Support "remote_cluster" in ES role definition #182035

Closed
jakelandis opened this issue Apr 29, 2024 · 8 comments · Fixed by #182377

@jakelandis
Contributor

ES is adding a new object to the role definition via elastic/elasticsearch#107493. This new part of the role allows users to express the remote cluster level privileges allowed for different clusters when using the API key security model. This is the cluster level set of permissions to match the existing "remote_indices" index permissions.

The initial release will only allow for monitor_enrich since it is the only supported cross cluster privilege in use. It will be required when the query is sent over CCS, the query is written in ES|QL, the ES|QL query uses the ENRICH keyword, and the CCS security model is API key based (RCS 2.0). Note - ES|QL over CCS is still technical preview for 8.14.

All validation is done in ES and the expectation is for Kibana to add the new "remote_cluster" as part of the create/update/view role definition. The data model is as it appears where there is at most one root "remote_cluster" array of objects per role. There can be multiple (anonymous) objects in the array, and each object has 2 named arrays of strings. The inner "clusters" array is identical to the "clusters" array in "remote_indices" and the "privileges" array is simple strings, with validation of correctness handled by ES.

"remote_cluster": [
    {
        "privileges": [
            "monitor_enrich"
        ],
        "clusters": [
            "my_remote*"
        ]
    }
]

and

"remote_cluster": [
    {
        "privileges": [
            "monitor_enrich"
        ],
        "clusters": [
            "one", "two"
        ]
    },
    {
        "privileges": [
            "monitor_enrich"
        ],
        "clusters": [
            "two", "three"
        ]
    }
]

@botelastic botelastic bot added the needs-team Issues missing a team label label Apr 29, 2024
@legrego legrego added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Users/Roles/API Keys labels Apr 30, 2024
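
An added example, not part of the original issue and not Kibana or Elasticsearch code: the "remote_cluster" data model described above, typed in TypeScript, with a helper that resolves which privileges a role grants on a given remote cluster alias when several entries overlap. It assumes cluster patterns use simple `*` wildcards as in "my_remote*"; the function names and the sample role are hypothetical, and `<future_cluster_priv>` is the placeholder that appears later in this thread.

```typescript
// Shape of the new role section: at most one root array per role,
// each anonymous object carrying two named arrays of strings.
interface RemoteClusterEntry {
  privileges: string[];
  clusters: string[];
}

interface RoleDefinition {
  remote_cluster?: RemoteClusterEntry[];
}

// Assumption: a cluster pattern is a literal alias or uses "*" as a wildcard.
function clusterPatternToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$');
}

// Union of the privileges granted on one remote cluster alias across all
// entries of the role, sorted for stable display in a review.
function effectiveRemoteClusterPrivileges(role: RoleDefinition, alias: string): string[] {
  const granted = new Set<string>();
  for (const entry of role.remote_cluster || []) {
    const matches = entry.clusters.some((p) => clusterPatternToRegExp(p).test(alias));
    if (matches) {
      entry.privileges.forEach((priv) => granted.add(priv));
    }
  }
  return Array.from(granted).sort();
}

// Constructed sample role: "two" is covered by two entries.
const sampleRole: RoleDefinition = {
  remote_cluster: [
    { privileges: ['monitor_enrich'], clusters: ['one', 'two'] },
    { privileges: ['<future_cluster_priv>'], clusters: ['two', 'three'] },
    { privileges: ['monitor_enrich'], clusters: ['my_remote*'] },
  ],
};

console.log(effectiveRemoteClusterPrivileges(sampleRole, 'two'));
```
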
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Apr 30, 2024
@legrego legrego added enhancement New value added to drive a business result needs-team Issues missing a team label labels Apr 30, 2024
@botelastic botelastic bot removed the needs-team Issues missing a team label label Apr 30, 2024
@legrego
Member

legrego commented Apr 30, 2024

@jakelandis thanks for opening this. Is the Get builtin privileges API updated to reflect this new set of privileges? If not, can it be updated to support a new remote_cluster property with the permitted entries?

@jakelandis
Contributor Author

> Is the Get builtin privileges API updated to reflect this new set of privileges?

That API lists all the index or cluster privileges. "remote_cluster" is not a new privilege. Rather it is a new way to express existing cluster privileges for named remote clusters. Since there are not any new privileges, no need for that API to get an update.

@legrego
Member

legrego commented Apr 30, 2024

This API primarily exists in order to power the dropdown controls on our role management UI. Having a dedicated property which describes the allowed privileges to assign to the remote_cluster portion of a role would be very helpful, and aligned with the way we power the dropdowns for cluster and index privileges.

The alternative is for us to hardcode the list of allowed remote cluster privileges in Kibana. History has proved that this will deviate over time from what ES expects, leading to regressions.

@jakelandis
Contributor Author

Ah... I see what you are asking for now. You want

"remote_cluster" : [
    "monitor_enrich",
    "<future_cluster_priv>"
]

So you can provide better support from the drop down box.

++ I can add that information to the API (but in a follow up to elastic/elasticsearch#107493). Will report back here when that is done (hopefully this week).

@legrego
Member

legrego commented May 1, 2024

Yes, exactly - sorry for not being clearer in my original request. Thank you for taking a look!

@legrego
Member

legrego commented May 8, 2024

> Ah... I see what you are asking for now. You want
>
> "remote_cluster" : [
>     "monitor_enrich",
>     "<future_cluster_priv>"
> ]
>
> So you can provide better support from the drop down box.
>
> ++ I can add that information to the API (but in a follow up to elastic/elasticsearch#107493). Will report back here when that is done (hopefully this week).

@jakelandis is there an issue we can follow to track this request?

@jakelandis
Contributor Author

> @jakelandis is there an issue we can follow to track this request?

I logged an internal task: ES-8539
