From 2257cc77f6d1e7bc7784aaaf14794acf637f1f0d Mon Sep 17 00:00:00 2001
From: jaymode <jay.modi@elasticsearch.com>
Date: Wed, 7 Sep 2016 19:19:02 -0400
Subject: [PATCH] security: add reserved metadata to the ingest admin role

Closes elastic/elasticsearch#3376

Original commit: elastic/x-pack-elasticsearch@1909da2fb05fff9a881660d5128336e8d10363d4
---
 .../xpack/security/authz/permission/IngestAdminRole.java     | 4 +++-
 .../security/authz/permission/IngestAdminRoleTests.java      | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/permission/IngestAdminRole.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/permission/IngestAdminRole.java
index 12581d36e98..72ff9f06ba7 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/permission/IngestAdminRole.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/permission/IngestAdminRole.java
@@ -8,6 +8,7 @@ package org.elasticsearch.xpack.security.authz.permission;
 import org.elasticsearch.xpack.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.security.authz.privilege.ClusterPrivilege;
 import org.elasticsearch.xpack.security.authz.privilege.Privilege.Name;
+import org.elasticsearch.xpack.security.support.MetadataUtils;
 
 /**
  * Role for users that should be allowed to use the Add Data/Ingest features in the UI
@@ -18,7 +19,8 @@ public class IngestAdminRole extends Role {
     private static final RoleDescriptor.IndicesPrivileges[] INDICES_PRIVILEGES = new RoleDescriptor.IndicesPrivileges[0];
 
     public static final String NAME = "ingest_admin";
-    public static final RoleDescriptor DESCRIPTOR = new RoleDescriptor(NAME, CLUSTER_PRIVILEGES, INDICES_PRIVILEGES, null);
+    public static final RoleDescriptor DESCRIPTOR =
+            new RoleDescriptor(NAME, CLUSTER_PRIVILEGES, INDICES_PRIVILEGES, null, MetadataUtils.DEFAULT_RESERVED_METADATA);
     public static final IngestAdminRole INSTANCE = new IngestAdminRole();
 
     private IngestAdminRole() {
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authz/permission/IngestAdminRoleTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authz/permission/IngestAdminRoleTests.java
index 266c44f36ba..efb4d61ae84 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authz/permission/IngestAdminRoleTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authz/permission/IngestAdminRoleTests.java
@@ -20,6 +20,7 @@ import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.xpack.monitoring.action.MonitoringBulkAction;
 import org.elasticsearch.xpack.security.authc.Authentication;
 
+import static org.hamcrest.Matchers.hasEntry;
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.mock;
 
@@ -48,4 +49,8 @@ public class IngestAdminRoleTests extends ESTestCase {
         assertThat(IngestAdminRole.INSTANCE.indices().allowedIndicesMatcher(GetAction.NAME).test(randomAsciiOfLengthBetween(8, 24)),
                 is(false));
     }
+
+    public void testHasReservedMetadata() {
+        assertThat(IngestAdminRole.DESCRIPTOR.getMetadata(), hasEntry("_reserved", true));
+    }
 }