Add auto_configure privilege

client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java

@@ -352,8 +352,10 @@ public final class Role {
         public static final String MANAGE_ILM = "manage_ilm";
         public static final String CREATE_DOC = "create_doc";
         public static final String MAINTENANCE = "maintenance";
+        public static final String AUTO_CONFIGURE = "auto_configure";
         public static final String[] ALL_ARRAY = new String[] { NONE, ALL, READ, READ_CROSS, CREATE, INDEX, DELETE, WRITE, MONITOR, MANAGE,
-                DELETE_INDEX, CREATE_INDEX, VIEW_INDEX_METADATA, MANAGE_FOLLOW_INDEX, MANAGE_ILM, CREATE_DOC, MAINTENANCE };
+                DELETE_INDEX, CREATE_INDEX, VIEW_INDEX_METADATA, MANAGE_FOLLOW_INDEX, MANAGE_ILM, CREATE_DOC, MAINTENANCE,
+            AUTO_CONFIGURE};
     }
 
 }

x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc

@@ -100,6 +100,7 @@ A successful call returns an object with "cluster" and "index" fields.
   ],
   "index" : [
     "all",
+    "auto_configure",
     "create",
     "create_doc",
     "create_index",

x-pack/docs/en/security/authorization/privileges.asciidoc

@@ -150,6 +150,17 @@ cluster to enable <<cross-cluster-configuring,Cross Cluster Search>>.
 `all`::
 Any action on an index
 
+`auto_configure`::
+Permits auto-creation of indices and data streams. An auto-create action is the
+result of an <<docs-index_,index>> or <<docs-bulk,bulk>> request that targets a
+non-existent index or data stream rather than an explicit
+<<indices-create-index,create index>> or
+<<indices-create-data-stream,create data stream>> request. Also permits
+auto-update of mappings on indices and data streams if they do not contradict
+existing mappings. An auto-update mapping action is the result of an index or
+bulk request on an index or data stream that contains new fields that may
+be mapped rather than an explicit <<indices-put-mapping,put mapping>> request.
+
 `create`::
 Privilege to index documents. Also grants access to the update mapping
 action.

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java

@@ -79,6 +79,7 @@ public final class IndexPrivilege extends Privilege {
     private static final Automaton MANAGE_ILM_AUTOMATON = patterns("indices:admin/ilm/*");
     private static final Automaton MAINTENANCE_AUTOMATON = patterns("indices:admin/refresh*", "indices:admin/flush*",
         "indices:admin/synced_flush", "indices:admin/forcemerge*");
+    private static final Automaton AUTO_CONFIGURE_AUTOMATON = patterns(AutoPutMappingAction.NAME, AutoCreateAction.NAME);
 
     public static final IndexPrivilege NONE =                new IndexPrivilege("none",                Automatons.EMPTY);
     public static final IndexPrivilege ALL =                 new IndexPrivilege("all",                 ALL_AUTOMATON);
@@ -96,8 +97,9 @@ public final class IndexPrivilege extends Privilege {
     public static final IndexPrivilege VIEW_METADATA =       new IndexPrivilege("view_index_metadata", VIEW_METADATA_AUTOMATON);
     public static final IndexPrivilege MANAGE_FOLLOW_INDEX = new IndexPrivilege("manage_follow_index", MANAGE_FOLLOW_INDEX_AUTOMATON);
     public static final IndexPrivilege MANAGE_LEADER_INDEX = new IndexPrivilege("manage_leader_index", MANAGE_LEADER_INDEX_AUTOMATON);
-    public static final IndexPrivilege MANAGE_ILM = new IndexPrivilege("manage_ilm", MANAGE_ILM_AUTOMATON);
-    public static final IndexPrivilege MAINTENANCE = new IndexPrivilege("maintenance", MAINTENANCE_AUTOMATON);
+    public static final IndexPrivilege MANAGE_ILM =          new IndexPrivilege("manage_ilm",          MANAGE_ILM_AUTOMATON);
+    public static final IndexPrivilege MAINTENANCE =         new IndexPrivilege("maintenance",         MAINTENANCE_AUTOMATON);
+    public static final IndexPrivilege AUTO_CONFIGURE =      new IndexPrivilege("auto_configure",      AUTO_CONFIGURE_AUTOMATON);
 
     private static final Map<String, IndexPrivilege> VALUES = MapBuilder.<String, IndexPrivilege>newMapBuilder()
             .put("none", NONE)
@@ -118,6 +120,7 @@ public final class IndexPrivilege extends Privilege {
             .put("manage_leader_index", MANAGE_LEADER_INDEX)
             .put("manage_ilm", MANAGE_ILM)
             .put("maintenance", MAINTENANCE)
+            .put("auto_configure", AUTO_CONFIGURE)
             .immutableMap();
 
     public static final Predicate<String> ACTION_MATCHER = ALL.predicate();

x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml

@@ -16,4 +16,4 @@ setup:
   # I would much prefer we could just check that specific entries are in the array, but we don't have
   # an assertion for that
   - length: { "cluster" : 36 }
-  - length: { "index" : 18 }
+  - length: { "index" : 19 }

x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/50_data_streams.yml

@@ -90,6 +90,7 @@ teardown:
   - skip:
       version: " - 7.99.99"
       reason: "change to 7.8.99 after backport"
+      features: ["headers"]
 
