Introduce new read_security cluster privilege (#89790)

This introduces a new built-in cluster privilege that allows all
read-only security-related operations. It also allows checking the user
and user profile privileges with the "has privilege" APIs.

Resolves #89245

docs/changelog/89790.yaml

@@ -0,0 +1,6 @@
+pr: 89790
+summary: Introduce the new `read_security` cluster privilege
+area: Authorization
+type: feature
+issues:
+ - 89245

x-pack/docs/en/rest-api/security/get-api-keys.asciidoc

@@ -15,9 +15,10 @@ Retrieves information for one or more API keys.
 [[security-api-get-api-key-prereqs]]
 ==== {api-prereq-title}
 
-* To use this API, you must have at least the `manage_own_api_key` cluster privilege.
+* To use this API, you must have at least the `manage_own_api_key` or the `read_security`
+cluster privileges.
 * If you have only the `manage_own_api_key` privilege, this API returns only
-the API keys that you own. If you have the `manage_api_key` or greater
+the API keys that you own. If you have `read_security`, `manage_api_key` or greater
 privileges (including `manage_security`), this API returns all API keys
 regardless of ownership.
 

x-pack/docs/en/rest-api/security/get-app-privileges.asciidoc

@@ -14,15 +14,15 @@ Retrieves <<application-privileges,application privileges>>.
 
 `GET /_security/privilege/<application>` +
 
-`GET /_security/privilege/<application>/<privilege>` 
+`GET /_security/privilege/<application>/<privilege>`
 
 
 [[security-api-get-privileges-prereqs]]
 ==== {api-prereq-title}
 
 To use this API, you must have either:
 
-- the `manage_security` cluster privilege (or a greater privilege such as `all`); _or_
+- the `read_security` cluster privilege (or a greater privilege such as `manage_security` or `all`); _or_
 - the _"Manage Application Privileges"_ global privilege for the application being referenced
   in the request
 
@@ -51,7 +51,7 @@ To check a user's application privileges, use the
 [[security-api-get-privileges-example]]
 ==== {api-examples-title}
 
-The following example retrieves information about the `read` privilege for the 
+The following example retrieves information about the `read` privilege for the
 `app01` application:
 
 [source,console]

x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc

@@ -19,8 +19,8 @@ available in this version of {es}.
 [[security-api-get-builtin-privileges-prereqs]]
 ==== {api-prereq-title}
 
-* To use this API, you must have - the `manage_security` cluster privilege
-(or a greater privilege such as `all`).
+* To use this API, you must have the `read_security` cluster privilege
+(or a greater privilege such as `manage_security` or `all`).
 
 [[security-api-get-builtin-privileges-desc]]
 ==== {api-description-title}
@@ -102,6 +102,7 @@ A successful call returns an object with "cluster" and "index" fields.
     "read_ccr",
     "read_ilm",
     "read_pipeline",
+    "read_security",
     "read_slm",
     "transport_client"
   ],

x-pack/docs/en/rest-api/security/get-role-mappings.asciidoc

@@ -12,17 +12,17 @@ Retrieves role mappings.
 
 `GET /_security/role_mapping` +
 
-`GET /_security/role_mapping/<name>` 
+`GET /_security/role_mapping/<name>`
 
 [[security-api-get-role-mapping-prereqs]]
 ==== {api-prereq-title}
 
-* To use this API, you must have at least the `manage_security` cluster privilege.
+* To use this API, you must have at least the `read_security` cluster privilege.
 
 [[security-api-get-role-mapping-desc]]
 ==== {api-description-title}
 
-Role mappings define which roles are assigned to each user. For more information, 
+Role mappings define which roles are assigned to each user. For more information,
 see <<mapping-roles>>.
 
 The role mapping APIs are generally the preferred way to manage role mappings
@@ -36,16 +36,16 @@ in role mapping files.
 `name`::
   (Optional, string) The distinct name that identifies the role mapping. The name
   is used solely as an identifier to facilitate interaction via the API; it does
-  not affect the behavior of the mapping in any way. You can specify multiple 
+  not affect the behavior of the mapping in any way. You can specify multiple
   mapping names as a comma-separated list. If you do not specify this
-  parameter, the API returns information about all role mappings. 
+  parameter, the API returns information about all role mappings.
 
