[8.1] Add delete privilege to kibana_system for APM (#85085) (#85199)

* Add delete privilege to kibana_system for APM (#85085) * Add delete privilege to kibana_system for APM * Update docs/changelog/85085.yaml * Loosen APM data stream wildcards (To ensure we match future APM data streams as well.) * Fix trailing comma * Fix linting * Make data stream patterns more specific * Update docs/changelog/85199.yaml * Delete 85199.yaml
elastic · Mar 22, 2022 · 55b6a01 · 55b6a01
1 parent cd3e042
commit 55b6a01
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 17 deletions.
diff --git a/docs/changelog/85085.yaml b/docs/changelog/85085.yaml
@@ -0,0 +1,5 @@
+pr: 85085
+summary: Add delete privilege to `kibana_system` for APM
+area: Authorization
+type: bug
+issues: []
diff --git a/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -763,7 +763,15 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) {
                     .build(),
                 // For ILM policy for APM & Endpoint packages that have delete action
                 RoleDescriptor.IndicesPrivileges.builder()
-                    .indices(".logs-endpoint.diagnostic.collection-*", "traces-apm.sampled-*")
+                    .indices(
+                        ".logs-endpoint.diagnostic.collection-*",
+                        "logs-apm-*",
+                        "logs-apm.*-*",
+                        "metrics-apm-*",
+                        "metrics-apm.*-*",
+                        "traces-apm-*",
+                        "traces-apm.*-*"
+                    )
                     .privileges(DeleteIndexAction.NAME)
                     .build(),
                 // For src/dest indices of the Endpoint package that ships a transform

diff --git a/.../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/.../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -775,9 +775,14 @@ public void testKibanaSystemRole() {
             assertThat(kibanaRole.indices().allowedIndicesMatcher(SearchAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(MultiSearchAction.NAME).test(indexAbstraction), is(isAlsoReadIndex));
 
-            // Endpoint diagnostic and sampled traces data streams also have an ILM policy with a delete action, all others should not.
+            // Endpoint diagnostic and APM data streams also have an ILM policy with a delete action, all others should not.
             final boolean isAlsoIlmDeleteIndex = indexName.startsWith(".logs-endpoint.diagnostic.collection-")
-                || indexName.startsWith("traces-apm.sampled-");
+                || indexName.startsWith("logs-apm-")
+                || indexName.startsWith("logs-apm.")
+                || indexName.startsWith("metrics-apm-")
+                || indexName.startsWith("metrics-apm.")
+                || indexName.startsWith("traces-apm-")
+                || indexName.startsWith("traces-apm.");
             assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(isAlsoIlmDeleteIndex));
         });
 
@@ -838,28 +843,21 @@ public void testKibanaSystemRole() {
         });
 
         // Ensure privileges necessary for ILM policies in APM & Endpoint packages
-        Arrays.asList(
-            "metrics-apm.app-" + randomAlphaOfLengthBetween(3, 8),
-            "metrics-apm.internal-" + randomAlphaOfLengthBetween(3, 8),
-            "metrics-apm.profiling-" + randomAlphaOfLengthBetween(3, 8),
-            "logs-apm.error_logs-" + randomAlphaOfLengthBetween(3, 8),
-            "traces-apm-" + randomAlphaOfLengthBetween(3, 8)
-        ).forEach(indexName -> {
-            logger.info("index name [{}]", indexName);
-            final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
-
-            assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
-            assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
-        });
         Arrays.asList(
             ".logs-endpoint.diagnostic.collection-" + randomAlphaOfLengthBetween(3, 8),
-            "traces-apm.sampled-" + randomAlphaOfLengthBetween(3, 8)
+            "logs-apm-" + randomAlphaOfLengthBetween(3, 8),
+            "logs-apm." + randomAlphaOfLengthBetween(3, 8) + "-" + randomAlphaOfLengthBetween(3, 8),
+            "metrics-apm-" + randomAlphaOfLengthBetween(3, 8),
+            "metrics-apm." + randomAlphaOfLengthBetween(3, 8) + "-" + randomAlphaOfLengthBetween(3, 8),
+            "traces-apm-" + randomAlphaOfLengthBetween(3, 8),
+            "traces-apm." + randomAlphaOfLengthBetween(3, 8) + "-" + randomAlphaOfLengthBetween(3, 8)
         ).forEach(indexName -> {
             logger.info("index name [{}]", indexName);
             final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
 
             assertThat(kibanaRole.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(indexAbstraction), is(true));
             assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
+            assertThat(kibanaRole.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(indexAbstraction), is(true));
         });
     }