From 03f672914ecbf5dab4930d8ef393a5176d105996 Mon Sep 17 00:00:00 2001
From: Devin Hurley
Date: Fri, 23 Apr 2021 15:17:51 -0400
Subject: [PATCH 1/3] adds .alerts and .siem-signals (legacy) alerts as data indices for kibana user access
---
 .../security/authz/store/ReservedRolesStore.java | 12 ++++++++++++
 .../authz/store/ReservedRolesStoreTests.java | 4 +++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index ac41b108d385d..8e79ac684620a 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -37,6 +37,8 @@ import java.util.stream.Collectors;
 public class ReservedRolesStore implements BiConsumer, ActionListener> {
+ public static final String LEGACY_ALERTS_INDEX = ".siem-signals*";
+ public static final String ALERTS_INDEX = ".alerts*";
 public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor("superuser", new String[] { "all" },
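Review bot: `LEGACY_ALERTS_INDEX` and `ALERTS_INDEX` are named like index names but hold wildcard patterns (`.siem-signals*`, `.alerts*`), and both are added as public constants with no Javadoc. These strings are used later in this commit as the index patterns of a reserved role, so the granted scope should be obvious to anyone auditing that role. A name such as `ALERTS_INDEX_PATTERN`, or a one-line comment like `/** Wildcard pattern: covers every index whose name starts with ".alerts". */`, would do that. The current naming also invites using the constants as if they were concrete index names, which the test changes in this series do.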
@@ -172,6 +174,16 @@ private static Map initializeReservedRoles() {
 RoleDescriptor.IndicesPrivileges.builder()
 .indices(".fleet*")
 .privileges("all").build(),
+ // Legacy "Alerts as data" index. Kibana user will create this index.
+ // Kibana user will read / write to these indices
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.LEGACY_ALERTS_INDEX)
+ .privileges("all").build(),
+ // "Alerts as data" index. Kibana user will create this index.
+ // Kibana user will read / write to these indices
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.ALERTS_INDEX)
+ .privileges("all").build(),
 },
 null,
 new ConfigurableClusterPrivilege[] { new ManageApplicationPrivileges(Collections.singleton("kibana-*")) },
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 1ff62e6634cf5..361c47e49beaa 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -400,7 +400,9 @@ public void testKibanaSystemRole() {
 ".kibana-devnull",
 ".reporting-" + randomAlphaOfLength(randomIntBetween(0, 13)),
 ".apm-agent-configuration",
- ".apm-custom-link"
+ ".apm-custom-link",
+ ReservedRolesStore.LEGACY_ALERTS_INDEX,
+ ReservedRolesStore.ALERTS_INDEX
 ).forEach((index) -> {
 logger.info("index name [{}]", index);
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(true));
From d91f39b0d7163b35c859738626fcb2fa0063e033 Mon Sep 17 00:00:00 2001
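Review bot: Both new `IndicesPrivileges` entries in `initializeReservedRoles()` grant `all` on a wildcard (`.siem-signals*`, `.alerts*`), while their comments only justify creating the index and reading and writing documents. `all` also covers index deletion and settings management, so this role fully controls any index matching the prefix, whoever created it. If Kibana does not need the wider set, narrow the grant, e.g. `.privileges("create_index", "read", "write")` plus whichever management privilege is actually required. If `all` has to stay, state the reason in the comment. The enclosing array and method start and end outside the hunk, so the rest of the role definition is not visible here.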
From: Devin Hurley
Date: Thu, 29 Apr 2021 18:53:18 -0400
Subject: [PATCH 2/3] adds CCS index patterns to kibana system user privileges
---
 .../core/security/authz/store/ReservedRolesStore.java | 10 ++++++++++
 .../security/authz/store/ReservedRolesStoreTests.java | 4 +++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 8e79ac684620a..e2f355954f4ba 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -38,7 +38,9 @@ public class ReservedRolesStore implements BiConsumer, ActionListener> {
 public static final String LEGACY_ALERTS_INDEX = ".siem-signals*";
+ public static final String LEGACY_ALERTS_INDEX_CCS = "*:.siem-signals*";
 public static final String ALERTS_INDEX = ".alerts*";
+ public static final String ALERTS_INDEX_CCS = "*:.alerts*";
 public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor("superuser", new String[] { "all" },
@@ -184,6 +186,14 @@ private static Map initializeReservedRoles() {
 RoleDescriptor.IndicesPrivileges.builder()
 .indices(ReservedRolesStore.ALERTS_INDEX)
 .privileges("all").build(),
+ // Legacy "Alerts as data" CCS
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.LEGACY_ALERTS_INDEX_CCS)
+ .privileges("all").build(),
+ // Legacy "Alerts as data" CCS
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices(ReservedRolesStore.ALERTS_INDEX_CCS)
+ .privileges("all").build(),
 },
 null,
 new ConfigurableClusterPrivilege[] { new ManageApplicationPrivileges(Collections.singleton("kibana-*")) },
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 361c47e49beaa..2eebe5ec93615 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -402,7 +402,9 @@ public void testKibanaSystemRole() {
 ".apm-agent-configuration",
 ".apm-custom-link",
 ReservedRolesStore.LEGACY_ALERTS_INDEX,
- ReservedRolesStore.ALERTS_INDEX
+ ReservedRolesStore.ALERTS_INDEX,
+ ReservedRolesStore.LEGACY_ALERTS_INDEX_CCS,
+ ReservedRolesStore.ALERTS_INDEX_CCS
 ).forEach((index) -> {
 logger.info("index name [{}]", index);
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(true));
From bfe416a4d173d402966fed10c14991a5b2256d01 Mon Sep 17 00:00:00 2001
From: Devin Hurley
Date: Tue, 11 May 2021 19:32:24 -0400
Subject: [PATCH 3/3] remove CCS patterns and update test
---
 .../security/authz/store/ReservedRolesStore.java | 12 +-----------
 .../authz/store/ReservedRolesStoreTests.java | 6 ++----
 2 files changed, 3 insertions(+), 15 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index e2f355954f4ba..5edfe51afd5ef 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -38,9 +38,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListener> {
 public static final String LEGACY_ALERTS_INDEX = ".siem-signals*";
- public static final String LEGACY_ALERTS_INDEX_CCS = "*:.siem-signals*";
 public static final String ALERTS_INDEX = ".alerts*";
- public static final String ALERTS_INDEX_CCS = "*:.alerts*";
 public static final RoleDescriptor SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor("superuser", new String[] { "all" },
@@ -185,15 +183,7 @@ private static Map initializeReservedRoles() {
 // Kibana user will read / write to these indices
 RoleDescriptor.IndicesPrivileges.builder()
 .indices(ReservedRolesStore.ALERTS_INDEX)
- .privileges("all").build(),
- // Legacy "Alerts as data" CCS
- RoleDescriptor.IndicesPrivileges.builder()
- .indices(ReservedRolesStore.LEGACY_ALERTS_INDEX_CCS)
- .privileges("all").build(),
- // Legacy "Alerts as data" CCS
- RoleDescriptor.IndicesPrivileges.builder()
- .indices(ReservedRolesStore.ALERTS_INDEX_CCS)
- .privileges("all").build(),
+ .privileges("all").build()
 },
 null,
 new ConfigurableClusterPrivilege[] { new ManageApplicationPrivileges(Collections.singleton("kibana-*")) },
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 2eebe5ec93615..e830bec9ab4b7 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -401,10 +401,8 @@ public void testKibanaSystemRole() {
 ".reporting-" + randomAlphaOfLength(randomIntBetween(0, 13)),
 ".apm-agent-configuration",
 ".apm-custom-link",
- ReservedRolesStore.LEGACY_ALERTS_INDEX,
- ReservedRolesStore.ALERTS_INDEX,
- ReservedRolesStore.LEGACY_ALERTS_INDEX_CCS,
- ReservedRolesStore.ALERTS_INDEX_CCS
+ ReservedRolesStore.LEGACY_ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)),
+ ReservedRolesStore.ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13))
 ).forEach((index) -> {
 logger.info("index name [{}]", index);
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(mockIndexAbstraction(index)), is(true));
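Review bot: The two added list entries append the random suffix to the pattern constants, so the names under test look like `.siem-signals*abc` and still contain the literal `*`. The assertion passes because the wildcard matches any trailing text, but no realistic index name is exercised, and a suffix length of 0 tests the pattern string itself. Building the name from a literal prefix, e.g. `".alerts-" + randomAlphaOfLength(randomIntBetween(1, 13))` and the same for `.siem-signals-`, would check what the role is meant to allow. The rest of `testKibanaSystemRole()` continues outside the hunk; if it does not already do so, a negative assertion for a near-miss name that should not match these two patterns would guard against the grant widening later.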