   - do: # superuser
       indices.create_data_stream:
@@ -151,6 +152,7 @@ teardown:
   - skip:
       version: " - 7.99.99"
       reason: "change to 7.8.99 after backport"
+      features: ["headers"]
 
   - do: # superuser
       indices.create_data_stream:
@@ -303,3 +305,64 @@ teardown:
       indices.delete_data_stream:
         name: s-outside-of-authed-namespace
   - is_true: acknowledged
+
+---
+"auto_configure privilege permits auto-create of data streams":
+  - skip:
+      version: " - 7.99.99"
+      reason: "change to 7.8.99 after backport"
+      features: ["headers", "allowed_warnings"]
+
+  - do:
+      allowed_warnings:
+        - "index template [my-template1] has index patterns [simple*] matching patterns from existing older templates [global] with patterns (global => [*]); this template [my-template1] will take precedence during new index creation"
+      indices.put_index_template:
+        name: my-template1
+        body:
+          index_patterns: [simple*]
+          template:
+            mappings:
+              properties:
+                '@timestamp':
+                  type: date
+          data_stream:
+            timestamp_field: '@timestamp'
+
+  - do:
+      security.put_role:
+        name: "data_stream_role"
+        body:  >
+          {
+            "indices": [
+              { "names": ["simple-allows-auto-configure"], "privileges": ["create_doc", "auto_configure"] },
+              { "names": ["simple-data-stream1"], "privileges": ["create_doc"] }
+            ]
+          }
+
+  - do:
+      security.clear_cached_roles:
+        name: "data_stream_role"
+
+  # should succeed because test_user is authorized for auto_configure on simple-allows-auto-configure
+  - do:
+      headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
+      index:
+        index:  simple-allows-auto-configure
+        id:       1
+        op_type:  create
+        body:   { foo: bar, "@timestamp": "2020-12-12" }
+
+  # should fail because test_user is not authorized for auto_configure on simple-data-stream1
+  - do:
+      catch: forbidden
+      headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
+      index:
+        index:  simple-data-stream1
+        id:       1
+        op_type:  create
+        body:   { foo: bar, "@timestamp": "2020-12-12" }
+
+  - do: # superuser
+      indices.delete_data_stream:
+        name: simple-allows-auto-configure
+  - is_true: acknowledged

x-pack/plugin/src/test/resources/rest-api-spec/test/security/authz/55_auto_configure.yml

@@ -0,0 +1,82 @@
+---
+setup:
+  - skip:
+      features: ["headers", "allowed_warnings"]
+      version: " - 7.99.99"
+      reason: "change to 7.8.99 after backport"
+
+  - do:
+      cluster.health:
+        wait_for_status: yellow
+
+  - do:
+      security.put_role:
+        name: "ingest_role"
+        body:  >
+          {
+            "indices": [
+              { "names": ["index-auto-configure"], "privileges": ["create_doc", "auto_configure"] },
+              { "names": ["index-limited"], "privileges": ["create_doc"] }
+            ]
+          }
+
+  - do:
+      security.put_user:
+        username: "test_user"
+        body:  >
+          {
+            "password" : "x-pack-test-password",
+            "roles" : [ "ingest_role" ],
+            "full_name" : "user with privileges on data streams but not backing indices"
+          }
+
+  - do:
+      allowed_warnings:
+        - "index template [my-template1] has index patterns [index*] matching patterns from existing older templates [global] with patterns (global => [*]); this template [my-template1] will take precedence during new index creation"
+      indices.put_index_template:
+        name: my-template1
+        body:
+          index_patterns: [index*]
+          template:
+            mappings:
+              properties:
+                '@timestamp':
+                  type: date
+
+---
+teardown:
+  - do:
+      security.delete_user:
+        username: "test_user"
+        ignore: 404
+
+  - do:
+      security.delete_role:
+        name: "ingest_role"
+        ignore: 404
+
+---
+"auto_configure privilege permits auto-create of indices":
+  - skip:
+      version: " - 7.99.99"
+      reason: "change to 7.8.99 after backport"
+      features: ["headers", "allowed_warnings"]
+
+  # should succeed because test_user is authorized for auto_configure on index-auto-configure
+  - do:
+      headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
+      index:
+        index:  index-auto-configure
+        id:       1
+        op_type:  create
+        body:   { foo: bar, "@timestamp": "2020-12-12" }
+
+  # should fail because test_user is not authorized for auto_configure on index-limited
+  - do:
+      catch: forbidden
+      headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
+      index:
+        index:  index-limited
+        id:       1
+        op_type:  create
+        body:   { "@timestamp": "2020-12-12" }