From d559964bb385f0abdab31045b56bc286b5605a8d Mon Sep 17 00:00:00 2001
From: Ievgen Sorokopud
Date: Thu, 24 Apr 2025 14:27:31 +0200
Subject: [PATCH 1/6] Granting `kibana_system` reserved role access to "all" privileges to `.adhoc.alerts*` and `.internal.adhoc.alerts*` indices
---
 .../store/KibanaOwnedReservedRoleDescriptors.java | 6 ++++++
 .../core/security/authz/store/ReservedRolesStore.java | 10 ++++++++--
 .../security/authz/store/ReservedRolesStoreTests.java | 2 ++
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index 06af3749c7e5c..7ff317e4edbfb 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -265,6 +265,12 @@ static RoleDescriptor kibanaSystem(String name) {
 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTS_INDEX_ALIAS).privileges("all").build(),
 // "Alerts as data" public index alias used in Security Solution
 // Kibana system user uses them to read / write alerts.
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX, ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS)
+ .privileges("all")
+ .build(),
+ // "Alerts as data" public index alias used in Security Solution
+ // Kibana system user uses them to read / write alerts.
 RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS).privileges("all").build(),
 // "Alerts as data" internal backing indices used in Security Solution
 // Kibana system user creates these indices; reads / writes to them via the
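Review bot: The comment pair above the new ad-hoc alerts entry in `kibanaSystem` is the one that used to sit on the `PREVIEW_ALERTS_INDEX_ALIAS` line, and it is now duplicated, so two adjacent entries carry the same "public index alias ... read / write alerts" text. It does not describe the new entry, which covers the backing pattern `ADHOC_ALERTS_BACKING_INDEX` as well as the alias, and the same stale comment is still the context of the entry in patch 4/6, where the grant includes index creation and management. I would replace the first copy with `// "Attack Discovery" ad-hoc alerts backing indices and alias used in Security Solution` followed by `// Kibana system user creates and manages these indices; reads / writes alerts in them.` (wording to be confirmed against how Kibana actually uses them), so the privilege list can be audited against a stated purpose. The body of `kibanaSystem` starts and ends outside the hunk.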
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 1ec1d5912db68..90289f139232c 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -59,6 +59,10 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 public static final String PREVIEW_ALERTS_BACKING_INDEX = ".internal.preview.alerts*";
 public static final String PREVIEW_ALERTS_BACKING_INDEX_REINDEXED = ".reindexed-v8-internal.preview.alerts*";
 
+ /** "Attack Discovery" ad-hoc alerts index */
+ public static final String ADHOC_ALERTS_INDEX_ALIAS = ".adhoc.alerts*";
+ public static final String ADHOC_ALERTS_BACKING_INDEX = ".internal.adhoc.alerts*";
+
 /** "Security Solutions" only lists index for value lists for detections */
 public static final String LISTS_INDEX = ".lists-*";
 public static final String LISTS_INDEX_REINDEXED_V8 = ".reindexed-v8-lists-*";
@@ -782,7 +786,7 @@ private static RoleDescriptor buildViewerRoleDescriptor() {
 .build(),
 // Alerts-as-data
 RoleDescriptor.IndicesPrivileges.builder()
- .indices(ReservedRolesStore.ALERTS_INDEX_ALIAS, ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS)
+ .indices(ReservedRolesStore.ALERTS_INDEX_ALIAS, ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS, ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS)
 .privileges("read", "view_index_metadata")
 .build(),
 // Universal Profiling
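Review bot: The `buildViewerRoleDescriptor` hunk widens the built-in `viewer` role to `read` and `view_index_metadata` on `.adhoc.alerts*`, and the `buildEditorRoleDescriptor` hunk that follows adds both ad-hoc patterns to the `editor` entry carrying `write` and `maintenance`, yet the subject and the changelog summary name only `kibana_system` and the test changes in this series touch only `testKibanaSystemRole`. Widening two reserved roles that ordinary users hold deserves its own mention and coverage: name `viewer` and `editor` in the changelog summary and add assertions for the new patterns to the viewer and editor role tests (they may exist elsewhere in the test file; none are visible in this series). A comment on the entry such as `// Alerts-as-data, including "Attack Discovery" ad-hoc alerts` would also record why the pattern is there. Both builder methods continue outside their hunks.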
@@ -846,7 +850,9 @@ private static RoleDescriptor buildEditorRoleDescriptor() {
 ReservedRolesStore.ALERTS_INDEX_ALIAS,
 ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX,
 ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_REINDEXED,
- ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS
+ ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS,
+ ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX,
+ ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS
 )
 .privileges("read", "view_index_metadata", "write", "maintenance")
 .build(),
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index f8ac34ae4239f..99d01ce01f1f9 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -617,6 +617,8 @@ public void testKibanaSystemRole() {
 ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_REINDEXED + randomAlphaOfLength(randomIntBetween(0, 13)),
+ ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
+ ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.LISTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.LISTS_INDEX_REINDEXED_V8 + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.LISTS_ITEMS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
From 59667876b72b15af6d6c0ad04e4684b43bdf5d33 Mon Sep 17 00:00:00 2001
From: Ievgen Sorokopud
Date: Thu, 24 Apr 2025 15:00:18 +0200
Subject: [PATCH 2/6] Update docs/changelog/127321.yaml
---
 docs/changelog/127321.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 docs/changelog/127321.yaml
diff --git a/docs/changelog/127321.yaml b/docs/changelog/127321.yaml
new file mode 100644
index 0000000000000..16191d9c34442
--- /dev/null
+++ b/docs/changelog/127321.yaml
@@ -0,0 +1,6 @@
+pr: 127321
+summary: Granting `kibana_system` reserved role access to "all" privileges to `.adhoc.alerts*`
+ and `.internal.adhoc.alerts*` indices
+area: Authorization
+type: enhancement
+issues: []
From 9a47df2b103139825a33ce972ae4d965cac9a853 Mon Sep 17 00:00:00 2001
From: elasticsearchmachine
Date: Thu, 24 Apr 2025 13:10:15 +0000
Subject: [PATCH 3/6] [CI] Auto commit changes from spotless
---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 90289f139232c..2ef1289a56a8d 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -786,7 +786,11 @@ private static RoleDescriptor buildViewerRoleDescriptor() {
 .build(),
 // Alerts-as-data
 RoleDescriptor.IndicesPrivileges.builder()
- .indices(ReservedRolesStore.ALERTS_INDEX_ALIAS, ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS, ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS)
+ .indices(
+ ReservedRolesStore.ALERTS_INDEX_ALIAS,
+ ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS,
+ ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS
+ )
 .privileges("read", "view_index_metadata")
 .build(),
 // Universal Profiling
From 49cf63d05e156e2c0aeb58e71702f5b04e38eebd Mon Sep 17 00:00:00 2001
From: Ievgen Sorokopud
Date: Thu, 8 May 2025 15:54:21 +0200
Subject: [PATCH 4/6] Replace `"all"` with the specific privileges for the `kibana_system` role
---
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index 5e387d43c8e99..3c4b26a862563 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -267,7 +267,7 @@ static RoleDescriptor kibanaSystem(String name) {
 // Kibana system user uses them to read / write alerts.
 RoleDescriptor.IndicesPrivileges.builder()
 .indices(ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX, ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS)
- .privileges("all")
+ .privileges("create_index", "manage", "read", "write")
 .build(),
 // "Alerts as data" public index alias used in Security Solution
 // Kibana system user uses them to read / write alerts.
From 5231345690ebf7bb3b2c91176c74c4ed3d315681 Mon Sep 17 00:00:00 2001
From: Ievgen Sorokopud
Date: Thu, 8 May 2025 17:39:29 +0200
Subject: [PATCH 5/6] Fix tests
---
 .../authz/store/ReservedRolesStoreTests.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 99d01ce01f1f9..3479a6f73c2f5 100644
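Review bot: The replacement list `"create_index", "manage", "read", "write"` on the ad-hoc alerts entry in patch 4/6 is still very broad: as far as I know `manage` covers the index administration actions, including creating, deleting and changing the settings of matching indices, which would make `create_index` redundant and leave the grant close to the `"all"` it replaces. If Kibana needs less than full administration of `.adhoc.alerts*` and `.internal.adhoc.alerts*`, list the narrower privileges it actually uses; otherwise keep the set minimal, for example `.privileges("manage", "read", "write")` once the overlap is confirmed, and state the reason for `manage` in the comment above the entry. The changelog summary added in patch 2/6 still says "all" privileges and should be updated to match. The entry sits inside `kibanaSystem`, whose body extends beyond the hunk.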
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -617,8 +617,6 @@ public void testKibanaSystemRole() {
 ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_REINDEXED + randomAlphaOfLength(randomIntBetween(0, 13)),
- ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
- ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.LISTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.LISTS_INDEX_REINDEXED_V8 + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.LISTS_ITEMS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
@@ -626,6 +624,16 @@ public void testKibanaSystemRole() {
 ".slo-observability." + randomAlphaOfLength(randomIntBetween(0, 13))
 ).forEach(index -> assertAllIndicesAccessAllowed(kibanaRole, index));
 
+ Arrays.asList(
+ ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
+ ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13))
+ ).forEach(index -> {
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportCreateIndexAction.TYPE.name()).test(index), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportSearchAction.TYPE.name()).test(index), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportUpdateAction.TYPE.name()).test(index), is(true));
+ assertViewIndexMetadata(kibanaRole, index);
+ });
+
 // read-only index access, including cross cluster
 Arrays.asList(".monitoring-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((index) -> {
 logger.info("index name [{}]", index);
From c0df6dd4baf6832d3f5991063e592d6b35af09cd Mon Sep 17 00:00:00 2001
From: Ievgen Sorokopud
Date: Thu, 8 May 2025 18:24:50 +0200
Subject: [PATCH 6/6] Fix CI
---
 .../core/security/authz/store/ReservedRolesStoreTests.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 3479a6f73c2f5..2d16d210e089f 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -628,9 +628,10 @@ public void testKibanaSystemRole() {
 ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
 ReservedRolesStore.ADHOC_ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13))
 ).forEach(index -> {
- assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportCreateIndexAction.TYPE.name()).test(index), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportSearchAction.TYPE.name()).test(index), is(true));
- assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportUpdateAction.TYPE.name()).test(index), is(true));
+ final IndexAbstraction indexAbstraction = mockIndexAbstraction(index);
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportCreateIndexAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportSearchAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportUpdateAction.TYPE.name()).test(indexAbstraction), is(true));
 assertViewIndexMetadata(kibanaRole, index);
 });
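Review bot: The assertions in this loop only show that create-index, search and update are allowed on the ad-hoc patterns, so they would pass unchanged if the entry were reverted to `"all"`; nothing pins the narrowing made in patch 4/6. Add at least one negative check on the same matcher, in the form `assertThat(kibanaRole.indices().allowedIndicesMatcher(ACTION_OUTSIDE_GRANT).test(indexAbstraction), is(false));`, where `ACTION_OUTSIDE_GRANT` is a placeholder for an action the role is meant not to have on these indices. No visible assertion targets an action that only `manage` would permit either, so one positive check on an administrative action would document why that privilege is granted. `testKibanaSystemRole` begins and ends outside the hunk.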