From 8e1a9603e3b023299bdfb05a1653ce80a15c16bf Mon Sep 17 00:00:00 2001
From: jaymode
Date: Mon, 23 May 2016 18:36:22 -0400
Subject: [PATCH] security: add .reporting-* and s/.kibana/.kibana* access for the KibanaRole
This commit adds access to the reporting indices for the role that the Kibana server role has access to. This needed so that the server can use the async queue. Additionally the kibana server should have access to .kibana*
Closes elastic/elasticsearch#2323
Original commit: elastic/x-pack-elasticsearch@e930e9d872fdcb09eee70e66c400329ec99668f3
---
 .../shield/authz/permission/KibanaRole.java | 2 +-
 .../authz/permission/KibanaRoleTests.java | 32 +++++++++++++------
 2 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/KibanaRole.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/KibanaRole.java
index 83dede30eb6..c2511efbc3a 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/KibanaRole.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/KibanaRole.java
@@ -17,7 +17,7 @@ public class KibanaRole extends Role {
 private static final String[] CLUSTER_PRIVILEGES = new String[] { "monitor", MonitoringBulkAction.NAME};
 private static final RoleDescriptor.IndicesPrivileges[] INDICES_PRIVILEGES = new RoleDescriptor.IndicesPrivileges[] {
- RoleDescriptor.IndicesPrivileges.builder().indices(".kibana").privileges("all").build() };
+ RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*", ".reporting-*").privileges("all").build() };
 public static final String NAME = "kibana";
 public static final RoleDescriptor DESCRIPTOR = new RoleDescriptor(NAME, CLUSTER_PRIVILEGES, INDICES_PRIVILEGES, null);
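Review bot: The new pattern list in INDICES_PRIVILEGES grants `all` on every index matching `.kibana*` and `.reporting-*`, and nothing at the definition explains why the scope is that wide. Because `all` covers index deletion and settings updates (the accompanying tests assert both), any index whose name merely starts with `.kibana` now falls under the Kibana server's control, so it is worth confirming that no other role lets ordinary users create indices under these prefixes. I would add a comment above the builder line, e.g. `// .kibana*: Kibana's own indices; .reporting-*: async reporting queue, see elastic/elasticsearch#2323`, and check whether the reporting queue really needs `all` rather than a narrower privilege set. The class body continues outside the hunk.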
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/permission/KibanaRoleTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/permission/KibanaRoleTests.java
index b4452578074..6aefb0b1f5e 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/permission/KibanaRoleTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/permission/KibanaRoleTests.java
@@ -22,6 +22,8 @@ import org.elasticsearch.shield.user.User;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.transport.TransportRequest;
+import java.util.Arrays;
+
 import static org.hamcrest.Matchers.is;
 /**
@@ -45,17 +47,27 @@ public class KibanaRoleTests extends ESTestCase {
 assertThat(KibanaRole.INSTANCE.runAs().isEmpty(), is(true));
 }
- public void testIndices() {
- final String kibanaIndex = ".kibana";
- assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher("indices:foo").test(kibanaIndex), is(true));
- assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher("indices:bar").test(kibanaIndex), is(true));
- assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(kibanaIndex), is(true));
- assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(kibanaIndex), is(true));
- assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(IndexAction.NAME).test(kibanaIndex), is(true));
- assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(DeleteAction.NAME).test(kibanaIndex), is(true));
- assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(kibanaIndex), is(true));
-
+ public void testUnauthorizedIndices() {
 assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(IndexAction.NAME).test("foo"), is(false));
+ assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false));
 assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher("indices:foo").test(randomAsciiOfLengthBetween(8, 24)), is(false));
 }
+
+ public void testKibanaIndices() {
+ Arrays.asList(".kibana", ".kibana-devnull").forEach(this::testAllIndexAccess);
+ }
+
+ public void testReportingIndices() {
+ testAllIndexAccess(".reporting-" + randomAsciiOfLength(randomIntBetween(0, 13)));
+ }
+
+ private void testAllIndexAccess(String index) {
+ assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher("indices:foo").test(index), is(true));
+ assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher("indices:bar").test(index), is(true));
+ assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(true));
+ assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true));
+ assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));
+ assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
+ assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
+ }
 }
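Review bot: testUnauthorizedIndices covers a near miss for the reporting pattern (`.reporting`) but has no equivalent for the widened `.kibana*` pattern, so the deny side of that wildcard is untested. Adding cases just outside the prefix, for example `.test(".kiban")` and `.test("kibana")` with `is(false)`, would pin the boundary of the grant and catch a later loosening of the pattern. Separately, the private helper `testAllIndexAccess` carries the `test` prefix used for test methods; a name such as `assertAllIndexAccess` would read less like a test case.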