From 0bf1601afdcee87ec9b94030c83b15ff2e3f1fe9 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Wed, 12 May 2021 10:02:14 +0300 Subject: [PATCH] Grant kibana_system all access to .alerts* and .siem-signals* indices (#72181) Co-authored-by: Devin W. Hurley --- .../security/authz/store/ReservedRolesStore.java | 12 ++++++++++++ .../authz/store/ReservedRolesStoreTests.java | 4 +++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index d15036ceec420..ae1bdba00bccc 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -37,6 +37,8 @@ import java.util.stream.Collectors; public class ReservedRolesStore implements BiConsumer, ActionListener> { + public static final String LEGACY_ALERTS_INDEX = ".siem-signals*"; + public static final String ALERTS_INDEX = ".alerts*"; public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor("superuser", new String[] { "all" }, @@ -172,6 +174,16 @@ private static Map initializeReservedRoles() { RoleDescriptor.IndicesPrivileges.builder() .indices(".fleet*") .privileges("all").build(), + // Legacy "Alerts as data" index. Kibana user will create this index. + // Kibana user will read / write to these indices + RoleDescriptor.IndicesPrivileges.builder() + .indices(ReservedRolesStore.LEGACY_ALERTS_INDEX) + .privileges("all").build(), + // "Alerts as data" index. Kibana user will create this index. + // Kibana user will read / write to these indices + RoleDescriptor.IndicesPrivileges.builder() + .indices(ReservedRolesStore.ALERTS_INDEX) + .privileges("all").build() }, null, new ConfigurableClusterPrivilege[] { new ManageApplicationPrivileges(Collections.singleton("kibana-*")) }, diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 6966040bdc63d..5a3c7ca31f11c 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -403,7 +403,9 @@ public void testKibanaSystemRole() { ".kibana-devnull", ".reporting-" + randomAlphaOfLength(randomIntBetween(0, 13)), ".apm-agent-configuration", - ".apm-custom-link" + ".apm-custom-link", + ReservedRolesStore.LEGACY_ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)), + ReservedRolesStore.ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)) ).forEach((index) -> { logger.info("index name [{}]", index); assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(true));