diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index da45dd96dea..f886bd1a206 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -178,7 +178,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*").resources("*").privileges("reserved_ml").build() + .application("kibana-*").resources("*").privileges("reserved_ml_user").build() }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) .put("machine_learning_admin", new RoleDescriptor("machine_learning_admin", new String[] { "manage_ml" }, @@ -191,7 +191,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*").resources("*").privileges("reserved_ml").build() + .application("kibana-*").resources("*").privileges("reserved_ml_admin").build() }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) // DEPRECATED: to be removed in 9.0.0 @@ -206,7 +206,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*").resources("*").privileges("reserved_ml").build() + .application("kibana-*").resources("*").privileges("reserved_ml_user").build() }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) // DEPRECATED: to be removed in 9.0.0 .put("data_frame_transforms_user", new RoleDescriptor("data_frame_transforms_user", @@ -220,7 +220,7 @@ public class ReservedRolesStore implements BiConsumer, ActionListene }, new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() - .application("kibana-*").resources("*").privileges("reserved_ml").build() + .application("kibana-*").resources("*").privileges("reserved_ml_user").build() }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, null)) .put("transform_admin", new RoleDescriptor("transform_admin", new String[] { "manage_transform" }, diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 1eec8349b88..803bc234b5a 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -1168,13 +1168,13 @@ public class ReservedRolesStoreTests extends ESTestCase { assertThat(role.application().grants( new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_admin"), "*"), is(true)); final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); assertThat(role.application().grants( new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); + new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_admin"), "*"), is(false)); } public void testMachineLearningUserRole() { @@ -1256,13 +1256,13 @@ public class ReservedRolesStoreTests extends ESTestCase { assertThat(role.application().grants( new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_user"), "*"), is(true)); final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); assertThat(role.application().grants( new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); assertThat(role.application().grants( - new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); + new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_user"), "*"), is(false)); } public void testTransformAdminRole() { @@ -1304,8 +1304,8 @@ public class ReservedRolesStoreTests extends ESTestCase { new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-foo", "foo"), "*"), is(false)); if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { - assertThat(role.application() - .grants(new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); + assertThat(role.application().grants( + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_user"), "*"), is(true)); } final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); @@ -1313,7 +1313,7 @@ public class ReservedRolesStoreTests extends ESTestCase { new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); if (roleDescriptor.getName().equals("data_frame_transforms_admin")) { assertThat(role.application().grants( - new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); + new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_user"), "*"), is(false)); } } } @@ -1358,7 +1358,7 @@ public class ReservedRolesStoreTests extends ESTestCase { if (roleDescriptor.getName().equals("data_frame_transforms_user")) { assertThat(role.application().grants( - new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml"), "*"), is(true)); + new ApplicationPrivilege(kibanaApplicationWithRandomIndex, "app-reserved_ml", "reserved_ml_user"), "*"), is(true)); } final String otherApplication = "logstash-" + randomAlphaOfLengthBetween(8, 24); @@ -1366,7 +1366,7 @@ public class ReservedRolesStoreTests extends ESTestCase { new ApplicationPrivilege(otherApplication, "app-foo", "foo"), "*"), is(false)); if (roleDescriptor.getName().equals("data_frame_transforms_user")) { assertThat(role.application().grants( - new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml"), "*"), is(false)); + new ApplicationPrivilege(otherApplication, "app-reserved_ml", "reserved_ml_user"), "*"), is(false)); } } }