From 99c5ed6b4f60cc75e07259e3743b4a19a6141497 Mon Sep 17 00:00:00 2001
From: muskan-agarwal26 <165268590+muskan-agarwal26@users.noreply.github.com>
Date: Fri, 26 Sep 2025 11:22:47 +0530
Subject: [PATCH] [Cyera] - Fix Cannot execute ILM policy delete step (#134894)
This PR focuses on the short term solution which add the logs-cyera.classification-*, logs-cyera.issue-* and logs-cyera.datastore-* indices under the kibana_system role with deletion privileges to prevent a failed deletion error when the index enters the deletion phase for the ILM lifecycle, in upcoming PR. As it ships transform pipeline too hence read, write permissions are also required.
---------
Co-authored-by: muskan-crest
Co-authored-by: elasticsearchmachine
Co-authored-by: Elena Shostak <165678770+elena-shostak@users.noreply.github.com>
Co-authored-by: Shourie Ganguly
(cherry picked from commit e31eb4b3eda1e0ae984043b11ad3ab9e4bc728f7)
---
 docs/changelog/134894.yml | 6 ++++++
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 7 +++++--
 .../core/security/authz/store/ReservedRolesStoreTests.java | 7 +++++--
 3 files changed, 16 insertions(+), 4 deletions(-)
 create mode 100644 docs/changelog/134894.yml
diff --git a/docs/changelog/134894.yml b/docs/changelog/134894.yml
new file mode 100644
index 0000000000000..94cde7e18026c
--- /dev/null
+++ b/docs/changelog/134894.yml
@@ -0,0 +1,6 @@
+pr: 134894
+summary: "[Cyera] Add `manage`, `create_index`, `read`, `index`, `write`, `delete`, permission for third party agent indices `kibana_system`"
+area: Authorization
+type: enhancement
+issues:
+ - 134183
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index e7322ad3bbb36..0de88b6844043 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -536,7 +536,7 @@ static RoleDescriptor kibanaSystem(String name) {
 TransportDeleteIndexAction.TYPE.name()
 )
 .build(),
- // For ExtraHop, QualysGAV, SentinelOne Application Dataset and Island Browser specific actions.
+ // For ExtraHop, QualysGAV, SentinelOne Application Dataset, Island Browser and Cyera specific actions.
 // Kibana reads, writes and manages this index
 // for configured ILM policies.
 RoleDescriptor.IndicesPrivileges.builder()
@@ -545,7 +545,10 @@ static RoleDescriptor kibanaSystem(String name) {
 "logs-qualys_gav.asset-*",
 "logs-sentinel_one.application-*",
 "logs-island_browser.user-*",
- "logs-island_browser.device-*"
+ "logs-island_browser.device-*",
+ "logs-cyera.classification-*",
+ "logs-cyera.issue-*",
+ "logs-cyera.datastore-*"
 )
 .privileges(
 "manage",
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 0cdca7f0324d7..19e3621578bd5 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
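Review bot: The three `logs-cyera.*` patterns in the second hunk are added under a comment that still says only that Kibana manages these indices "for configured ILM policies", while the commit description calls this a short-term grant and says read and write are needed because the integration ships a transform. `kibana_system` is a reserved role, so every pattern added here widens what the Kibana service account can read, write and delete wherever the role is used, and a later reviewer cannot tell from the code which entries are temporary or why they need more than delete. I would record that beside the patterns, for example `// Cyera: delete for the ILM delete phase, read/index/write for the shipped transform; short-term grant, see #134894`. The `.privileges(` list continues outside the hunk, so the full privilege set applied to these patterns is not visible here.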
@@ -1915,7 +1915,7 @@ public void testKibanaSystemRole() {
 assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
 });
- // Tests for third-party agent indices (ExtraHop, QualysGAV, SentinelOne, Island Browser) that `kibana_system`
+ // Tests for third-party agent indices (ExtraHop, QualysGAV, SentinelOne, Island Browser, Cyera) that `kibana_system`
 // has full management access to
 // This includes read, write, create, delete, and all ILM-related management actions.
 Arrays.asList(
@@ -1923,7 +1923,10 @@ public void testKibanaSystemRole() {
 "logs-qualys_gav.asset-" + randomAlphaOfLength(randomIntBetween(1, 10)),
 "logs-sentinel_one.application-" + randomAlphaOfLength(randomIntBetween(1, 10)),
 "logs-island_browser.user-" + randomAlphaOfLength(randomIntBetween(1, 10)),
- "logs-island_browser.device-" + randomAlphaOfLength(randomIntBetween(1, 10))
+ "logs-island_browser.device-" + randomAlphaOfLength(randomIntBetween(1, 10)),
+ "logs-cyera.classification-" + randomAlphaOfLength(randomIntBetween(1, 10)),
+ "logs-cyera.issue-" + randomAlphaOfLength(randomIntBetween(1, 10)),
+ "logs-cyera.datastore-" + randomAlphaOfLength(randomIntBetween(1, 10))
 ).forEach((index_qualys_extra_hop) -> {
 final IndexAbstraction indexAbstraction = mockIndexAbstraction(index_qualys_extra_hop);
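Review bot: The Cyera entries in the second hunk are only added to the list of indices that must be allowed, so nothing pins that the grant stops at the `classification`, `issue` and `datastore` datasets. A negative case next to this list would catch a later widening of the pattern, for example asserting `is(false)` for `allowedIndicesMatcher(TransportDeleteIndexAction.TYPE.name())` on a constructed name such as `"logs-cyera.other-" + randomAlphaOfLength(5)`, provided no other grant in the role covers that name. The lambda parameter `index_qualys_extra_hop` also no longer describes what the list holds. The `forEach` body continues outside the hunk, so the assertions it runs are not visible here.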