALITY_INDEX = ".asset-criticality.asset-criticality-*";
 /** Index pattern for Universal Profiling */
@@ -780,6 +781,7 @@ private static RoleDescriptor buildViewerRoleDescriptor() {
 ReservedRolesStore.LISTS_INDEX_REINDEXED_V8,
 ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8,
 ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX,
+ ReserveRolesStore.ENTITY_STORE_HISTORY_INDEX,
 ReservedRolesStore.ASSET_CRITICALITY_INDEX
 )
 .privileges("read", "view_index_metadata")
@@ -849,7 +851,10 @@ private static RoleDescriptor buildEditorRoleDescriptor() {
 .build(),
 // Security - Entity Store is view only
 RoleDescriptor.IndicesPrivileges.builder()
- .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX)
+ .indices(
+ ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX,
+ ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX,
+ )
 .privileges("read", "view_index_metadata")
 .build(),
 // Alerts-as-data
From f5c612417526585a14669d0e0fcd2356976baa02 Mon Sep 17 00:00:00 2001
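Review bot: `ENTITY_STORE_HISTORY_INDEX` is `.entities.*.history.*` with no `security_` component, whereas the sibling `ENTITY_STORE_V1_LATEST_INDEX` it sits under is scoped to `.entities.v1.latest.security_*`, so the viewer and editor builders in the two following hunks gain `read` and `view_index_metadata` on history indices of every entity store under the `.entities.` prefix, not only the "Security Solutions" store the Javadoc line above names. If the security history indices all end in `security_*`, as the test names added later in this series (`.entities.v1.history.2025-09-16.security_host_default`) suggest, `".entities.*.history.*.security_*"` keeps the constant consistent with its neighbour; if the wider match is intended, the Javadoc above should say so, since it is the only documentation of what these constants cover. The field declaration and both role builders sit in bodies that start and end outside their hunks.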
From: kubasobon
Date: Mon, 15 Sep 2025 10:33:51 +0200
Subject: [PATCH 5/8] fix typos
---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 7e00ed13a339a..9b59283a75aff 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -781,7 +781,7 @@ private static RoleDescriptor buildViewerRoleDescriptor() {
 ReservedRolesStore.LISTS_INDEX_REINDEXED_V8,
 ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8,
 ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX,
- ReserveRolesStore.ENTITY_STORE_HISTORY_INDEX,
+ ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX,
 ReservedRolesStore.ASSET_CRITICALITY_INDEX
 )
 .privileges("read", "view_index_metadata")
@@ -853,7 +853,7 @@ private static RoleDescriptor buildEditorRoleDescriptor() {
 RoleDescriptor.IndicesPrivileges.builder()
 .indices(
 ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX,
- ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX,
+ ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX
 )
 .privileges("read", "view_index_metadata")
 .build(),
From 871aa598fe748cc0ca1456ffc19159923dee79d2 Mon Sep 17 00:00:00 2001
From: elasticsearchmachine
Date: Mon, 15 Sep 2025 08:41:07 +0000
Subject: [PATCH 6/8] [CI] Auto commit changes from spotless
---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 9b59283a75aff..f60fe471f625c 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -851,10 +851,7 @@ private static RoleDescriptor buildEditorRoleDescriptor() {
 .build(),
 // Security - Entity Store is view only
 RoleDescriptor.IndicesPrivileges.builder()
- .indices(
- ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX,
- ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX
- )
+ .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX, ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX)
 .privileges("read", "view_index_metadata")
 .build(),
 // Alerts-as-data
From 392ef4735c9f48c70563d45d610902bf25029a45 Mon Sep 17 00:00:00 2001
From: kubasobon
Date: Tue, 16 Sep 2025 11:31:14 +0200
Subject: [PATCH 7/8] extend validation exemption on .entities indices
---
 .../java/org/elasticsearch/validation/DotPrefixValidator.java | 2 +-
 .../org/elasticsearch/validation/DotPrefixValidatorTests.java | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java b/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java
index 555d04e1c1a5d..d2b7be1fd3dc2 100644
--- a/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java
+++ b/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java
@@ -73,7 +73,7 @@ public abstract class DotPrefixValidator implements MappedActionFil
 "\\.ml-state-\\d+",
 "\\.slo-observability\\.sli-v\\d+.*",
 "\\.slo-observability\\.summary-v\\d+.*",
- "\\.entities\\.v\\d+\\.latest\\..*",
+ "\\.entities\\.v\\d+\\..*",
 "\\.monitoring-es-8-.*",
 "\\.monitoring-logstash-8-.*",
 "\\.monitoring-kibana-8-.*",
diff --git a/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java b/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java
index 7bf1fb3810790..862c7ab2b34f0 100644
--- a/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java
+++ b/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java
@@ -77,6 +77,10 @@ public void testValidation() {
 nonOpV.validateIndices(Set.of(".slo-observability.summary-v2.3-2024-01-01"));
 nonOpV.validateIndices(Set.of("<.slo-observability.summary-v3.3.{2024-10-16||/M{yyyy-MM-dd|UTC}}>"));
 nonOpV.validateIndices(Set.of(".entities.v1.latest.builtin_services_from_ecs_data"));
+ nonOpV.validateIndices(Set.of(".entities.v1.history.2025-09-16.security_host_default"));
+ nonOpV.validateIndices(Set.of(".entities.v2.history.2025-09-16.security_user_custom"));
+ nonOpV.validateIndices(Set.of(".entities.v5.reset.security_user_custom"));
+ nonOpV.validateIndices(Set.of(".entities.v1.latest.noop"));
 nonOpV.validateIndices(Set.of(".entities.v92.latest.eggplant.potato"));
 nonOpV.validateIndices(Set.of("<.entities.v12.latest.eggplant-{M{yyyy-MM-dd|UTC}}>"));
 nonOpV.validateIndices(Set.of(".monitoring-es-8-thing"));
From 3dd8a17a817a2c8de90d391b03f283446ecbb57b Mon Sep 17 00:00:00 2001
From: elasticsearchmachine
Date: Tue, 16 Sep 2025 09:38:46 +0000
Subject: [PATCH 8/8] [CI] Update transport version definitions
---
 server/src/main/resources/transport/upper_bounds/9.2.csv | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
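Review bot: The relaxed entry `"\\.entities\\.v\\d+\\..*"` exempts every `.entities.vN.`-prefixed name from the dot-prefix check, although the tests added in the same commit only exercise the `latest`, `history` and `reset` segments. Enumerating them, `"\\.entities\\.v\\d+\\.(latest|history|reset)\\..*"`, keeps the exemption as tight as the one it replaces while covering the new index families, and every name in the updated test still matches it. The DotPrefixValidatorTests hunk adds only accepted names; a companion case showing that an `.entities.vN.` name outside those segments is still flagged would pin the boundary, if the test class already has a helper for the rejecting path. The enclosing pattern list and testValidation both start and end outside their hunks.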
diff --git a/server/src/main/resources/transport/upper_bounds/9.2.csv b/server/src/main/resources/transport/upper_bounds/9.2.csv
index 49360d5e62d69..e24f914a1d1ca 100644
--- a/server/src/main/resources/transport/upper_bounds/9.2.csv
+++ b/server/src/main/resources/transport/upper_bounds/9.2.csv
@@ -1 +1 @@
-inference_api_eis_diagnostics,9156000
+ml_inference_endpoint_cache,9157000