Allow Kibana user to use the OpenID Connect APIs (#42305)

Add the manage_oidc privilege to the kibana user and to the role privileges list
elastic · May 22, 2019 · f007163 · f007163
1 parent e572214
commit f007163
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/...rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java b/...rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java
@@ -311,6 +311,7 @@ public static class ClusterPrivilegeName {
         public static final String TRANSPORT_CLIENT = "transport_client";
         public static final String MANAGE_SECURITY = "manage_security";
         public static final String MANAGE_SAML = "manage_saml";
+        public static final String MANAGE_OIDC = "manage_oidc";
         public static final String MANAGE_TOKEN = "manage_token";
         public static final String MANAGE_PIPELINE = "manage_pipeline";
         public static final String MANAGE_CCR = "manage_ccr";
@@ -319,7 +320,7 @@ public static class ClusterPrivilegeName {
         public static final String READ_ILM = "read_ilm";
         public static final String[] ALL_ARRAY = new String[] { NONE, ALL, MONITOR, MONITOR_ML, MONITOR_WATCHER, MONITOR_ROLLUP, MANAGE,
                 MANAGE_ML, MANAGE_WATCHER, MANAGE_ROLLUP, MANAGE_INDEX_TEMPLATES, MANAGE_INGEST_PIPELINES, TRANSPORT_CLIENT,
-                MANAGE_SECURITY, MANAGE_SAML, MANAGE_TOKEN, MANAGE_PIPELINE, MANAGE_CCR, READ_CCR, MANAGE_ILM, READ_ILM };
+            MANAGE_SECURITY, MANAGE_SAML, MANAGE_OIDC, MANAGE_TOKEN, MANAGE_PIPELINE, MANAGE_CCR, READ_CCR, MANAGE_ILM, READ_ILM};
     }
 
     /**

diff --git a/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -109,7 +109,7 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                         null))
                 .put(KibanaUser.ROLE_NAME, new RoleDescriptor(KibanaUser.ROLE_NAME,
                         new String[] {
-                            "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml", "manage_token"
+                            "monitor", "manage_index_templates", MonitoringBulkAction.NAME, "manage_saml", "manage_token", "manage_oidc"
                         },
                         new RoleDescriptor.IndicesPrivileges[] {
                                 RoleDescriptor.IndicesPrivileges.builder()