Add connector permissions to fleet server service account

docs/reference/rest-api/security/get-service-accounts.asciidoc

@@ -66,7 +66,8 @@ GET /_security/service/elastic/fleet-server
       "cluster": [
         "monitor",
         "manage_own_api_key",
-        "read_fleet_secrets"
+        "read_fleet_secrets",
+        "cluster:admin/xpack/connector/*"
       ],
       "indices": [
         {
@@ -238,6 +239,35 @@ GET /_security/service/elastic/fleet-server
             "auto_configure"
           ],
           "allow_restricted_indices": false
+        },
+        {
+          "names": [
+            ".elastic-connectors*"
+          ],
+          "privileges": [
+            "read",
+            "write",
+            "monitor",
+            "create_index",
+            "auto_configure",
+            "maintenance"
+          ],
+          "allow_restricted_indices": false
+        },
+        {
+          "names": [
+            "content-*",
+            ".search-acl-filter-*"
+          ],
+          "privileges": [
+            "read",
+            "write",
+            "monitor",
+            "create_index",
+            "auto_configure",
+            "maintenance"
+          ],
+          "allow_restricted_indices": false
         }
       ],
       "applications": [

x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java

@@ -112,7 +112,8 @@ public class ServiceAccountIT extends ESRestTestCase {
               "cluster": [
                 "monitor",
                 "manage_own_api_key",
-                "read_fleet_secrets"
+                "read_fleet_secrets",
+                "cluster:admin/xpack/connector/*"
               ],
               "indices": [
                 {
@@ -284,6 +285,35 @@ public class ServiceAccountIT extends ESRestTestCase {
                     "auto_configure"
                   ],
                   "allow_restricted_indices": false
+                },
+                {
+                  "names": [
+                    ".elastic-connectors*"
+                  ],
+                  "privileges": [
+                    "read",
+                    "write",
+                    "monitor",
+                    "create_index",
+                    "auto_configure",
+                    "maintenance"
+                  ],
+                  "allow_restricted_indices": false
+                },
+                {
+                  "names": [
+                    "content-*",
+                    ".search-acl-filter-*"
+                  ],
+                  "privileges": [
+                    "read",
+                    "write",
+                    "monitor",
+                    "create_index",
+                    "auto_configure",
+                    "maintenance"
+                  ],
+                  "allow_restricted_indices": false
                 }
               ],
               "applications": [        {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java

@@ -81,7 +81,7 @@ final class ElasticServiceAccounts {
         "fleet-server",
         new RoleDescriptor(
             NAMESPACE + "/fleet-server",
-            new String[] { "monitor", "manage_own_api_key", "read_fleet_secrets" },
+            new String[] { "monitor", "manage_own_api_key", "read_fleet_secrets", "cluster:admin/xpack/connector/*" },
             new RoleDescriptor.IndicesPrivileges[] {
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices(
@@ -156,7 +156,17 @@ final class ElasticServiceAccounts {
                     // Fleet Server needs "read" privilege to be able to retrieve multi-agent docs
                     .privileges("read", "write", "create_index", "auto_configure")
                     .allowRestrictedIndices(false)
-                    .build() },
+                    .build(),
+                // Custom permissions required for running Elastic connectors integration
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices(".elastic-connectors*")
+                    .privileges("read", "write", "monitor", "create_index", "auto_configure", "maintenance")
+                    .build(),
+                // Permissions for data indices and access control filters used by Elastic connectors integration
+                RoleDescriptor.IndicesPrivileges.builder()
+                    .indices("content-*", ".search-acl-filter-*")
+                    .privileges("read", "write", "monitor", "create_index", "auto_configure", "maintenance")
+                    .build(), },
             new RoleDescriptor.ApplicationResourcePrivileges[] {
                 RoleDescriptor.ApplicationResourcePrivileges.builder()
                     .application("kibana-*")