diff --git a/docs/en/security/authorization.asciidoc b/docs/en/security/authorization.asciidoc
index aea034f81ca..4a3ffe399de 100644
--- a/docs/en/security/authorization.asciidoc
+++ b/docs/en/security/authorization.asciidoc
@@ -120,8 +120,9 @@ which store {ml} results.
 [[built-in-roles-monitoring-user]]
 `monitoring_user`::
 Grants the minimum privileges required for any user of {monitoring} other than those
-required to use {kib}. This role grants access to the monitoring indices.
-Monitoring users should also be assigned the `kibana_user` role.
+required to use {kib}. This role grants access to the monitoring indices and grants
+privileges necessary for reading basic cluster information. Monitoring users should
+also be assigned the `kibana_user` role.
 [[built-in-roles-remote-monitoring-agent]]
 `remote_monitoring_agent`::
 Grants the minimum privileges required for a remote monitoring agent to write data
diff --git a/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index c45ebb10d73..059c4dfbb65 100644
--- a/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -44,8 +44,10 @@ public class ReservedRolesStore {
 .put("kibana_user", new RoleDescriptor("kibana_user", null, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index", "delete") .build() }, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
- .put("monitoring_user", new RoleDescriptor("monitoring_user", null, new RoleDescriptor.IndicesPrivileges[] {
- RoleDescriptor.IndicesPrivileges.builder()
+ .put("monitoring_user", new RoleDescriptor("monitoring_user",
+ new String[] { "cluster:monitor/main" },
+ new RoleDescriptor.IndicesPrivileges[] {
+ RoleDescriptor.IndicesPrivileges.builder()
 .indices(".monitoring-*").privileges("read", "read_cross_cluster").build() }, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
diff --git a/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 3fc96287826..b25f3f374b3 100644
--- a/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -25,6 +25,7 @@ import org.elasticsearch.action.index.IndexAction;
 import org.elasticsearch.action.ingest.DeletePipelineAction;
 import org.elasticsearch.action.ingest.GetPipelineAction;
 import org.elasticsearch.action.ingest.PutPipelineAction;
+import org.elasticsearch.action.main.MainAction;
 import org.elasticsearch.action.search.MultiSearchAction;
 import org.elasticsearch.action.search.SearchAction;
 import org.elasticsearch.action.update.UpdateAction;
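Review bot: The new cluster grant on the `monitoring_user` descriptor is the literal `"cluster:monitor/main"`, which duplicates the value the test hunk in ReservedRolesStoreTests reads as `MainAction.NAME`; referencing the constant there too, `new String[] { MainAction.NAME },`, keeps the reserved role and its test from drifting apart if the action name ever changes. Because this widens a reserved role that existing users already hold, the intent deserves a line comment next to the grant, e.g. `// only the main (basic cluster info) action, deliberately not the broader "monitor" privilege`, so a later edit does not casually replace it with a named privilege that also opens health/state/stats. The `.put(...)` chain is part of a builder statement that starts and ends outside the hunk.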
@@ -263,6 +264,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 Role monitoringUserRole = Role.builder(roleDescriptor, null).build();
+ assertThat(monitoringUserRole.cluster().check(MainAction.NAME), is(true));
 assertThat(monitoringUserRole.cluster().check(ClusterHealthAction.NAME), is(false));
 assertThat(monitoringUserRole.cluster().check(ClusterStateAction.NAME), is(false));
 assertThat(monitoringUserRole.cluster().check(ClusterStatsAction.NAME), is(false));