Grant kibana_system all access to .alerts* and .siem-signals* indices (…

…#72181) Co-authored-by: Devin W. Hurley <snowmiser111@gmail.com>
elastic · May 12, 2021 · 0bf1601 · 0bf1601
1 parent 1c6b4cb
commit 0bf1601
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -37,6 +37,8 @@
 import java.util.stream.Collectors;
 
 public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>> {
+ public static final String LEGACY_ALERTS_INDEX = ".siem-signals*";
+ public static final String ALERTS_INDEX = ".alerts*";
 
  public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor("superuser",
  new String[] { "all" },
@@ -172,6 +174,16 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
  RoleDescriptor.IndicesPrivileges.builder()
  .indices(".fleet*")
  .privileges("all").build(),
+ // Legacy "Alerts as data" index. Kibana user will create this index.
+ // Kibana user will read / write to these indices
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.LEGACY_ALERTS_INDEX)
+ .privileges("all").build(),
+ // "Alerts as data" index. Kibana user will create this index.
+ // Kibana user will read / write to these indices
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.ALERTS_INDEX)
+ .privileges("all").build()
  },
  null,
  new ConfigurableClusterPrivilege[] { new ManageApplicationPrivileges(Collections.singleton("kibana-*")) },

diff --git a/.../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/.../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -403,7 +403,9 @@ public void testKibanaSystemRole() {
  ".kibana-devnull",
  ".reporting-" + randomAlphaOfLength(randomIntBetween(0, 13)),
  ".apm-agent-configuration",
- ".apm-custom-link"
+ ".apm-custom-link",
+ ReservedRolesStore.LEGACY_ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
+ ReservedRolesStore.ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13))
  ).forEach((index) -> {
  logger.info("index name [{}]", index);
  assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(true));