From 791235f6da9e8581521ae13c1114a4c0ddb0d16f Mon Sep 17 00:00:00 2001 From: abhishekbhatia1710 Date: Fri, 12 Sep 2025 14:35:37 +0530 Subject: [PATCH 1/3] Code changes to add Privileged User Monitoring index in the Reserved roles store. --- .../xpack/core/security/authz/store/ReservedRolesStore.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index dc3db9d5c88df..deb3138d895bc 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -78,6 +78,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene /** "Security Solutions" Entity Store and Asset Criticality indices for Asset Inventory and Entity Analytics */ public static final String ENTITY_STORE_V1_LATEST_INDEX = ".entities.v1.latest.security_*"; public static final String ASSET_CRITICALITY_INDEX = ".asset-criticality.asset-criticality-*"; + public static final String PRIVILEGED_USER_MONITORING_INDEX = ".entity_analytics.monitoring*"; /** Index pattern for Universal Profiling */ public static final String UNIVERSAL_PROFILING_ALIASES = "profiling-*"; @@ -780,7 +781,8 @@ private static RoleDescriptor buildViewerRoleDescriptor() { ReservedRolesStore.LISTS_INDEX_REINDEXED_V8, ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8, ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX, - ReservedRolesStore.ASSET_CRITICALITY_INDEX + ReservedRolesStore.ASSET_CRITICALITY_INDEX, + ReservedRolesStore.PRIVILEGED_USER_MONITORING_INDEX ) .privileges("read", "view_index_metadata") .build(), 
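Review bot: The new pattern `.entity_analytics.monitoring*` in the first hunk has no delimiter before the wildcard, unlike its neighbours `.entities.v1.latest.security_*` and `.asset-criticality.asset-criticality-*`, so the viewer and editor read grants built from it also cover any future index whose name merely starts with `.entity_analytics.monitoring`. If the real indices carry a separator after `monitoring`, narrowing the constant to that form keeps the grant to the intended family; I cannot see the index naming from here, so please confirm before merging. The Javadoc directly above the constant, `/** "Security Solutions" Entity Store and Asset Criticality indices for Asset Inventory and Entity Analytics */`, now also heads this line and should be widened, e.g. `/** "Security Solutions" Entity Store, Asset Criticality and Privileged User Monitoring indices for Asset Inventory and Entity Analytics */`. The class body continues outside the hunk.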
@@ -849,7 +851,7 @@ private static RoleDescriptor buildEditorRoleDescriptor() { .build(), // Security - Entity Store is view only RoleDescriptor.IndicesPrivileges.builder() - .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX) + .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX, ReservedRolesStore.PRIVILEGED_USER_MONITORING_INDEX) .privileges("read", "view_index_metadata") .build(), // Alerts-as-data From 8e9b817d2cd96d364a1c9fd9857b08efbebb379d Mon Sep 17 00:00:00 2001 From: abhishekbhatia1710 Date: Mon, 29 Sep 2025 19:08:54 +0530 Subject: [PATCH 2/3] Fixing compilation errors --- .../core/security/authz/store/ReservedRolesStore.java | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index 16be19be886e8..8c76c630049ce 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -783,8 +783,8 @@ private static RoleDescriptor buildViewerRoleDescriptor() { ReservedRolesStore.LISTS_ITEMS_INDEX_REINDEXED_V8, ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX, ReservedRolesStore.ASSET_CRITICALITY_INDEX, - ReservedRolesStore.PRIVILEGED_USER_MONITORING_INDEX - ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX, + ReservedRolesStore.PRIVILEGED_USER_MONITORING_INDEX, + ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX ) .privileges("read", "view_index_metadata") .build(), 
@@ -853,7 +853,11 @@ private static RoleDescriptor buildEditorRoleDescriptor() { .build(), // Security - Entity Store is view only RoleDescriptor.IndicesPrivileges.builder() - .indices(ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX, ReservedRolesStore.PRIVILEGED_USER_MONITORING_INDEX, ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX) + .indices( + ReservedRolesStore.ENTITY_STORE_V1_LATEST_INDEX, + ReservedRolesStore.PRIVILEGED_USER_MONITORING_INDEX, + ReservedRolesStore.ENTITY_STORE_HISTORY_INDEX + ) .privileges("read", "view_index_metadata") .build(), // Alerts-as-data From aa3bccef8373a0bc919dfabd456f0f5e433100fe Mon Sep 17 00:00:00 2001 From: abhishekbhatia1710 Date: Mon, 29 Sep 2025 19:23:12 +0530 Subject: [PATCH 3/3] Adding tests relevant to changes in ReservedRolesStore --- .../core/security/authz/store/ReservedRolesStoreTests.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 638c4df46dc8d..0ad8a22cbe49f 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -3815,6 +3815,7 @@ public void testPredefinedViewerRole() { assertOnlyReadAllowed(role, ".entities.v1.latest.security_" + randomIntBetween(0, 5)); assertOnlyReadAllowed(role, ".asset-criticality.asset-criticality-" + randomIntBetween(0, 5)); + assertOnlyReadAllowed(role, ".entity_analytics.monitoring" + randomIntBetween(0, 5)); assertOnlyReadAllowed(role, ".slo-observability." + randomIntBetween(0, 5)); assertViewIndexMetadata(role, ".slo-observability." + randomIntBetween(0, 5)); 
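Review bot: The comment `// Security - Entity Store is view only` that heads the rebuilt `.indices(...)` call is now inaccurate, because the same read/view_index_metadata builder also covers `PRIVILEGED_USER_MONITORING_INDEX` and `ENTITY_STORE_HISTORY_INDEX`, and a reader checking why the editor cannot write to the monitoring index will not find that stated. I would change it to `// Security - Entity Store and Privileged User Monitoring indices are view only`. Keeping the new pattern in this read-only block rather than a writable one is the right placement for the editor role, and the editor test in patch 3 is what pins it. buildEditorRoleDescriptor() starts and ends outside the hunk.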
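Review bot: The added `assertOnlyReadAllowed(role, ".entity_analytics.monitoring" + randomIntBetween(0, 5))` in the viewer test exercises only the `read` half of the grant, while the viewer block in patch 1 grants both `read` and `view_index_metadata` on this pattern; the `.slo-observability.` lines just below pair the read assertion with `assertViewIndexMetadata`, and the new index should do the same: `assertViewIndexMetadata(role, ".entity_analytics.monitoring" + randomIntBetween(0, 5));`. Without it a later change that drops `view_index_metadata` from this builder would pass the suite unnoticed. testPredefinedViewerRole() starts and ends outside the hunk.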
@@ -3887,6 +3888,7 @@ public void testPredefinedEditorRole() { assertOnlyReadAllowed(role, "profiling-" + randomIntBetween(0, 5)); assertOnlyReadAllowed(role, ".profiling-" + randomIntBetween(0, 5)); assertOnlyReadAllowed(role, ".entities.v1.latest.security_" + randomIntBetween(0, 5)); + assertOnlyReadAllowed(role, ".entity_analytics.monitoring" + randomIntBetween(0, 5)); assertOnlyReadAllowed(role, randomAlphaOfLength(5)); assertReadWriteDocsAndMaintenanceButNotDeleteIndexAllowed(role, ".siem-signals-" + randomIntBetween(0, 5));
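Review bot: The added `assertOnlyReadAllowed(role, ".entity_analytics.monitoring" + randomIntBetween(0, 5))` generates a name such as `.entity_analytics.monitoring3`, which is matched by `.entity_analytics.monitoring*` only because that pattern has no separator before the wildcard, so the assertion silently pins the delimiter-less form. If the real indices carry a separator after `monitoring` (not visible from here), build the test name with that shape so the test documents the intended naming and fails if the pattern is later narrowed. A short comment on the line, e.g. `// Privileged User Monitoring indices are read-only for the editor (ReservedRolesStore.PRIVILEGED_USER_MONITORING_INDEX)`, would also let a reader map the literal back to the constant. testPredefinedEditorRole() starts and ends outside the hunk.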