From 2f2c4002df52f201e9f3ab3e5a474c8513358afb Mon Sep 17 00:00:00 2001
From: "opensearch-trigger-bot[bot]"
 <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>
Date: Mon, 22 Aug 2022 09:35:56 -0400
Subject: [PATCH] Point in time API security changes (#2033) (#2037)

Signed-off-by: Bharathwaj G <bharath78910@gmail.com>
(cherry picked from commit 6b7a5869c84d453bb22be861a88b744512fa0d64)

Co-authored-by: Bharathwaj G <58062316+bharath-techie@users.noreply.github.com>
---
 .../static_config/static_action_groups.yml         | 14 +++++++++++---
 src/main/resources/static_config/static_roles.yml  |  2 +-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/main/resources/static_config/static_action_groups.yml b/src/main/resources/static_config/static_action_groups.yml
index 29a24fda2e..d0ce7613a2 100644
--- a/src/main/resources/static_config/static_action_groups.yml
+++ b/src/main/resources/static_config/static_action_groups.yml
@@ -116,7 +116,6 @@ cluster_composite_ops:
   - "indices:admin/aliases*"
   - "indices:data/write/reindex"
   - "cluster_composite_ops_ro"
-  - "indices:data/read/point_in_time/delete"
   type: "cluster"
   description: "Allow read/write bulk and m* operations"
 cluster_composite_ops_ro:
@@ -131,8 +130,6 @@ cluster_composite_ops_ro:
   - "indices:admin/aliases/get*"
   - "indices:data/read/scroll"
   - "indices:admin/resolve/index"
-  - "indices:data/read/point_in_time/read*"
-  - "indices:data/read/point_in_time/create"
   type: "cluster"
   description: "Allow readonly bulk and m* operations"
 get:
@@ -230,3 +227,14 @@ manage_data_streams:
   - "indices:monitor/data_stream/stats"
   type: "index"
   description: "Manage data streams"
+manage_point_in_time:
+  reserved: true
+  hidden: false
+  static: true
+  allowed_actions:
+    - "indices:data/read/point_in_time/create"
+    - "cluster:admin/point_in_time/delete"
+    - "cluster:admin/point_in_time/read*"
+    - "indices:monitor/point_in_time/segments"
+  type: "cluster"
+  description: "Manage point in time actions"
diff --git a/src/main/resources/static_config/static_roles.yml b/src/main/resources/static_config/static_roles.yml
index 21d7692a71..0d7f66531a 100644
--- a/src/main/resources/static_config/static_roles.yml
+++ b/src/main/resources/static_config/static_roles.yml
@@ -85,9 +85,9 @@ kibana_server:
   cluster_permissions:
   - "cluster_monitor"
   - "cluster_composite_ops"
+  - "manage_point_in_time"
   - "indices:admin/template*"
   - "indices:data/read/scroll*"
-  - "indices:data/read/point_in_time*"
   index_permissions:
   - index_patterns:
     - ".kibana"