Create manage_connector privilege

docs/reference/rest-api/security/get-builtin-privileges.asciidoc

@@ -77,6 +77,7 @@ A successful call returns an object with "cluster", "index", and "remote_cluster
     "manage_autoscaling",
     "manage_behavioral_analytics",
     "manage_ccr",
+    "manage_connector",
     "manage_data_frame_transforms",
     "manage_data_stream_global_retention",
     "manage_enrich",
@@ -102,6 +103,7 @@ A successful call returns an object with "cluster", "index", and "remote_cluster
     "manage_user_profile",
     "manage_watcher",
     "monitor",
+    "monitor_connector",
     "monitor_data_frame_transforms",
     "monitor_data_stream_global_retention",
     "monitor_enrich",

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java

@@ -67,6 +67,7 @@
 import java.util.SortedMap;
 import java.util.TreeMap;
 import java.util.function.Predicate;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 /**
@@ -174,6 +175,23 @@ public class ClusterPrivilegeResolver {
     );
 
     private static final Set<String> MANAGE_SEARCH_APPLICATION_PATTERN = Set.of("cluster:admin/xpack/application/search_application/*");
+    private static final Set<String> MANAGE_CONNECTOR_PATTERN = Set.of("cluster:admin/xpack/connector/*");
+    private static final Set<String> MONITOR_CONNECTOR_PATTERN = Set.of(
+        "cluster:admin/xpack/connector/get",
+        "cluster:admin/xpack/connector/list",
+        "cluster:admin/xpack/connector/sync_job/get",
+        "cluster:admin/xpack/connector/sync_job/list"
+    );
+    private static final Set<String> READ_CONNECTOR_SECRETS_PATTERN = Set.of("cluster:admin/xpack/connector/secret/get");
+    private static final Set<String> WRITE_CONNECTOR_SECRETS_PATTERN = Set.of(
+        "cluster:admin/xpack/connector/secret/delete",
+        "cluster:admin/xpack/connector/secret/post",
+        "cluster:admin/xpack/connector/secret/put"
+    );
+    private static final Set<String> CONNECTOR_SECRETS_PATTERN = Stream.concat(
+        READ_CONNECTOR_SECRETS_PATTERN.stream(),
+        WRITE_CONNECTOR_SECRETS_PATTERN.stream()
+    ).collect(Collectors.toSet());
     private static final Set<String> MANAGE_SEARCH_QUERY_RULES_PATTERN = Set.of("cluster:admin/xpack/query_rules/*");
     private static final Set<String> MANAGE_SEARCH_SYNONYMS_PATTERN = Set.of(
         "cluster:admin/synonyms/*",
@@ -332,6 +350,15 @@ public class ClusterPrivilegeResolver {
         "manage_search_application",
         MANAGE_SEARCH_APPLICATION_PATTERN
     );
+    public static final NamedClusterPrivilege MANAGE_CONNECTOR = new ActionClusterPrivilege(
+        "manage_connector",
+        MANAGE_CONNECTOR_PATTERN,
+        CONNECTOR_SECRETS_PATTERN
+    );
+    public static final NamedClusterPrivilege MONITOR_CONNECTOR = new ActionClusterPrivilege(
+        "monitor_connector",
+        MONITOR_CONNECTOR_PATTERN
+    );
     public static final NamedClusterPrivilege MANAGE_SEARCH_SYNONYMS = new ActionClusterPrivilege(
         "manage_search_synonyms",
         MANAGE_SEARCH_SYNONYMS_PATTERN
@@ -362,16 +389,12 @@ public class ClusterPrivilegeResolver {
 
     public static final NamedClusterPrivilege READ_CONNECTOR_SECRETS = new ActionClusterPrivilege(
         "read_connector_secrets",
-        Set.of("cluster:admin/xpack/connector/secret/get")
+        READ_CONNECTOR_SECRETS_PATTERN
     );
 
     public static final NamedClusterPrivilege WRITE_CONNECTOR_SECRETS = new ActionClusterPrivilege(
         "write_connector_secrets",
-        Set.of(
-            "cluster:admin/xpack/connector/secret/delete",
-            "cluster:admin/xpack/connector/secret/post",
-            "cluster:admin/xpack/connector/secret/put"
-        )
+        WRITE_CONNECTOR_SECRETS_PATTERN
     );
     public static final NamedClusterPrivilege MONITOR_GLOBAL_RETENTION = new ActionClusterPrivilege(
         "monitor_data_stream_global_retention",
@@ -391,6 +414,7 @@ public class ClusterPrivilegeResolver {
             NONE,
             ALL,
             MONITOR,
+            MONITOR_CONNECTOR,
             MONITOR_INFERENCE,
             MONITOR_ML,
             MONITOR_TEXT_STRUCTURE,
@@ -400,6 +424,7 @@ public class ClusterPrivilegeResolver {
             MONITOR_ROLLUP,
             MONITOR_ENRICH,
             MANAGE,
+            MANAGE_CONNECTOR,
             MANAGE_INFERENCE,
             MANAGE_ML,
             MANAGE_TRANSFORM_DEPRECATED,

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java

@@ -73,6 +73,8 @@ static RoleDescriptor kibanaSystem(String name) {
                 // For Fleet package upgrade
                 "manage_pipeline",
                 "manage_ilm",
+                // For connectors telemetry
+                "monitor_connector",
                 // For the endpoint package that ships a transform
                 "manage_transform",
                 InvalidateApiKeyAction.NAME,

x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/privileges/11_builtin.yml

@@ -15,5 +15,5 @@ setup:
   # This is fragile - it needs to be updated every time we add a new cluster/index privilege
   # I would much prefer we could just check that specific entries are in the array, but we don't have
   # an assertion for that
-  - length: { "cluster" : 59 }
+  - length: { "cluster" : 61 }
   - length: { "index" : 22 }