diff --git a/docs/changelog/134894.yml b/docs/changelog/134894.yml new file mode 100644 index 0000000000000..94cde7e18026c --- /dev/null +++ b/docs/changelog/134894.yml @@ -0,0 +1,6 @@ +pr: 134894 +summary: "[Cyera] Add `manage`, `create_index`, `read`, `index`, `write`, `delete`, permission for third party agent indices `kibana_system`" +area: Authorization +type: enhancement +issues: + - 134183 diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java index 5a05d37465bba..84a6e7d955613 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java @@ -500,7 +500,7 @@ static RoleDescriptor kibanaSystem(String name) { TransportDeleteIndexAction.TYPE.name() ) .build(), - // For ExtraHop, QualysGAV, SentinelOne and Island Browser specific actions. + // For ExtraHop, QualysGAV, SentinelOne, Island Browser and Cyera specific actions. // Kibana reads, writes and manages this index // for configured ILM policies. RoleDescriptor.IndicesPrivileges.builder() @@ -510,7 +510,10 @@ static RoleDescriptor kibanaSystem(String name) { "logs-sentinel_one.application-*", "logs-sentinel_one.threat_event-*", "logs-island_browser.user-*", - "logs-island_browser.device-*" + "logs-island_browser.device-*", + "logs-cyera.classification-*", + "logs-cyera.issue-*", + "logs-cyera.datastore-*" ) .privileges( "manage", diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 1e8e592b00436..90fbd3812a848 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -1894,7 +1894,7 @@ public void testKibanaSystemRole() { assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true)); }); - // Tests for third-party agent indices (ExtraHop, QualysGAV, SentinelOne, Island Browser) that `kibana_system` + // Tests for third-party agent indices (ExtraHop, QualysGAV, SentinelOne, Island Browser, Cyera) that `kibana_system` // has full management access to // This includes read, write, create, delete, and all ILM-related management actions. Arrays.asList( @@ -1903,7 +1903,10 @@ public void testKibanaSystemRole() { "logs-sentinel_one.application-" + randomAlphaOfLength(randomIntBetween(1, 10)), "logs-sentinel_one.threat_event-" + randomAlphaOfLength(randomIntBetween(1, 10)), "logs-island_browser.user-" + randomAlphaOfLength(randomIntBetween(1, 10)), - "logs-island_browser.device-" + randomAlphaOfLength(randomIntBetween(1, 10)) + "logs-island_browser.device-" + randomAlphaOfLength(randomIntBetween(1, 10)), + "logs-cyera.classification-" + randomAlphaOfLength(randomIntBetween(1, 10)), + "logs-cyera.issue-" + randomAlphaOfLength(randomIntBetween(1, 10)), + "logs-cyera.datastore-" + randomAlphaOfLength(randomIntBetween(1, 10)) ).forEach((index_qualys_extra_hop) -> { final IndexAbstraction indexAbstraction = mockIndexAbstraction(index_qualys_extra_hop);