From f5f548f148be3728ac5d17a990b28fad4db80ede Mon Sep 17 00:00:00 2001
From: Daniel Mitterdorfer
Date: Fri, 13 Oct 2023 07:30:13 +0200
Subject: [PATCH] Grant editor and viewer access to profiling (#100594)
With this commit we amend the `viewer` and `editor` roles so that access to the index patterns related to Universal Profiling is possible. The `editor` role gets the same permissions as `viewer` for these index patterns because it does not make sense to write to these indices directly (i.e. instead of the collector / symbolizer doing that).
---
 docs/changelog/100594.yaml | 5 +++++
 .../security/authz/store/ReservedRolesStore.java | 13 +++++++++++++
 .../authz/store/ReservedRolesStoreTests.java | 4 ++++
 3 files changed, 22 insertions(+)
 create mode 100644 docs/changelog/100594.yaml
diff --git a/docs/changelog/100594.yaml b/docs/changelog/100594.yaml
new file mode 100644
index 0000000000000..62d2a8933b9ad
--- /dev/null
+++ b/docs/changelog/100594.yaml
@@ -0,0 +1,5 @@
+pr: 100594
+summary: Grant editor and viewer access to profiling
+area: Authorization
+type: bug
+issues: []
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 2b5e34f4bd82d..3e4f71d25e656 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -61,6 +61,10 @@ public class ReservedRolesStore implements BiConsumer, ActionListene
 /** "Security Solutions" only lists index for value list items for detections */
 public static final String LISTS_ITEMS_INDEX = ".items-*";
+ /** Index pattern for Universal Profiling */
+ public static final String UNIVERSAL_PROFILING_ALIASES = "profiling-*";
+ public static final String UNIVERSAL_PROFILING_BACKING_INDICES = ".profiling-*";
+
 public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor(
 "superuser",
 new String[] { "all" },
@@ -641,6 +645,11 @@ private static RoleDescriptor buildViewerRoleDescriptor() {
 RoleDescriptor.IndicesPrivileges.builder()
 .indices(ReservedRolesStore.ALERTS_INDEX_ALIAS, ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS)
 .privileges("read", "view_index_metadata")
+ .build(),
+ // Universal Profiling
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.UNIVERSAL_PROFILING_ALIASES, ReservedRolesStore.UNIVERSAL_PROFILING_BACKING_INDICES)
+ .privileges("read", "view_index_metadata")
 .build() },
 new RoleDescriptor.ApplicationResourcePrivileges[] {
 RoleDescriptor.ApplicationResourcePrivileges.builder()
@@ -684,6 +693,10 @@ private static RoleDescriptor buildEditorRoleDescriptor() {
 ReservedRolesStore.PREVIEW_ALERTS_INDEX_ALIAS
 )
 .privileges("read", "view_index_metadata", "write", "maintenance")
+ .build(),
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.UNIVERSAL_PROFILING_ALIASES, ReservedRolesStore.UNIVERSAL_PROFILING_BACKING_INDICES)
+ .privileges("read", "view_index_metadata")
 .build() },
 new RoleDescriptor.ApplicationResourcePrivileges[] {
 RoleDescriptor.ApplicationResourcePrivileges.builder()
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index e221403be7c51..c708b79f1e8c6 100644
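Review bot: The Javadoc `/** Index pattern for Universal Profiling */` attaches only to `UNIVERSAL_PROFILING_ALIASES`, so `UNIVERSAL_PROFILING_BACKING_INDICES` is left undocumented and nothing in the code says how the two patterns relate or why a reserved role needs read access on the dot-prefixed backing indices in addition to the aliases. I would give each constant its own comment, e.g. `/** Universal Profiling aliases / data streams that clients query ({@code profiling-*}). */` and `/** Hidden backing indices behind {@link #UNIVERSAL_PROFILING_ALIASES}; granted together with the aliases so reads that resolve to the concrete indices are authorized too. */` — the second half of that sentence is my reading of the intent and should be confirmed by the author. Note also that `profiling-*` matches any index whose name starts with `profiling-`, not only aliases, so the `_ALIASES` suffix slightly oversells what the pattern restricts.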
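Review bot: The editor grant on `UNIVERSAL_PROFILING_ALIASES` / `UNIVERSAL_PROFILING_BACKING_INDICES` is deliberately read-only, unlike the `"read", "view_index_metadata", "write", "maintenance"` grant on the alerts aliases directly above it, but nothing in the code records that this is intentional; the rationale (only the collector / symbolizer should write these indices) exists only in the commit message. A later maintainer "aligning" this entry with editor's other entries could silently widen it to write access, which for a reserved role affects every cluster. I would add, above the builder, `// Universal Profiling: intentionally read-only even for editor; only the collector / symbolizer write these indices`, which also mirrors the `// Universal Profiling` marker the viewer role receives in this same commit. buildEditorRoleDescriptor() starts and ends outside the hunk.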
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -3057,6 +3057,8 @@ public void testPredefinedViewerRole() {
 assertOnlyReadAllowed(role, "packetbeat-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, "winlogbeat-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, "endgame-" + randomIntBetween(0, 5));
+ assertOnlyReadAllowed(role, "profiling-" + randomIntBetween(0, 5));
+ assertOnlyReadAllowed(role, ".profiling-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, randomAlphaOfLength(5));
 assertNoAccessAllowed(role, TestRestrictedIndices.SAMPLE_RESTRICTED_NAMES);
@@ -3124,6 +3126,8 @@ public void testPredefinedEditorRole() {
 assertOnlyReadAllowed(role, "packetbeat-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, "winlogbeat-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, "endgame-" + randomIntBetween(0, 5));
+ assertOnlyReadAllowed(role, "profiling-" + randomIntBetween(0, 5));
+ assertOnlyReadAllowed(role, ".profiling-" + randomIntBetween(0, 5));
 assertOnlyReadAllowed(role, randomAlphaOfLength(5));
 assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".siem-signals-" + randomIntBetween(0, 5));
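Review bot: The two new assertions only prove the positive case — read on `.profiling-N` — and nothing checks that the new dot-prefixed grant stays anchored to the `.profiling-` prefix; the only negative check in this hunk is the existing `assertNoAccessAllowed(role, TestRestrictedIndices.SAMPLE_RESTRICTED_NAMES)`, which covers restricted names rather than other hidden indices. If viewer is meant to have no access to hidden indices beyond the patterns it explicitly lists (I infer that from `randomAlphaOfLength(5)` being the only unrestricted positive case, so please confirm), a line such as `assertNoAccessAllowed(role, ".profiling" + randomAlphaOfLength(3));` would catch a future widening of `UNIVERSAL_PROFILING_BACKING_INDICES` to something like `.profiling*`. testPredefinedViewerRole() starts and ends outside the hunk.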
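Review bot: `assertOnlyReadAllowed` is the right assertion for the editor's read-only profiling grant, but in this test it sits directly above `assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".siem-signals-" ...)` and reads like a copy of the viewer block, so the deliberate divergence is invisible. A one-line comment above the two added assertions, `// editor is intentionally read-only on Universal Profiling indices (see ReservedRolesStore)`, would stop someone "fixing" the test to the read-write variant. testPredefinedEditorRole() starts and ends outside the hunk.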