[Fleet] Allow kibana_system to put datastream lifecycle

[nchaulet]

Description

In Fleet we need to be able to update datastream lifecycle when we install/update a package, that PR fix that by
allowingkibana_system to put datastream lifecycle.

Related kibana PR elastic/kibana#162078

[elasticsearchmachine]

@nchaulet please enable the option "Allow edits and access to secrets by maintainers" on your PR. For more information, see the documentation.

[azasypkin]

Related kibana PR elastic/kibana#162078

Unfortunately the only description this PR has is Work in progress. Just for the record and context, could you please explain in a bit more detail why In Fleet we need to be able to update datastream lifecycle when we install/update a package (considering that it wasn't necessary before)?

Otherwise, LGTM from Kibana point of view.

[azasypkin]

nit: Cannot you use PutDataStreamLifecycleAction.NAME to not hardcode the string?

[nchaulet]

I tried to import PutDataStreamLifecycleAction here but without sucess java was not compiling

[azasypkin]

Got it, maybe ES team can guide on that then. In any case, it's not a big deal, just an optional nit.

[jakelandis]

The xpack core module/plugin doesn't have direct visibility to the dlm module/plugin which is why you can't reference the name directly. I would have a minor preference to put the action name in a variable in IndexPrivilege.java so that it is more centralized.

The core the change here (adding the priv) seems fine to me but @n1v0lg - can you take a look too, i don't remember the details of the this feature you assisted with.

[n1v0lg]

If .logs-endpoint.action.responses-* and the other indices with the leading dot are not system indices/system data streams, this change is fine as is. Otherwise, we'd have to update the internal user privileges here as well: https://github.com/elastic/elasticsearch/blob/main/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUsers.java#L133

@nchaulet could you confirm those are not system indices/system data streams? I don't think they are since the privilege definition does not include allowRestrictedIndices but just double-checking.

As far the privilege itself goes, "indices:admin/data_stream/lifecycle/put" is fine -- there is also a named privilege manage_data_stream_lifecycle which grants access to the PUT, GET, and DELETE data stream lifecycle APIs. If only updating is required though, going with the specific action as you do works and is good in terms of least privilege.

[nchaulet]

the .logs-* are not system indices just some hidden datastreams used by elastic agent and defined in integrations.

It seems we only need the PUT currently

[nchaulet]

Unfortunately the only description this PR has is Work in progress. Just for the record and context, could you please explain in a bit more detail why In Fleet we need to be able to update datastream lifecycle when we install/update a package (considering that it wasn't necessary before)?

@azasypkin just updated the PR with a litle more than "Work in progress", to resume here Fleet was not installing DLM before 8.10 so it's why it was not necessary before.

[n1v0lg]

LGTM

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[n1v0lg]

@elasticmachine update branch

[elasticsearchmachine]

Hi @nchaulet, I've created a changelog YAML for you.

[n1v0lg]

@nchaulet just a heads up: I added the missing labels (including >enhancement) -- this also automatically generated a changelog.