[8.19] Return failure store privileges via get built-in privileges API (#125852) (#126019)

slobodanadamovic · web-flow · commit 1ec3feda0793 · 2025-05-08T18:55:55.000+10:00
* Return failure store privileges via get built-in privileges API (#125852) Return `read_failure_store` and `manage_failure_store` via `GET /_security/privilege/_builtin` API. * add failure store privileges to get-builtin-privileges API docs
diff --git a/docs/reference/rest-api/security/get-builtin-privileges.asciidoc b/docs/reference/rest-api/security/get-builtin-privileges.asciidoc
@@ -148,13 +148,15 @@ A successful call returns an object with "cluster", "index", and "remote_cluster
     "maintenance",
     "manage",
     "manage_data_stream_lifecycle",
+    "manage_failure_store",
     "manage_follow_index",
     "manage_ilm",
     "manage_leader_index",
     "monitor",
     "none",
     "read",
     "read_cross_cluster",
+    "read_failure_store",
     "view_index_metadata",
     "write"
   ],
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/privilege/RestGetBuiltinPrivilegesAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/privilege/RestGetBuiltinPrivilegesAction.java
@@ -28,9 +28,7 @@
 import org.elasticsearch.xpack.security.rest.action.SecurityBaseRestHandler;
 
 import java.io.IOException;
-import java.util.Arrays;
 import java.util.List;
-import java.util.Set;
 
 import static org.elasticsearch.rest.RestRequest.Method.GET;
 
@@ -41,8 +39,6 @@
 public class RestGetBuiltinPrivilegesAction extends SecurityBaseRestHandler {
 
     private static final Logger logger = LogManager.getLogger(RestGetBuiltinPrivilegesAction.class);
-    // TODO remove this once we can update docs tests again
-    private static final Set<String> FAILURE_STORE_PRIVILEGES_TO_EXCLUDE = Set.of("read_failure_store", "manage_failure_store");
     private final GetBuiltinPrivilegesResponseTranslator responseTranslator;
 
     public RestGetBuiltinPrivilegesAction(
@@ -75,20 +71,14 @@ public RestResponse buildResponse(GetBuiltinPrivilegesResponse response, XConten
                     final var translatedResponse = responseTranslator.translate(response);
                     builder.startObject();
                     builder.array("cluster", translatedResponse.getClusterPrivileges());
-                    builder.array("index", filterOutFailureStorePrivileges(translatedResponse));
+                    builder.array("index", translatedResponse.getIndexPrivileges());
                     String[] remoteClusterPrivileges = translatedResponse.getRemoteClusterPrivileges();
                     if (remoteClusterPrivileges.length > 0) { // remote clusters are not supported in stateless mode, so hide entirely
                         builder.array("remote_cluster", remoteClusterPrivileges);
                     }
                     builder.endObject();
                     return new RestResponse(RestStatus.OK, builder);
                 }
-
-                private static String[] filterOutFailureStorePrivileges(GetBuiltinPrivilegesResponse translatedResponse) {
-                    return Arrays.stream(translatedResponse.getIndexPrivileges())
-                        .filter(p -> false == FAILURE_STORE_PRIVILEGES_TO_EXCLUDE.contains(p))
-                        .toArray(String[]::new);
-                }
             }
         );
     }
diff --git a/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/privileges/11_builtin.yml b/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/privileges/11_builtin.yml
@@ -16,4 +16,4 @@ setup:
   # I would much prefer we could just check that specific entries are in the array, but we don't have
   # an assertion for that
   - length: { "cluster" : 62 }
-  - length: { "index" : 22 }
+  - length: { "index" : 24 }