 [[security-api-get-role-mapping-response-body]]
 ==== {api-response-body-title}
 
 A successful call retrieves an object, where the keys are the
-names of the request mappings, and the values are the JSON representation of 
-those mappings. For more information, see 
+names of the request mappings, and the values are the JSON representation of
+those mappings. For more information, see
 <<role-mapping-resources>>.
 
 [[security-api-get-role-mapping-response-codes]]

x-pack/docs/en/rest-api/security/get-roles.asciidoc

@@ -17,8 +17,7 @@ Retrieves roles in the native realm.
 [[security-api-get-role-prereqs]]
 ==== {api-prereq-title}
 
-* To use this API, you must have at least the `manage_security` cluster
-privilege.
+* To use this API, you must have at least the `read_security` cluster privilege.
 
 [[security-api-get-role-desc]]
 ==== {api-description-title}
@@ -31,10 +30,10 @@ API cannot retrieve roles that are defined in roles files.
 ==== {api-path-parms-title}
 
 `name`::
-  (Optional, string) The name of the role. You can specify multiple roles as a 
-  comma-separated list. If you do not specify this parameter, the API 
+  (Optional, string) The name of the role. You can specify multiple roles as a
+  comma-separated list. If you do not specify this parameter, the API
   returns information about all roles.
-  
+
 [[security-api-get-role-response-body]]
 ==== {api-response-body-title}
 
@@ -49,7 +48,7 @@ If the role is not defined in the native realm, the request returns 404.
 [[security-api-get-role-example]]
 ==== {api-examples-title}
 
-The following example retrieves information about the `my_admin_role` role in 
+The following example retrieves information about the `my_admin_role` role in
 the native realm:
 
 [source,console]

x-pack/docs/en/rest-api/security/get-service-credentials.asciidoc

@@ -16,16 +16,17 @@ Retrieves all service credentials for a  <<service-accounts,service account>>.
 [[security-api-get-service-credentials-prereqs]]
 ==== {api-prereq-title}
 
-* To use this API, you must have at least the `manage_service_account`
-<<privileges-list-cluster,cluster privilege>>.
+* To use this API, you must have at least the `read_security`
+<<privileges-list-cluster,cluster privilege>> (or a greater privilege
+such as `manage_service_account` or `manage_security`).
 
 [[security-api-get-service-credentials-desc]]
 ==== {api-description-title}
 
 Use this API to retrieve a list of credentials for a service account.
 The response includes service account tokens that were created with the
-<< create service account API >> as well as file-backed tokens from all
-nodes of the cluster.
+<<security-api-create-service-token,create service account tokens API>>
+as well as file-backed tokens from all nodes of the cluster.
 
 NOTE: For tokens backed by the `service_tokens` file, the API collects
 them from all nodes of the cluster. Tokens with the same name from

x-pack/docs/en/rest-api/security/get-user-profile.asciidoc

@@ -17,8 +17,9 @@ Retrieves user profiles using a list of unique profile ID.
 [[security-api-get-user-profile-prereqs]]
 ==== {api-prereq-title}
 
-* To use this API, you must have _at least_ the `manage_user_profile` cluster privilege.
-
+To use this API, you must have _at least_ the `read_security`
+<<privileges-list-cluster,cluster privilege>> (or a greater privilege
+such as `manage_user_profile` or `manage_security`).
 
 [[security-api-get-user-profile-desc]]
 ==== {api-description-title}

x-pack/docs/en/rest-api/security/get-users.asciidoc

@@ -5,27 +5,27 @@
 <titleabbrev>Get users</titleabbrev>
 ++++
 
-Retrieves information about users in the native realm and built-in users. 
+Retrieves information about users in the native realm and built-in users.
 
 
 [[security-api-get-user-request]]
 ==== {api-request-title}
 
 `GET /_security/user` +
 
-`GET /_security/user/<username>` 
+`GET /_security/user/<username>`
 
 [[security-api-get-user-prereqs]]
 ==== {api-prereq-title}
 
-* To use this API, you must have at least the `manage_security` cluster privilege.
+* To use this API, you must have at least the `read_security` cluster privilege.
 
