diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java
index 0edd862eb6371..d08ce0b68cfff 100644
--- a/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java
+++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java
@@ -638,8 +638,8 @@ public void testGetRoles() throws Exception {
 List roles = response.getRoles();
 assertNotNull(response);
- // 24 system roles plus the three we created
- assertThat(roles.size(), equalTo(27));
+ // 25 system roles plus the three we created
+ assertThat(roles.size(), equalTo(28));
 }
 {
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 9cb25f6a221d0..31f9883e2ffa2 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -132,6 +132,13 @@ private static Map initializeReservedRoles() {
 new String[] { "monitor", MonitoringBulkAction.NAME}, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
 .put(UsernamesField.APM_ROLE, new RoleDescriptor(UsernamesField.APM_ROLE,
 new String[] { "monitor", MonitoringBulkAction.NAME}, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
+ .put("apm_user", new RoleDescriptor("apm_user",
+ null, new RoleDescriptor.IndicesPrivileges[] {
+ RoleDescriptor.IndicesPrivileges.builder().indices("apm-*")
+ .privileges("read", "view_index_metadata").build(),
+ RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*")
+ .privileges("view_index_metadata", "read").build(),
+ }, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
 .put("machine_learning_user", new RoleDescriptor("machine_learning_user", new String[] { "monitor_ml" },
 new RoleDescriptor.IndicesPrivileges[] {
 RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*", ".ml-notifications*")
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index bda5304a26141..195ec3973f8f3 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
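Review bot: The second `IndicesPrivileges` entry of the new `apm_user` descriptor grants `read` and `view_index_metadata` on `.ml-anomalies*`, and if that pattern matches the results indices of every ML job rather than only APM-related ones (the neighbouring `machine_learning_user` uses the same pattern for exactly that purpose), the role reads more anomaly data than its name suggests; that scope should either be narrowed or stated explicitly in a comment above the entry, e.g. `// apm_user is read-only; .ml-anomalies* is granted for ML-backed APM views and is not scoped to APM jobs — confirm this is intended`. The two privilege lists are also ordered differently (`"read", "view_index_metadata"` versus `"view_index_metadata", "read"`), which is harmless but worth aligning so the two grants read as identical. The enclosing `initializeReservedRoles()` starts and ends outside the hunk.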
@@ -849,6 +849,23 @@ public void testAPMSystemRole() {
 assertNoAccessAllowed(APMSystemRole, RestrictedIndicesNames.NAMES_SET);
 }
+ public void testAPMUserRole() {
+ final TransportRequest request = mock(TransportRequest.class);
+
+ final RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("apm_user");
+ assertNotNull(roleDescriptor);
+ assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
+
+ Role role = Role.builder(roleDescriptor, null).build();
+
+ assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 12)), is(false));
+
+ assertNoAccessAllowed(role, "foo");
+
+ assertOnlyReadAllowed(role, "apm-" + randomIntBetween(0, 5));
+ assertOnlyReadAllowed(role, AnomalyDetectorsIndexFields.RESULTS_INDEX_PREFIX + AnomalyDetectorsIndexFields.RESULTS_INDEX_DEFAULT);
+ }
+
 public void testMachineLearningAdminRole() {
 final TransportRequest request = mock(TransportRequest.class);
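Review bot: `request` is mocked at the top of `testAPMUserRole` but never used in the method, which suggests the cluster-privilege assertion the sibling tests make was dropped; since `apm_user` is defined with `null` cluster privileges, either assert that explicitly with `assertThat(role.cluster().check(ClusterHealthAction.NAME, request), is(false));` (importing `ClusterHealthAction` if the file does not already) or remove the unused mock. The test also omits the restricted-indices check that `testAPMSystemRole` ends with on the first context line; adding `assertNoAccessAllowed(role, RestrictedIndicesNames.NAMES_SET);` ensures a future widening of `apm-*` or `.ml-anomalies*` cannot silently reach the security indices. `Role role` could be declared `final` to match the other locals in the method.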