WIldcard IndicesPermissions don't cover .security

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -12,6 +12,7 @@
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
 import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivilege;
 import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivileges.ManageApplicationPrivileges;
+import org.elasticsearch.xpack.core.security.index.SystemIndicesNames;
 import org.elasticsearch.xpack.core.security.support.MetadataUtils;
 import org.elasticsearch.xpack.core.security.user.KibanaUser;
 import org.elasticsearch.xpack.core.security.user.UsernamesField;
@@ -32,7 +33,9 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
     public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor("superuser",
             new String[] { "all" },
             new RoleDescriptor.IndicesPrivileges[] {
-                    RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("all").build()},
+                    RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("all").build(),
+                    RoleDescriptor.IndicesPrivileges.builder().indices(SystemIndicesNames.indexNames().toArray(new String[0]))
+                            .privileges("all").build() },
             new RoleDescriptor.ApplicationResourcePrivileges[] {
                 RoleDescriptor.ApplicationResourcePrivileges.builder().application("*").privileges("*").resources("*").build()
             },
@@ -43,11 +46,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
 
     private static Map<String, RoleDescriptor> initializeReservedRoles() {
         return MapBuilder.<String, RoleDescriptor>newMapBuilder()
-                .put("superuser", new RoleDescriptor("superuser", new String[] { "all" },
-                        new RoleDescriptor.IndicesPrivileges[] {
-                                RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("all").build()},
-                        new String[] { "*" },
-                        MetadataUtils.DEFAULT_RESERVED_METADATA))
+                .put("superuser", SUPERUSER_ROLE_DESCRIPTOR)
                 .put("transport_client", new RoleDescriptor("transport_client", new String[] { "transport_client" }, null, null,
                         MetadataUtils.DEFAULT_RESERVED_METADATA))
                 .put("kibana_user", new RoleDescriptor("kibana_user", null, new RoleDescriptor.IndicesPrivileges[] {
@@ -83,6 +82,8 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                         },
                         new RoleDescriptor.IndicesPrivileges[] {
                             RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("monitor").build(),
+                            RoleDescriptor.IndicesPrivileges.builder().indices(SystemIndicesNames.indexNames().toArray(new String[0]))
+                                .privileges("monitor").build(),
                             RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("read").build()
                         },
                         null,

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/index/SystemIndicesNames.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.core.security.index;
+
+import org.elasticsearch.xpack.core.upgrade.IndexUpgradeCheckVersion;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+public final class SystemIndicesNames {
+
+    public static final String AUDIT_INDEX_NAME_PREFIX = ".security_audit_log";
+    public static final String INTERNAL_SECURITY_INDEX = ".security-" + IndexUpgradeCheckVersion.UPRADE_VERSION;
+    public static final String SECURITY_INDEX_NAME = ".security";
+    private static final Set<String> index_names;
+
+    static {
+        Set<String> indexNames = new HashSet<>();
+        indexNames.add(SECURITY_INDEX_NAME);
+        indexNames.add(INTERNAL_SECURITY_INDEX);
+        index_names = Collections.unmodifiableSet(indexNames);
+    }
+
+    public static Set<String> indexNames() {
+        return index_names;
+    }
+
+    private SystemIndicesNames() {
+    }
+
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/XPackUser.java

@@ -7,7 +7,7 @@
 
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
-import org.elasticsearch.xpack.core.security.index.IndexAuditTrailField;
+import org.elasticsearch.xpack.core.security.index.SystemIndicesNames;
 import org.elasticsearch.xpack.core.security.support.MetadataUtils;
 
 /**
@@ -20,7 +20,7 @@ public class XPackUser extends User {
     public static final Role ROLE = Role.builder(new RoleDescriptor(ROLE_NAME, new String[] { "all" },
             new RoleDescriptor.IndicesPrivileges[] {
                     RoleDescriptor.IndicesPrivileges.builder().indices("/@&~(\\.security.*)/").privileges("all").build(),
-                    RoleDescriptor.IndicesPrivileges.builder().indices(IndexAuditTrailField.INDEX_NAME_PREFIX + "-*")
+                    RoleDescriptor.IndicesPrivileges.builder().indices(SystemIndicesNames.AUDIT_INDEX_NAME_PREFIX + "-*")
                             .privileges("read").build()
             },
             new String[] { "*" },