Skip to content

[Alerting V2] Update privileges for Alerting V2 indexes and views. #144313

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
adcoelho merged 7 commits into from
Mar 19, 2026
Merged

[Alerting V2] Update privileges for Alerting V2 indexes and views. #144313

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
2f63792
Update privileges for Alerting V2 indexes and views.
adcoelho Mar 16, 2026
09f314b
[CI] Auto commit changes from spotless
Mar 16, 2026
b4516c2
Merge branch 'main' into alerting-v2-update-view-permissions
adcoelho Mar 17, 2026
3b2b548
Merge branch 'main' into alerting-v2-update-view-permissions
adcoelho Mar 17, 2026
9dd03a7
Merge branch 'main' into alerting-v2-update-view-permissions
adcoelho Mar 18, 2026
0e4a593
Merge branch 'main' into alerting-v2-update-view-permissions
adcoelho Mar 18, 2026
cbe235f
Merge branch 'main' into alerting-v2-update-view-permissions
adcoelho Mar 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions ...org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -278,7 +278,7 @@ static RoleDescriptor kibanaSystem(String name) {
.build(),
// "Alerting V2" views prefix
RoleDescriptor.IndicesPrivileges.builder()
.indices(ReservedRolesStore.ALERTING_V2_VIEWS)
.indices(ReservedRolesStore.ALERTING_V2_ALERT_VIEWS, ReservedRolesStore.ALERTING_V2_RULE_VIEWS)
.privileges("indices:admin/esql/view/put") // TODO: use named index privilege when available in serverless
.build(),
// "Alerts as data" public index aliases used in Security Solution,
Expand All @@ -289,7 +289,14 @@ static RoleDescriptor kibanaSystem(String name) {
RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.CASES_ANALYTICS_INDEXES).privileges("all").build(),
RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.CASES_ANALYTICS_ALIASES).privileges("all").build(),
// "Alerting V2" indexes
RoleDescriptor.IndicesPrivileges.builder().indices(ReservedRolesStore.ALERTING_V2_INDEX_ALIAS).privileges("all").build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices(ReservedRolesStore.ALERTING_V2_ALERT_INDEX_ALIAS)
.privileges("all")
.build(),
RoleDescriptor.IndicesPrivileges.builder()
.indices(ReservedRolesStore.ALERTING_V2_RULE_INDEX_ALIAS)
.privileges("all")
.build(),
Copy link
Copy Markdown

@jeramysoucy jeramysoucy Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just leaving a breadcrumb here in regard to use of "all", since it usually something we try to avoid:

In this case, we're just updating the indices involved to accommodate a name change, so we're good 👍

// "Alerts as data" public index alias used in Security Solution
// Kibana system user uses them to read / write alerts.
RoleDescriptor.IndicesPrivileges.builder()
Expand Down
6 changes: 4 additions & 2 deletions ...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,8 +53,10 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
public static final String ALERTS_INDEX_ALIAS = ".alerts*";

/** Alerting V2 - alert events and action indexes used by multiple solutions */
public static final String ALERTING_V2_INDEX_ALIAS = ".alerting*";
public static final String ALERTING_V2_VIEWS = "$.alerting*";
public static final String ALERTING_V2_ALERT_INDEX_ALIAS = ".alert*";
Copy link
Copy Markdown
Contributor Author

@adcoelho adcoelho Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be better to merge this with 53 since ALERTING_V2_ALERT_INDEX_ALIAS is a superset?

I assumed it would be better to have different variables for clarity.

public static final String ALERTING_V2_RULE_INDEX_ALIAS = ".rule*";
public static final String ALERTING_V2_ALERT_VIEWS = "$.alert*";
public static final String ALERTING_V2_RULE_VIEWS = "$.rule*";

/** Cases analytics indexes and aliases */
public static final String CASES_ANALYTICS_INDEXES = ".internal.cases*";
Expand Down
17 changes: 9 additions & 8 deletions .../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -628,7 +628,8 @@ public void testKibanaSystemRole() {
ReservedRolesStore.ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ALERTS_BACKING_INDEX_REINDEXED + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ALERTING_V2_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ALERTING_V2_ALERT_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.ALERTING_V2_RULE_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
ReservedRolesStore.PREVIEW_ALERTS_BACKING_INDEX_REINDEXED + randomAlphaOfLength(randomIntBetween(0, 13)),
Expand All @@ -640,13 +641,13 @@ public void testKibanaSystemRole() {
).forEach(index -> assertAllIndicesAccessAllowed(kibanaRole, index));

// Alerting V2 views prefix: Kibana system user has create_view only
final IndexAbstraction alertingV2ViewsAbstraction = mockIndexAbstraction(
ReservedRolesStore.ALERTING_V2_VIEWS + randomAlphaOfLength(randomIntBetween(0, 13))
);
assertThat(
kibanaRole.indices().allowedIndicesMatcher(EsqlViewActionNames.ESQL_PUT_VIEW_ACTION_NAME).test(alertingV2ViewsAbstraction),
is(true)
);
Arrays.asList(ReservedRolesStore.ALERTING_V2_ALERT_VIEWS, ReservedRolesStore.ALERTING_V2_RULE_VIEWS).forEach(index -> {
final IndexAbstraction indexAbstraction = mockIndexAbstraction(index);
assertThat(
kibanaRole.indices().allowedIndicesMatcher(EsqlViewActionNames.ESQL_PUT_VIEW_ACTION_NAME).test(indexAbstraction),
is(true)
);
});

Arrays.asList(
ReservedRolesStore.ADHOC_ALERTS_INDEX_ALIAS + randomAlphaOfLength(randomIntBetween(0, 13)),
Expand Down
Loading