From d4d30a84a53ca2140d0e8a02cd0a1dd9fe3b273d Mon Sep 17 00:00:00 2001 From: janvi-elastic Date: Fri, 12 Sep 2025 19:27:29 +0530 Subject: [PATCH 1/3] Add required ilm index for delete privilege --- .../KibanaOwnedReservedRoleDescriptors.java | 16 ++++++++++++---- .../authz/store/ReservedRolesStoreTests.java | 11 ++++++++--- 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java index 5bf438ce540f4..89a3c777c2431 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java @@ -540,7 +540,9 @@ static RoleDescriptor kibanaSystem(String name) { "logs-m365_defender.vulnerability-*", "logs-microsoft_defender_endpoint.vulnerability-*", "logs-microsoft_defender_cloud.assessment-*", - "logs-sentinel_one.application_risk-*" + "logs-sentinel_one.application_risk-*", + "logs-island_browser.user-*", + "logs-island_browser.device-*" ) .privileges( "read", @@ -549,11 +551,17 @@ static RoleDescriptor kibanaSystem(String name) { TransportDeleteIndexAction.TYPE.name() ) .build(), - // For ExtraHop, QualysGAV, and SentinelOne Application Dataset specific actions. Kibana reads, writes and manages this - // index + // For ExtraHop, QualysGAV, SentinelOne Application Dataset and Island Browser specific actions. + // Kibana reads, writes and manages this index // for configured ILM policies. RoleDescriptor.IndicesPrivileges.builder() - .indices("logs-extrahop.investigation-*", "logs-qualys_gav.asset-*", "logs-sentinel_one.application-*") + .indices( + "logs-extrahop.investigation-*", + "logs-qualys_gav.asset-*", + "logs-sentinel_one.application-*", + "logs-island_browser.user-*", + "logs-island_browser.device-*" + ) .privileges( "manage", "create_index", diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 06bb32df2ae6d..2e08c77c317db 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -1774,7 +1774,9 @@ public void testKibanaSystemRole() { "logs-m365_defender.vulnerability-" + randomAlphaOfLength(randomIntBetween(0, 13)), "logs-microsoft_defender_endpoint.vulnerability-" + randomAlphaOfLength(randomIntBetween(0, 13)), "logs-microsoft_defender_cloud.assessment-" + randomAlphaOfLength(randomIntBetween(0, 13)), - "logs-sentinel_one.application_risk-" + randomAlphaOfLength(randomIntBetween(0, 13)) + "logs-sentinel_one.application_risk-" + randomAlphaOfLength(randomIntBetween(0, 13)), + "logs-island_browser.user-" + randomAlphaOfLength(randomIntBetween(0, 13)), + "logs-island_browser.device-" + randomAlphaOfLength(randomIntBetween(0, 13)) ).forEach(indexName -> { final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName); assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false)); @@ -1976,12 +1978,15 @@ public void testKibanaSystemRole() { assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true)); }); - // Tests for third-party agent indices (ExtraHop, QualysGAV, SentinelOne) that `kibana_system` has full management access to + // Tests for third-party agent indices (ExtraHop, QualysGAV, SentinelOne, Island Browser) that `kibana_system` + // has full management access to // This includes read, write, create, delete, and all ILM-related management actions. Arrays.asList( "logs-extrahop.investigation-" + randomAlphaOfLength(randomIntBetween(1, 10)), "logs-qualys_gav.asset-" + randomAlphaOfLength(randomIntBetween(1, 10)), - "logs-sentinel_one.application-" + randomAlphaOfLength(randomIntBetween(1, 10)) + "logs-sentinel_one.application-" + randomAlphaOfLength(randomIntBetween(1, 10)), + "logs-island_browser.user-" + randomAlphaOfLength(randomIntBetween(1, 10)), + "logs-island_browser.device-" + randomAlphaOfLength(randomIntBetween(1, 10)) ).forEach((index_qualys_extra_hop) -> { final IndexAbstraction indexAbstraction = mockIndexAbstraction(index_qualys_extra_hop); From fe509577bc7c15c96bfc8a6cc2b842c33d4e0d21 Mon Sep 17 00:00:00 2001 From: janvi-elastic Date: Fri, 12 Sep 2025 19:38:04 +0530 Subject: [PATCH 2/3] Add changelog --- docs/changelog/134636.yaml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 docs/changelog/134636.yaml diff --git a/docs/changelog/134636.yaml b/docs/changelog/134636.yaml new file mode 100644 index 0000000000000..3e7816a04ed61 --- /dev/null +++ b/docs/changelog/134636.yaml @@ -0,0 +1,6 @@ +pr: 134636 +summary: "[Island Browser] Add `manage`, `create_index`, `read`, `index`, `write`, `delete`, permission for third party agent indices `kibana_system`" +area: Authorization +type: enhancement +issues: + - 134136 \ No newline at end of file From 0df5fa13019d78d729b9ebe5ad47e0f79d7d2ed5 Mon Sep 17 00:00:00 2001 From: janvi-elastic Date: Mon, 15 Sep 2025 15:40:39 +0530 Subject: [PATCH 3/3] Resolved review comments --- docs/changelog/134636.yaml | 2 +- .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 4 +--- .../core/security/authz/store/ReservedRolesStoreTests.java | 4 +--- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/docs/changelog/134636.yaml b/docs/changelog/134636.yaml index 3e7816a04ed61..fac059b120b4f 100644 --- a/docs/changelog/134636.yaml +++ b/docs/changelog/134636.yaml @@ -3,4 +3,4 @@ summary: "[Island Browser] Add `manage`, `create_index`, `read`, `index`, `write area: Authorization type: enhancement issues: - - 134136 \ No newline at end of file + - 134136 diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java index 89a3c777c2431..7c60ae20f593b 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java @@ -540,9 +540,7 @@ static RoleDescriptor kibanaSystem(String name) { "logs-m365_defender.vulnerability-*", "logs-microsoft_defender_endpoint.vulnerability-*", "logs-microsoft_defender_cloud.assessment-*", - "logs-sentinel_one.application_risk-*", - "logs-island_browser.user-*", - "logs-island_browser.device-*" + "logs-sentinel_one.application_risk-*" ) .privileges( "read", diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 2e08c77c317db..8eae87cebb32d 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -1774,9 +1774,7 @@ public void testKibanaSystemRole() { "logs-m365_defender.vulnerability-" + randomAlphaOfLength(randomIntBetween(0, 13)), "logs-microsoft_defender_endpoint.vulnerability-" + randomAlphaOfLength(randomIntBetween(0, 13)), "logs-microsoft_defender_cloud.assessment-" + randomAlphaOfLength(randomIntBetween(0, 13)), - "logs-sentinel_one.application_risk-" + randomAlphaOfLength(randomIntBetween(0, 13)), - "logs-island_browser.user-" + randomAlphaOfLength(randomIntBetween(0, 13)), - "logs-island_browser.device-" + randomAlphaOfLength(randomIntBetween(0, 13)) + "logs-sentinel_one.application_risk-" + randomAlphaOfLength(randomIntBetween(0, 13)) ).forEach(indexName -> { final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName); assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));