From 55e7c27130574382565521f826cef60e7596faa6 Mon Sep 17 00:00:00 2001
From: Davis Plumlee
Date: Mon, 15 Nov 2021 17:35:35 -0500
Subject: [PATCH 1/3] adds preview index to reserved roles
---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 4 ++++
 .../core/security/authz/store/ReservedRolesStoreTests.java | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index b1f65884d5641..1d578fbdc2edd 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -42,6 +42,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 public static final String ALERTS_LEGACY_INDEX = ".siem-signals*";
 public static final String ALERTS_BACKING_INDEX = ".internal.alerts*";
 public static final String ALERTS_INDEX_ALIAS = ".alerts*";
+ public static final String PREVIEW_ALERTS_INDEX_ALIAS = ".preview.alerts*";
 public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor(
 "superuser",
@@ -674,6 +675,9 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
 // "Alerts as data" public index aliases used in Security Solution, Observability, etc.
 // Kibana system user uses them to read / write alerts.
 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_INDEX_ALIAS).privileges("all").build(),
+ // "Alerts as data" public index alias used in Security Solution
+ // Kibana system user uses them to read / write alerts.
+ RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS).privileges("all").build(),
 // Endpoint / Fleet policy responses. Kibana requires read access to send telemetry
 RoleDescriptor.IndicesPrivileges.builder().indices("metrics-endpoint.policy-*").privileges("read").build(),
 // Endpoint metrics. Kibana requires read access to send telemetry
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index d8f961bf3f7be..c3f1c05141254 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
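Review bot: The added grant gives the Kibana system role `all` on `.preview.alerts*`, and the two comment lines above it are a near copy of the `.alerts*` comment, so a reader auditing this role cannot tell what the preview alias is for or why it needs the full privilege set. I would reword them to `// "Alerts as data" preview index alias (.preview.alerts*) used in Security Solution.` and `// Kibana system user uses it to read / write preview alerts.`, and say in the comment whether index management is also required. If only document reads and writes go through this alias, a narrower privilege list would limit what a leaked Kibana service credential can do to these indices; the neighbouring entries also use `all`, so this may be deliberate. The same question applies to the `.internal.preview.alerts*` grant added in patch 2/3. kibanaSystemRoleDescriptor starts and ends outside the hunk.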
@@ -464,7 +464,8 @@ public void testKibanaSystemRole() {
 ".apm-custom-link",
 ReservedRolesStore.ALERTS_LEGACY_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
- ReservedRolesStore.ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13))
+ ReservedRolesStore.ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
+ ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13))
 ).forEach(index -> assertAllIndicesAccessAllowed(kibanaRole, index));
 // read-only index access, including cross cluster
From 9b7bc74f27633c120d8320526b462c1ffc5fcacd Mon Sep 17 00:00:00 2001
From: Davis Plumlee
Date: Fri, 19 Nov 2021 16:22:05 -0500
Subject: [PATCH 2/3] adds backing indices
---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 4 ++++
 .../core/security/authz/store/ReservedRolesStoreTests.java | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 1d578fbdc2edd..c3b4d4d3bb906 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -43,6 +43,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 public static final String ALERTS_BACKING_INDEX = ".internal.alerts*";
 public static final String ALERTS_INDEX_ALIAS = ".alerts*";
 public static final String PREVIEW_ALERTS_INDEX_ALIAS = ".preview.alerts*";
+ public static final String PREVIEW_ALERTS_BACKING_INDEX_ALIAS = ".internal.preview.alerts*";
 public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor(
 "superuser",
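Review bot: The new list entry is only passed to `assertAllIndicesAccessAllowed`, so the test confirms the grant exists but, in the lines shown, not where it stops. The name is built as `ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS + randomAlphaOfLength(...)`, which keeps the literal `*` from the pattern constant, so a pattern that was accidentally wider would still pass. Consider adding a name just outside the prefix, for example `".preview-alerts" + randomAlphaOfLength(5)`, to the test's denied-access checks if it has any; the rest of testKibanaSystemRole is outside the hunk. The same applies to the `PREVIEW_ALERTS_BACKING_INDEX_ALIAS` entry added to this list in patch 2/3.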
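Review bot: `PREVIEW_ALERTS_BACKING_INDEX_ALIAS` names a backing-index pattern as an alias: its value `.internal.preview.alerts*` parallels `ALERTS_BACKING_INDEX = ".internal.alerts*"` in the context lines, and the comment added with its grant in this patch calls these "internal backing indices". Following the existing pair would give `public static final String PREVIEW_ALERTS_BACKING_INDEX = ".internal.preview.alerts*";`, with the two references in this patch renamed to match. In a reserved-role definition the alias / backing-index distinction is what a reader relies on when auditing which names carry which privileges.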
@@ -678,6 +679,9 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
 // "Alerts as data" public index alias used in Security Solution
 // Kibana system user uses them to read / write alerts.
 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS).privileges("all").build(),
+ // "Alerts as data" internal backing indices used in Security Solution
+ // Kibana system user creates these indices; reads / writes to them via the aliases (see below).
+ RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_ALIAS).privileges("all").build(),
 // Endpoint / Fleet policy responses. Kibana requires read access to send telemetry
 RoleDescriptor.IndicesPrivileges.builder().indices("metrics-endpoint.policy-*").privileges("read").build(),
 // Endpoint metrics. Kibana requires read access to send telemetry
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index c3f1c05141254..b27d9f0786830 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
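Review bot: The added comment says Kibana reads and writes these backing indices "via the aliases (see below)", but in this list the `PREVIEW_ALERTS_INDEX_ALIAS` grant sits directly above the new entry and the lines below it are the Endpoint telemetry grants. The wording looks carried over from another entry's comment (inferred; that entry is not in this hunk), and in a privilege list a wrong pointer sends an auditor to the wrong grant. Suggested: `// Kibana system user creates these indices; reads / writes to them via the preview alias (see above).` kibanaSystemRoleDescriptor starts and ends outside the hunk.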
@@ -465,7 +465,8 @@ public void testKibanaSystemRole() {
 ReservedRolesStore.ALERTS_LEGACY_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
- ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13))
+ ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
+ ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13))
 ).forEach(index -> assertAllIndicesAccessAllowed(kibanaRole, index));
 // read-only index access, including cross cluster
From 9b1cf55574e83007d92973b6b2a507d9f016dafb Mon Sep 17 00:00:00 2001
From: Davis Plumlee
Date: Fri, 19 Nov 2021 17:34:28 -0500
Subject: [PATCH 3/3] formats file
---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index c3b4d4d3bb906..2844b086e2371 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -681,7 +681,10 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS).privileges("all").build(),
 // "Alerts as data" internal backing indices used in Security Solution
 // Kibana system user creates these indices; reads / writes to them via the aliases (see below).
- RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_ALIAS).privileges("all").build(),
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_ALIAS)
+ .privileges("all")
+ .build(),
 // Endpoint / Fleet policy responses. Kibana requires read access to send telemetry
 RoleDescriptor.IndicesPrivileges.builder().indices("metrics-endpoint.policy-*").privileges("read").build(),
 // Endpoint metrics. Kibana requires read access to send telemetry