Give the logstash_admin role cluster:monitor/main privilege (elastic/x-pack-elasticsearch#4318)

This is required so the Logstash Centralized Configuration Management UI in Kibana may make the GET / request to Elasticsearch and retrieve the cluster UUID. It then uses this cluster UUID to make a call to a Kibana Monitoring API to retrieve a list of pipelines from Monitoring. In order for the Kibana Monitoring API request to succeed, the logged-in user needs to have the built-in monitoring_user role anyway, so we give this role the cluster:monitor/main privilege.

Original commit: elastic/x-pack-elasticsearch@bf6ad5c1df

docs/en/security/authorization.asciidoc

@@ -120,8 +120,9 @@ which store {ml} results.
 
 [[built-in-roles-monitoring-user]] `monitoring_user`::
 Grants the minimum privileges required for any user of {monitoring} other than those
-required to use {kib}. This role grants access to the monitoring indices.
-Monitoring users should also be assigned the `kibana_user` role.
+required to use {kib}. This role grants access to the monitoring indices and grants
+privileges necessary for reading basic cluster information. Monitoring users should
+also be assigned the `kibana_user` role.
 
 [[built-in-roles-remote-monitoring-agent]] `remote_monitoring_agent`::
 Grants the minimum privileges required for a remote monitoring agent to write data

plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -44,8 +44,10 @@ public class ReservedRolesStore {
                 .put("kibana_user", new RoleDescriptor("kibana_user", null, new RoleDescriptor.IndicesPrivileges[] {
                         RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index", "delete")
                                 .build() }, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
-                .put("monitoring_user", new RoleDescriptor("monitoring_user", null, new RoleDescriptor.IndicesPrivileges[] {
-                        RoleDescriptor.IndicesPrivileges.builder()
+                .put("monitoring_user", new RoleDescriptor("monitoring_user",
+                        new String[] { "cluster:monitor/main" },
+                        new RoleDescriptor.IndicesPrivileges[] {
+                            RoleDescriptor.IndicesPrivileges.builder()
                                 .indices(".monitoring-*").privileges("read", "read_cross_cluster").build()
                 },
                         null, MetadataUtils.DEFAULT_RESERVED_METADATA))

plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -25,6 +25,7 @@ import org.elasticsearch.action.index.IndexAction;
 import org.elasticsearch.action.ingest.DeletePipelineAction;
 import org.elasticsearch.action.ingest.GetPipelineAction;
 import org.elasticsearch.action.ingest.PutPipelineAction;
+import org.elasticsearch.action.main.MainAction;
 import org.elasticsearch.action.search.MultiSearchAction;
 import org.elasticsearch.action.search.SearchAction;
 import org.elasticsearch.action.update.UpdateAction;
@@ -263,6 +264,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
         Role monitoringUserRole = Role.builder(roleDescriptor, null).build();
+        assertThat(monitoringUserRole.cluster().check(MainAction.NAME), is(true));
         assertThat(monitoringUserRole.cluster().check(ClusterHealthAction.NAME), is(false));
         assertThat(monitoringUserRole.cluster().check(ClusterStateAction.NAME), is(false));
         assertThat(monitoringUserRole.cluster().check(ClusterStatsAction.NAME), is(false));