 
 [[security-api-get-user-desc]]
 ==== {api-description-title}
 
-For more information about the native realm, see 
-<<realms>> and <<native-realm>>. 
+For more information about the native realm, see
+<<realms>> and <<native-realm>>.
 
 [[security-api-get-user-path-params]]
 ==== {api-path-parms-title}
@@ -60,7 +60,7 @@ GET /_security/user/jacknich
 
 [source,console-result]
 --------------------------------------------------
-{  
+{
   "jacknich": {
     "username": "jacknich",
     "roles": [

x-pack/docs/en/rest-api/security/has-privileges-user-profile.asciidoc

@@ -21,7 +21,9 @@ have all the requested privileges.
 [[security-api-has-privileges-user-profile-prereqs]]
 ==== {api-prereq-title}
 
-To use this API, you must have the `manage_user_profile` cluster privilege.
+To use this API, you must have _at least_ the `read_security`
+<<privileges-list-cluster,cluster privilege>> (or a greater privilege
+such as `manage_user_profile` or `manage_security`).
 
 [[security-api-has-privileges-user-profile-desc]]
 ==== {api-description-title}

x-pack/docs/en/rest-api/security/query-api-key.asciidoc

@@ -19,10 +19,10 @@ in a <<paginate-search-results,paginated>> fashion.
 [[security-api-query-api-key-prereqs]]
 ==== {api-prereq-title}
 
-* To use this API, you must have at least the `manage_own_api_key` cluster
-privilege.
+* To use this API, you must have at least the `manage_own_api_key` or the `read_security`
+cluster privileges.
 * If you have only the `manage_own_api_key` privilege, this API returns only
-the API keys that you own. If you have the `manage_api_key` or greater
+the API keys that you own. If you have the `read_security`, `manage_api_key` or greater
 privileges (including `manage_security`), this API returns all API keys
 regardless of ownership.
 

x-pack/docs/en/rest-api/security/suggest-user-profile.asciidoc

@@ -19,7 +19,9 @@ Get suggestions for user profiles that match specified search criteria.
 [[security-api-suggest-user-profile-prereqs]]
 ==== {api-prereq-title}
 
-To use this API, you must have the `manage_user_profile` cluster privilege.
+To use this API, you must have _at least_ the `read_security`
+<<privileges-list-cluster,cluster privilege>> (or a greater privilege
+such as `manage_user_profile` or `manage_security`).
 
 [[security-api-suggest-user-profile-query-params]]
 ==== {api-query-parms-title}

x-pack/docs/en/security/authorization/privileges.asciidoc

@@ -32,7 +32,10 @@ ability to manage security.
 `manage_api_key`::
 All security-related operations on {es} API keys including
 <<security-api-create-api-key,creating new API keys>>,
-<<security-api-get-api-key,retrieving information about API keys>>, and
+<<security-api-get-api-key,retrieving information about API keys>>,
+<<security-api-query-api-key,querying API keys>>,
+<<security-api-update-api-key,updating API key>>,
+<<security-api-bulk-update-api-keys,bulk updating API keys>>, and
 <<security-api-invalidate-api-key,invalidating API keys>>.
 +
 --
@@ -89,7 +92,10 @@ to initiate and manage OpenID Connect authentication on behalf of other users.
 All security-related operations on {es} API keys that are owned by the current
 authenticated user. The operations include
 <<security-api-create-api-key,creating new API keys>>,
-<<security-api-get-api-key,retrieving information about API keys>>, and
+<<security-api-get-api-key,retrieving information about API keys>>,
+<<security-api-query-api-key,querying API keys>>,
+<<security-api-update-api-key,updating API key>>,
+<<security-api-bulk-update-api-keys,bulk updating API keys>>, and
 <<security-api-invalidate-api-key,invalidating API keys>>.
 
 `manage_pipeline`::
@@ -176,6 +182,12 @@ Read-only access to ingest pipline (get, simulate).
 All read-only {slm-init} actions, such as getting policies and checking the
 {slm-init} status.
 
+`read_security`::
+All read-only security-related operations, such as getting users, user profiles,
+{es} API keys, {es} service accounts, roles and role mappings.
+Allows <<security-api-query-api-key,querying>> and <<security-api-get-api-key,retrieving information>>
+on all {es} API keys.
+
 `transport_client`::
 All privileges necessary for a transport client to connect. Required by the remote
 cluster to enable <<cross-cluster-configuring,{ccs}>>.

