removed unnecessary priviledges on .ml-anomalies-* for the kibana_system reserved role

Author: ogupte

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -130,13 +130,10 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                                 // APM custom link index creation
                                 RoleDescriptor.IndicesPrivileges.builder()
                                         .indices(".apm-custom-link").privileges("all").build(),
-                                // APM telemetry queries APM & ML anomalies indices in kibana task runner
+                                // APM telemetry queries APM indices in kibana task runner
                                 RoleDescriptor.IndicesPrivileges.builder()
                                     .indices("apm-*")
-                                    .privileges("read", "read_cross_cluster", "view_index_metadata").build(),
-                                RoleDescriptor.IndicesPrivileges.builder()
-                                    .indices(".ml-anomalies-*")
-                                    .privileges("read", "read_cross_cluster", "view_index_metadata").build(),
+                                    .privileges("read", "read_cross_cluster").build(),
                         },
                         null,
                         new ConfigurableClusterPrivilege[] { new ManageApplicationPrivileges(Collections.singleton("kibana-*")) },

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -397,14 +397,11 @@ public void testKibanaSystemRole() {
         });
 
         // read-only indices for APM telemetry
-        Arrays.asList(
-            "apm-*",
-            ".ml-anomalies-*"
-        ).forEach((index) -> {
+        Arrays.asList("apm-*").forEach((index) -> {
             assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(index), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(index), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(false));
-            assertThat(kibanaRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(index), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(index), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(false));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false));