Allow fleet-server service account to setup Fleet (#78192)

This PR adds necessary application privilege for Kibana to allow
fleet-server service account to initiate the Fleet setup process.

Resolves: #78078

Author: ywangd

x-pack/docs/en/rest-api/security/get-service-accounts.asciidoc

@@ -97,7 +97,17 @@ GET /_security/service/elastic/fleet-server
           "allow_restricted_indices": true
         }
       ],
-      "applications": [],
+      "applications": [
+        {
+          "application" : "kibana-*",
+          "privileges" : [
+            "reserved_fleet-setup"
+          ],
+          "resources" : [
+            "*"
+          ]
+        }
+      ],
       "run_as": [],
       "metadata": {},
       "transient_metadata": {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -367,7 +367,7 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
                 "manage_pipeline", "manage_ilm",
                 // For the endpoint package that ships a transform
                 "manage_transform",
-                InvalidateApiKeyAction.NAME, "grant_api_key",
+                InvalidateApiKeyAction.NAME, "grant_api_key", "manage_own_api_key",
                 GetBuiltinPrivilegesAction.NAME, "delegate_pki",
                 // To facilitate ML UI functionality being controlled using Kibana security privileges
                 "manage_ml",

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -92,6 +92,10 @@
 import org.elasticsearch.xpack.core.ml.action.ExplainDataFrameAnalyticsAction;
 import org.elasticsearch.xpack.core.ml.action.FinalizeJobExecutionAction;
 import org.elasticsearch.xpack.core.rollup.action.GetRollupIndexCapsAction;
+import org.elasticsearch.xpack.core.security.action.CreateApiKeyAction;
+import org.elasticsearch.xpack.core.security.action.CreateApiKeyRequest;
+import org.elasticsearch.xpack.core.security.action.GetApiKeyRequest;
+import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyRequest;
 import org.elasticsearch.xpack.core.textstructure.action.FindStructureAction;
 import org.elasticsearch.xpack.core.ml.action.FlushJobAction;
 import org.elasticsearch.xpack.core.ml.action.ForecastJobAction;
@@ -375,6 +379,17 @@ public void testKibanaSystemRole() {
         // API keys
         assertThat(kibanaRole.cluster().check(InvalidateApiKeyAction.NAME, request, authentication), is(true));
         assertThat(kibanaRole.cluster().check(GrantApiKeyAction.NAME, request, authentication), is(true));
+        final CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest(randomAlphaOfLength(8), null, null);
+        assertThat(kibanaRole.cluster().check(CreateApiKeyAction.NAME, createApiKeyRequest, authentication), is(true));
+        // Can only get and query its own API keys
+        assertThat(kibanaRole.cluster().check(CreateApiKeyAction.NAME, new GetApiKeyRequest(), authentication), is(false));
+        assertThat(kibanaRole.cluster().check(CreateApiKeyAction.NAME,
+            new GetApiKeyRequest(null, null, null, null, true), authentication),
+            is(true));
+        final QueryApiKeyRequest queryApiKeyRequest = new QueryApiKeyRequest();
+        assertThat(kibanaRole.cluster().check(CreateApiKeyAction.NAME, queryApiKeyRequest, authentication), is(false));
+        queryApiKeyRequest.setFilterForCurrentUser();
+        assertThat(kibanaRole.cluster().check(CreateApiKeyAction.NAME, queryApiKeyRequest, authentication), is(true));
 
         // ML
         assertRoleHasManageMl(kibanaRole);

x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java

@@ -113,7 +113,17 @@ public class ServiceAccountIT extends ESRestTestCase {
         + "          \"allow_restricted_indices\": true\n"
         + "        }\n"
         + "      ],\n"
-        + "      \"applications\": [],\n"
+        + "      \"applications\": ["
+        + "        {\n"
+        + "          \"application\" : \"kibana-*\",\n"
+        + "          \"privileges\" : [\n"
+        + "            \"reserved_fleet-setup\"\n"
+        + "          ],\n"
+        + "          \"resources\" : [\n"
+        + "            \"*\"\n"
+        + "          ]\n"
+        + "        }"
+        + "      ],\n"
         + "      \"run_as\": [],\n"
         + "      \"metadata\": {},\n"
         + "      \"transient_metadata\": {\n"

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java

@@ -39,7 +39,10 @@ final class ElasticServiceAccounts {
                     .allowRestrictedIndices(true)
                     .build()
             },
-            null,
+            new RoleDescriptor.ApplicationResourcePrivileges[]{
+                RoleDescriptor.ApplicationResourcePrivileges.builder()
+                    .application("kibana-*").resources("*").privileges("reserved_fleet-setup").build()
+            },
             null,
             null,
             null,

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java

@@ -96,6 +96,7 @@
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
+import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
 import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
 import org.elasticsearch.xpack.core.security.user.KibanaSystemUser;
 import org.elasticsearch.xpack.core.security.user.User;
@@ -127,7 +128,7 @@ public void testKibanaSystemPrivileges() {
         assertThat(serviceAccountRoleDescriptor.getMetadata(), equalTo(reservedRolesStoreRoleDescriptor.getMetadata()));
     }
 
-    public void testElasticFleetPrivileges() {
+    public void testElasticFleetServerPrivileges() {
         final Role role = Role.builder(
             ElasticServiceAccounts.ACCOUNTS.get("elastic/fleet-server").roleDescriptor(), null, RESTRICTED_INDICES_AUTOMATON).build();
         final Authentication authentication = mock(Authentication.class);
@@ -187,6 +188,24 @@ public void testElasticFleetPrivileges() {
             assertThat(role.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(dotFleetIndex), is(false));
             assertThat(role.indices().allowedIndicesMatcher("indices:foo").test(dotFleetIndex), is(false));
         });
+
+        final String kibanaApplication = "kibana-" + randomFrom(randomAlphaOfLengthBetween(8, 24), ".kibana");
+        final String privilegeName = randomAlphaOfLengthBetween(3, 16);
+        assertThat(role.application().grants(
+            new ApplicationPrivilege(
+                kibanaApplication, privilegeName, "reserved_fleet-setup"), "*"),
+            is(true));
+
+        final String otherApplication = randomValueOtherThanMany(s -> s.startsWith("kibana"),
+            () -> randomAlphaOfLengthBetween(3, 8)) + "-" + randomAlphaOfLengthBetween(8, 24);
+        assertThat(role.application().grants(
+                new ApplicationPrivilege(otherApplication, privilegeName, "reserved_fleet-setup"), "*"),
+            is(false));
+
+        assertThat(role.application().grants(
+            new ApplicationPrivilege(kibanaApplication, privilegeName,
+                randomArray(1, 5, String[]::new, () -> randomAlphaOfLengthBetween(3, 16))), "*"),
+            is(false));
     }
 
     public void testElasticServiceAccount() {