Remove apm_user role (#116712)

Co-authored-by: Elastic Machine <[email protected]>
elastic · Nov 18, 2024 · e019fc0 · e019fc0
1 parent 5d9385f
commit e019fc0
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 149 deletions.
diff --git a/docs/reference/security/authorization/built-in-roles.asciidoc b/docs/reference/security/authorization/built-in-roles.asciidoc
@@ -14,11 +14,6 @@ roles have a fixed set of privileges and cannot be updated.
 Grants access necessary for the APM system user to send system-level data
 (such as monitoring) to {es}.
 
-[[built-in-roles-apm-user]] `apm_user` ::
-Grants the privileges required for APM users (such as `read` and
-`view_index_metadata` privileges on the `apm-*` and `.ml-anomalies*` indices).
-deprecated:[7.13.0,"See {kibana-ref}/apm-app-users.html[APM app users and privileges\] for alternatives."].
-
 [[built-in-roles-beats-admin]] `beats_admin` ::
 Grants access to the `.management-beats` index, which contains configuration
 information for the Beats.

diff --git a/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -402,67 +402,6 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                     "Grants access necessary for the APM system user to send system-level data (such as monitoring) to Elasticsearch.\n"
                 )
             ),
-            entry(
-                "apm_user",
-                new RoleDescriptor(
-                    "apm_user",
-                    null,
-                    new RoleDescriptor.IndicesPrivileges[] {
-                        // Self managed APM Server
-                        // Can be removed in 8.0
-                        RoleDescriptor.IndicesPrivileges.builder().indices("apm-*").privileges("read", "view_index_metadata").build(),
-
-                        // APM Server under fleet (data streams)
-                        RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm.*").privileges("read", "view_index_metadata").build(),
-                        RoleDescriptor.IndicesPrivileges.builder().indices("logs-apm-*").privileges("read", "view_index_metadata").build(),
-                        RoleDescriptor.IndicesPrivileges.builder()
-                            .indices("metrics-apm.*")
-                            .privileges("read", "view_index_metadata")
-                            .build(),
-                        RoleDescriptor.IndicesPrivileges.builder()
-                            .indices("metrics-apm-*")
-                            .privileges("read", "view_index_metadata")
-                            .build(),
-                        RoleDescriptor.IndicesPrivileges.builder()
-                            .indices("traces-apm.*")
-                            .privileges("read", "view_index_metadata")
-                            .build(),
-                        RoleDescriptor.IndicesPrivileges.builder()
-                            .indices("traces-apm-*")
-                            .privileges("read", "view_index_metadata")
-                            .build(),
-
-                        // Machine Learning indices. Only needed for legacy reasons
-                        // Can be removed in 8.0
-                        RoleDescriptor.IndicesPrivileges.builder()
-                            .indices(".ml-anomalies*")
-                            .privileges("read", "view_index_metadata")
-                            .build(),
-
-                        // Annotations
-                        RoleDescriptor.IndicesPrivileges.builder()
-                            .indices("observability-annotations")
-                            .privileges("read", "view_index_metadata")
-                            .build() },
-                    new RoleDescriptor.ApplicationResourcePrivileges[] {
-                        RoleDescriptor.ApplicationResourcePrivileges.builder()
-                            .application("kibana-*")
-                            .resources("*")
-                            .privileges("reserved_ml_apm_user")
-                            .build() },
-                    null,
-                    null,
-                    MetadataUtils.getDeprecatedReservedMetadata(
-                        "This role will be removed in a future major release. Please use editor and viewer roles instead"
-                    ),
-                    null,
-                    null,
-                    null,
-                    null,
-                    "Grants the privileges required for APM users (such as read and view_index_metadata privileges "
-                        + "on the apm-* and .ml-anomalies* indices)."
-                )
-            ),
             entry(
                 "inference_admin",
                 new RoleDescriptor(

diff --git a/.../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/.../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -3058,89 +3058,6 @@ public void testAPMSystemRole() {
         assertNoAccessAllowed(APMSystemRole, XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2));
     }
 
-    public void testAPMUserRole() {
-        final TransportRequest request = mock(TransportRequest.class);
-        final Authentication authentication = AuthenticationTestHelper.builder().build();
-
-        final RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("apm_user");
-        assertNotNull(roleDescriptor);
-        assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
-
-        final String allowedApplicationActionPattern = "example/custom/action/*";
-        final String kibanaApplicationWithRandomIndex = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana");
-        Role role = Role.buildFromRoleDescriptor(
-            roleDescriptor,
-            new FieldPermissionsCache(Settings.EMPTY),
-            RESTRICTED_INDICES,
-            List.of(
-                new ApplicationPrivilegeDescriptor(
-                    kibanaApplicationWithRandomIndex,
-                    "reserved_ml_apm_user",
-                    Set.of(allowedApplicationActionPattern),
-                    Map.of()
-                )
-            )
-        );
-
-        assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false));
-        assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 12)), is(false));
-
-        assertNoAccessAllowed(role, "foo");
-        assertNoAccessAllowed(role, "foo-apm");
-        assertNoAccessAllowed(role, "foo-logs-apm.bar");
-        assertNoAccessAllowed(role, "foo-logs-apm-bar");
-        assertNoAccessAllowed(role, "foo-traces-apm.bar");
-        assertNoAccessAllowed(role, "foo-traces-apm-bar");
-        assertNoAccessAllowed(role, "foo-metrics-apm.bar");
-        assertNoAccessAllowed(role, "foo-metrics-apm-bar");
-
-        assertOnlyReadAllowed(role, "logs-apm." + randomIntBetween(0, 5));
-        assertOnlyReadAllowed(role, "logs-apm-" + randomIntBetween(0, 5));
-        assertOnlyReadAllowed(role, "traces-apm." + randomIntBetween(0, 5));
-        assertOnlyReadAllowed(role, "traces-apm-" + randomIntBetween(0, 5));
-        assertOnlyReadAllowed(role, "metrics-apm." + randomIntBetween(0, 5));
-        assertOnlyReadAllowed(role, "metrics-apm-" + randomIntBetween(0, 5));
-        assertOnlyReadAllowed(role, "apm-" + randomIntBetween(0, 5));
-        assertOnlyReadAllowed(role, AnomalyDetectorsIndexFields.RESULTS_INDEX_PREFIX + AnomalyDetectorsIndexFields.RESULTS_INDEX_DEFAULT);
-
-        assertOnlyReadAllowed(role, "observability-annotations");
-
-        assertThat(
-            role.application().grants(ApplicationPrivilegeTests.createPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"),
-            is(false)
-        );
-        assertThat(
-            role.application()
-                .grants(
-                    ApplicationPrivilegeTests.createPrivilege(
-                        kibanaApplicationWithRandomIndex,
-                        "app-reserved_ml_apm_user",
-                        allowedApplicationActionPattern
-                    ),
-                    "*"
-                ),
-            is(true)
-        );
-
-        final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24);
-        assertThat(
-            role.application().grants(ApplicationPrivilegeTests.createPrivilege(otherApplication, "app-foo", "foo"), "*"),
-            is(false)
-        );
-        assertThat(
-            role.application()
-                .grants(
-                    ApplicationPrivilegeTests.createPrivilege(
-                        otherApplication,
-                        "app-reserved_ml_apm_user",
-                        allowedApplicationActionPattern
-                    ),
-                    "*"
-                ),
-            is(false)
-        );
-    }
-
     public void testMachineLearningAdminRole() {
         final TransportRequest request = mock(TransportRequest.class);
         final Authentication authentication = AuthenticationTestHelper.builder().build();