diff --git a/docs/reference/rest-api/security/get-builtin-privileges.asciidoc b/docs/reference/rest-api/security/get-builtin-privileges.asciidoc
index bbd0ca03c0473..8435f5539ab9d 100644
--- a/docs/reference/rest-api/security/get-builtin-privileges.asciidoc
+++ b/docs/reference/rest-api/security/get-builtin-privileges.asciidoc
@@ -77,6 +77,7 @@ A successful call returns an object with "cluster", "index", and "remote_cluster
 "manage_autoscaling",
 "manage_behavioral_analytics",
 "manage_ccr",
+ "manage_connector",
 "manage_data_frame_transforms",
 "manage_data_stream_global_retention",
 "manage_enrich",
@@ -102,6 +103,7 @@ A successful call returns an object with "cluster", "index", and "remote_cluster
 "manage_user_profile",
 "manage_watcher",
 "monitor",
+ "monitor_connector",
 "monitor_data_frame_transforms",
 "monitor_data_stream_global_retention",
 "monitor_enrich",
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
index 1b517bccf91c6..1cbe6c739a75f 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
@@ -67,6 +67,7 @@
 import java.util.SortedMap;
 import java.util.TreeMap;
 import java.util.function.Predicate;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 /**
@@ -174,6 +175,23 @@ public class ClusterPrivilegeResolver {
 );
 private static final Set MANAGE_SEARCH_APPLICATION_PATTERN = Set.of("cluster:admin/xpack/application/search_application/*");
+ private static final Set MANAGE_CONNECTOR_PATTERN = Set.of("cluster:admin/xpack/connector/*");
+ private static final Set MONITOR_CONNECTOR_PATTERN = Set.of(
+ "cluster:admin/xpack/connector/get",
+ "cluster:admin/xpack/connector/list",
+ "cluster:admin/xpack/connector/sync_job/get",
+ "cluster:admin/xpack/connector/sync_job/list"
+ );
+ private static final Set READ_CONNECTOR_SECRETS_PATTERN = Set.of("cluster:admin/xpack/connector/secret/get");
+ private static final Set WRITE_CONNECTOR_SECRETS_PATTERN = Set.of(
+ "cluster:admin/xpack/connector/secret/delete",
+ "cluster:admin/xpack/connector/secret/post",
+ "cluster:admin/xpack/connector/secret/put"
+ );
+ private static final Set CONNECTOR_SECRETS_PATTERN = Stream.concat(
+ READ_CONNECTOR_SECRETS_PATTERN.stream(),
+ WRITE_CONNECTOR_SECRETS_PATTERN.stream()
+ ).collect(Collectors.toSet());
 private static final Set MANAGE_SEARCH_QUERY_RULES_PATTERN = Set.of("cluster:admin/xpack/query_rules/*");
 private static final Set MANAGE_SEARCH_SYNONYMS_PATTERN = Set.of(
 "cluster:admin/synonyms/*",
@@ -332,6 +350,15 @@ public class ClusterPrivilegeResolver {
 "manage_search_application",
 MANAGE_SEARCH_APPLICATION_PATTERN
 );
+ public static final NamedClusterPrivilege MANAGE_CONNECTOR = new ActionClusterPrivilege(
+ "manage_connector",
+ MANAGE_CONNECTOR_PATTERN,
+ CONNECTOR_SECRETS_PATTERN
+ );
+ public static final NamedClusterPrivilege MONITOR_CONNECTOR = new ActionClusterPrivilege(
+ "monitor_connector",
+ MONITOR_CONNECTOR_PATTERN
+ );
 public static final NamedClusterPrivilege MANAGE_SEARCH_SYNONYMS = new ActionClusterPrivilege(
 "manage_search_synonyms",
 MANAGE_SEARCH_SYNONYMS_PATTERN
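Review bot: `CONNECTOR_SECRETS_PATTERN` is collected with `Collectors.toSet()`, which yields a mutable `HashSet`, while every sibling pattern constant in this hunk is an immutable `Set.of(...)`; an action set that defines a privilege should not be mutable after class initialization. Use `).collect(Collectors.toUnmodifiableSet());` so the union carries the same guarantee as the constants it is built from. A one-line comment saying that this constant is the union of the read and write secret actions consumed by `MANAGE_CONNECTOR` would also explain why the `Stream.concat` exists, e.g. `// All connector secret actions (read + write); kept separate from the manage_connector wildcard.` The enclosing class continues outside the hunk.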
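Review bot: `MANAGE_CONNECTOR` passes `CONNECTOR_SECRETS_PATTERN` as an uncommented third constructor argument, and nothing in the hunk says what that argument does; since `MANAGE_CONNECTOR_PATTERN` (`cluster:admin/xpack/connector/*`) textually covers every `cluster:admin/xpack/connector/secret/...` action, a reader cannot tell whether secrets are being added to or removed from the privilege. If the three-argument `ActionClusterPrivilege` form takes excluded action patterns, as I believe it does, the intent is that `manage_connector` cannot reach connector secrets and `read_connector_secrets`/`write_connector_secrets` remain the only route to them; that is a deliberate least-privilege boundary and should be written down, e.g. `// Secret actions are excluded from the wildcard: they require read_connector_secrets / write_connector_secrets.` above the definition. Nothing on this page pins that boundary in a test; a resolver test asserting that `manage_connector` authorizes `cluster:admin/xpack/connector/list` but not `cluster:admin/xpack/connector/secret/get` would catch a future widening of the wildcard or a change to the exclusion set. The enclosing class continues outside the hunk.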
@@ -362,16 +389,12 @@ public class ClusterPrivilegeResolver {
 public static final NamedClusterPrivilege READ_CONNECTOR_SECRETS = new ActionClusterPrivilege(
 "read_connector_secrets",
- Set.of("cluster:admin/xpack/connector/secret/get")
+ READ_CONNECTOR_SECRETS_PATTERN
 );
 public static final NamedClusterPrivilege WRITE_CONNECTOR_SECRETS = new ActionClusterPrivilege(
 "write_connector_secrets",
- Set.of(
- "cluster:admin/xpack/connector/secret/delete",
- "cluster:admin/xpack/connector/secret/post",
- "cluster:admin/xpack/connector/secret/put"
- )
+ WRITE_CONNECTOR_SECRETS_PATTERN
 );
 public static final NamedClusterPrivilege MONITOR_GLOBAL_RETENTION = new ActionClusterPrivilege(
 "monitor_data_stream_global_retention",
@@ -391,6 +414,7 @@ public class ClusterPrivilegeResolver {
 NONE,
 ALL,
 MONITOR,
+ MONITOR_CONNECTOR,
 MONITOR_INFERENCE,
 MONITOR_ML,
 MONITOR_TEXT_STRUCTURE,
@@ -400,6 +424,7 @@ public class ClusterPrivilegeResolver {
 MONITOR_ROLLUP,
 MONITOR_ENRICH,
 MANAGE,
+ MANAGE_CONNECTOR,
 MANAGE_INFERENCE,
 MANAGE_ML,
 MANAGE_TRANSFORM_DEPRECATED,
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index 41da995797e29..a0fe3d09eccc7 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -73,6 +73,8 @@ static RoleDescriptor kibanaSystem(String name) {
 // For Fleet package upgrade
 "manage_pipeline",
 "manage_ilm",
+ // For connectors telemetry
+ "monitor_connector",
 // For the endpoint package that ships a transform
 "manage_transform",
 InvalidateApiKeyAction.NAME,
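Review bot: The new `kibana_system` grant of `monitor_connector` is justified only by the comment `// For connectors telemetry`, and nothing on this page verifies what the reserved role can and cannot now do with connectors; the only test change in the diff is the privilege count in `11_builtin.yml`. `MONITOR_CONNECTOR_PATTERN` is limited to the connector and sync-job get/list actions and contains none of the `secret/...` actions, so this is a read-only grant, which is the right scope for telemetry, but that property is exactly what a regression test should pin: extend the kibana_system reserved-role test to assert that `cluster:admin/xpack/connector/list` is authorized and `cluster:admin/xpack/connector/secret/get` is not. Expanding the comment to state the scope would also help the next reviewer, e.g. `// For connectors telemetry (read-only: connector and sync job get/list, no secrets)`. `kibanaSystem` starts and ends outside the hunk.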
diff --git a/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/privileges/11_builtin.yml b/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/privileges/11_builtin.yml
index bb784f52884f6..ef8fab9ca7b6d 100644
--- a/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/privileges/11_builtin.yml
+++ b/x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/privileges/11_builtin.yml
@@ -15,5 +15,5 @@ setup:
 # This is fragile - it needs to be updated every time we add a new cluster/index privilege
 # I would much prefer we could just check that specific entries are in the array, but we don't have
 # an assertion for that
- - length: { "cluster" : 59 }
+ - length: { "cluster" : 61 }
 - length: { "index" : 22 }