Extend kibana-system permissions to manage security entities (elastic#133968)

kubasobon · elasticsearchmachine · web-flow · commit bdbc642a31d9 · 2025-09-16T17:50:05.000+02:00
* extend kibana-system permissions for .entities.* indices

* trigger CI

* Update docs/changelog/133968.yaml

* update viewer/editor &amp; add reset management

* fix typos

* [CI] Auto commit changes from spotless

* extend validation exemption on .entities indices

* [CI] Update transport version definitions

---------

Co-authored-by: elasticsearchmachine &lt;infra-root+elasticsearchmachine@elastic.co&gt;
diff --git a/docs/changelog/133968.yaml b/docs/changelog/133968.yaml
@@ -0,0 +1,5 @@
+pr: 133968
+summary: Extend kibana-system permissions to manage security entities
+area: Infra/Core
+type: enhancement
+issues: []
diff --git a/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java b/modules/dot-prefix-validation/src/main/java/org/elasticsearch/validation/DotPrefixValidator.java
@@ -73,7 +73,7 @@ public abstract class DotPrefixValidator<RequestType> implements MappedActionFil
             "\\.ml-state-\\d+",
             "\\.slo-observability\\.sli-v\\d+.*",
             "\\.slo-observability\\.summary-v\\d+.*",
-            "\\.entities\\.v\\d+\\.latest\\..*",
+            "\\.entities\\.v\\d+\\..*",
             "\\.monitoring-es-8-.*",
             "\\.monitoring-logstash-8-.*",
             "\\.monitoring-kibana-8-.*",
diff --git a/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java b/modules/dot-prefix-validation/src/test/java/org/elasticsearch/validation/DotPrefixValidatorTests.java
@@ -77,6 +77,10 @@ public void testValidation() {
         nonOpV.validateIndices(Set.of(".slo-observability.summary-v2.3-2024-01-01"));
         nonOpV.validateIndices(Set.of("<.slo-observability.summary-v3.3.{2024-10-16||/M{yyyy-MM-dd|UTC}}>"));
         nonOpV.validateIndices(Set.of(".entities.v1.latest.builtin_services_from_ecs_data"));
+        nonOpV.validateIndices(Set.of(".entities.v1.history.2025-09-16.security_host_default"));
+        nonOpV.validateIndices(Set.of(".entities.v2.history.2025-09-16.security_user_custom"));
+        nonOpV.validateIndices(Set.of(".entities.v5.reset.security_user_custom"));
+        nonOpV.validateIndices(Set.of(".entities.v1.latest.noop"));
         nonOpV.validateIndices(Set.of(".entities.v92.latest.eggplant.potato"));
         nonOpV.validateIndices(Set.of("<.entities.v12.latest.eggplant-{M{yyyy-MM-dd|UTC}}>"));
         nonOpV.validateIndices(Set.of(".monitoring-es-8-thing"));
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -595,7 +595,15 @@ static RoleDescriptor kibanaSystem(String name) {
                     .indices(".asset-criticality.asset-criticality-*")
                     .privileges("create_index", "manage", "read", "write")
                     .build(),
-                RoleDescriptor.IndicesPrivileges.builder().indices(".entities.v1.latest.security*").privileges("read", "write").build(),
+                RoleDescriptor.IndicesPrivileges.builder().indices(".entities.*").privileges("read", "write").build(),
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices(".entities.*history*")
+                    .privileges("create_index", "manage", "read", "write")
+                    .build(),
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices(".entities.*reset*")
+                    .privileges("create_index", "manage", "read", "write")
+                    .build(),
                 // For cloud_defend usageCollection
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("logs-cloud_defend.*", "metrics-cloud_defend.*")
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -77,6 +77,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
 
     /** "Security Solutions" Entity Store and Asset Criticality indices for Asset Inventory and Entity Analytics */
     public static final String ENTITY_STORE_V1_LATEST_INDEX = ".entities.v1.latest.security_*";
+    public static final String ENTITY_STORE_HISTORY_INDEX = ".entities.*.history.*";
     public static final String ASSET_CRITICALITY_INDEX = ".asset-criticality.asset-criticality-*";
 
     /** Index pattern for Universal Profiling */
@@ -780,6 +781,7 @@ private static RoleDescriptor buildViewerRoleDescriptor() {
                         ReservedRolesStore.LISTS_INDEX_REINDEXED_V8,
                         ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8,
                         ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX,
+                        ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX,
                         ReservedRolesStore.ASSET_CRITICALITY_INDEX
                     )
                     .privileges("read", "view_index_metadata")
@@ -849,7 +851,7 @@ private static RoleDescriptor buildEditorRoleDescriptor() {
                     .build(),
                 // Security - Entity Store is view only
                 RoleDescriptor.IndicesPrivileges.builder()
-                    .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX)
+                    .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX, ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX)
                     .privileges("read", "view_index_metadata")
                     .build(),
                 // Alerts-as-data