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java

@@ -28,11 +28,24 @@
 import org.elasticsearch.xpack.core.ilm.action.StartILMAction;
 import org.elasticsearch.xpack.core.ilm.action.StopILMAction;
 import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationAction;
+import org.elasticsearch.xpack.core.security.action.apikey.GetApiKeyAction;
 import org.elasticsearch.xpack.core.security.action.apikey.GrantApiKeyAction;
+import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyAction;
+import org.elasticsearch.xpack.core.security.action.privilege.GetBuiltinPrivilegesAction;
+import org.elasticsearch.xpack.core.security.action.privilege.GetPrivilegesAction;
+import org.elasticsearch.xpack.core.security.action.profile.GetProfilesAction;
+import org.elasticsearch.xpack.core.security.action.profile.SuggestProfilesAction;
+import org.elasticsearch.xpack.core.security.action.role.GetRolesAction;
+import org.elasticsearch.xpack.core.security.action.rolemapping.GetRoleMappingsAction;
 import org.elasticsearch.xpack.core.security.action.saml.SamlSpMetadataAction;
+import org.elasticsearch.xpack.core.security.action.service.GetServiceAccountAction;
+import org.elasticsearch.xpack.core.security.action.service.GetServiceAccountCredentialsAction;
 import org.elasticsearch.xpack.core.security.action.token.InvalidateTokenAction;
 import org.elasticsearch.xpack.core.security.action.token.RefreshTokenAction;
+import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesAction;
+import org.elasticsearch.xpack.core.security.action.user.GetUsersAction;
 import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
+import org.elasticsearch.xpack.core.security.action.user.ProfileHasPrivilegesAction;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.slm.action.GetSnapshotLifecycleAction;
 
@@ -174,6 +187,25 @@ public class ClusterPrivilegeResolver {
         ALL_SECURITY_PATTERN,
         Set.of(DelegatePkiAuthenticationAction.NAME)
     );
+    public static final NamedClusterPrivilege READ_SECURITY = new ActionClusterPrivilege(
+        "read_security",
+        Set.of(
+            GetApiKeyAction.NAME,
+            QueryApiKeyAction.NAME,
+            GetBuiltinPrivilegesAction.NAME,
+            GetPrivilegesAction.NAME,
+            GetProfilesAction.NAME,
+            ProfileHasPrivilegesAction.NAME,
+            SuggestProfilesAction.NAME,
+            GetRolesAction.NAME,
+            GetRoleMappingsAction.NAME,
+            GetServiceAccountAction.NAME,
+            GetServiceAccountCredentialsAction.NAME + "*",
+            GetUsersAction.NAME,
+            GetUserPrivilegesAction.NAME, // normally authorized under the "same-user" authz check, but added here for uniformity
+            HasPrivilegesAction.NAME
+        )
+    );
     public static final NamedClusterPrivilege MANAGE_SAML = new ActionClusterPrivilege("manage_saml", MANAGE_SAML_PATTERN);
     public static final NamedClusterPrivilege MANAGE_OIDC = new ActionClusterPrivilege("manage_oidc", MANAGE_OIDC_PATTERN);
     public static final NamedClusterPrivilege MANAGE_API_KEY = new ActionClusterPrivilege("manage_api_key", MANAGE_API_KEY_PATTERN);
@@ -239,6 +271,7 @@ public class ClusterPrivilegeResolver {
             READ_PIPELINE,
             TRANSPORT_CLIENT,
             MANAGE_SECURITY,
+            READ_SECURITY,
             MANAGE_SAML,
             MANAGE_OIDC,
             MANAGE_API_KEY,

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/user/HasPrivilegesRequestTests.java

@@ -94,6 +94,7 @@ private HasPrivilegesRequest randomRequest() {
                 ClusterPrivilegeResolver.MANAGE,
                 ClusterPrivilegeResolver.MANAGE_ML,
                 ClusterPrivilegeResolver.MANAGE_SECURITY,
+                ClusterPrivilegeResolver.READ_SECURITY,
                 ClusterPrivilegeResolver.MANAGE_PIPELINE,
                 ClusterPrivilegeResolver.ALL
             )