Granting kibana_system reserved role access to all privileges to .internal.alerts* (#76624) (#76635)

spong · banderror · web-flow · commit 46529f0006a2 · 2021-08-17T23:41:29.000-04:00
**Parent ticket:** elastic/kibana#101016 **Related to:** #72181 ## Summary Similar to the previous PR (#72181), we'd like to add privileges to a new set of indices to the `kibana_system` role. The reason for that is we need to have different naming schemes for alerts-as-data index aliases and backing indices pointing to these aliases, which in turn is needed to support backwards compatibility, migrations and reindexing in the future. We didn't want to prefix the backing indices with `.kibana-`, so we're adding a new `.internal.alerts` prefix. Prefixing with `.kibana-` would make them system indices, which means they would not be supposed to be read by end users, which is not what we want. `.internal` could become a universal prefix for hidden Kibana indices, but at this point I don't feel confident enough to generalise prematurely. Co-authored-by: Georgii Gorbachev <banderror@gmail.com>
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -37,8 +37,9 @@
 import java.util.stream.Collectors;
 
 public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>> {
-    public static final String LEGACY_ALERTS_INDEX = ".siem-signals*";
-    public static final String ALERTS_INDEX = ".alerts*";
+    public static final String ALERTS_LEGACY_INDEX = ".siem-signals*";
+    public static final String ALERTS_BACKING_INDEX = ".internal.alerts*";
+    public static final String ALERTS_INDEX_ALIAS = ".alerts*";
 
     public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor("superuser",
             new String[] { "all" },
@@ -422,15 +423,20 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(".fleet*")
                     .privileges("all").build(),
-                // Legacy "Alerts as data" index. Kibana user will create this index.
-                // Kibana user will read / write to these indices
+                // Legacy "Alerts as data" used in Security Solution.
+                // Kibana user creates these indices; reads / writes to them.
                 RoleDescriptor.IndicesPrivileges.builder()
-                    .indices(ReservedRolesStore.LEGACY_ALERTS_INDEX)
+                    .indices(ReservedRolesStore.ALERTS_LEGACY_INDEX)
                     .privileges("all").build(),
-                // "Alerts as data" index. Kibana user will create this index.
-                // Kibana user will read / write to these indices
+                // "Alerts as data" internal backing indices used in Security Solution, Observability, etc.
+                // Kibana system user creates these indices; reads / writes to them via the aliases (see below).
                 RoleDescriptor.IndicesPrivileges.builder()
-                    .indices(ReservedRolesStore.ALERTS_INDEX)
+                    .indices(ReservedRolesStore.ALERTS_BACKING_INDEX)
+                    .privileges("all").build(),
+                // "Alerts as data" public index aliases used in Security Solution, Observability, etc.
+                // Kibana system user uses them to read / write alerts.
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices(ReservedRolesStore.ALERTS_INDEX_ALIAS)
                     .privileges("all").build(),
                 // Endpoint / Fleet policy responses. Kibana requires read access to send telemetry
                 RoleDescriptor.IndicesPrivileges.builder()
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -404,8 +404,9 @@ public void testKibanaSystemRole() {
             ".reporting-" + randomAlphaOfLength(randomIntBetween(0, 13)),
             ".apm-agent-configuration",
             ".apm-custom-link",
-            ReservedRolesStore.LEGACY_ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
-            ReservedRolesStore.ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13))
+            ReservedRolesStore.ALERTS_LEGACY_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
+            ReservedRolesStore.ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
+            ReservedRolesStore.ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13))
         ).forEach((index) -> {
             logger.info("index name [{}]", index);
             assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(true));
