security: add delete permissions to kibana_user role

Closes elastic/elasticsearch#2393

Original commit: elastic/x-pack-elasticsearch@4a096befd0

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/KibanaUserRole.java

@@ -13,7 +13,7 @@ public class KibanaUserRole extends Role {
 
     private static final String[] CLUSTER_PRIVILEGES = new String[] { "monitor" };
     private static final RoleDescriptor.IndicesPrivileges[] INDICES_PRIVILEGES = new RoleDescriptor.IndicesPrivileges[] {
-            RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index").build() };
+            RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*").privileges("manage", "read", "index", "delete").build() };
 
     public static final String NAME = "kibana_user";
     public static final RoleDescriptor DESCRIPTOR = new RoleDescriptor(NAME, CLUSTER_PRIVILEGES, INDICES_PRIVILEGES, null);

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/KibanaUserRoleIntegTests.java

@@ -5,12 +5,15 @@
  */
 package org.elasticsearch.integration;
 
+import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
 import org.elasticsearch.action.admin.indices.get.GetIndexResponse;
 import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsResponse;
 import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsResponse.FieldMappingMetaData;
 import org.elasticsearch.action.admin.indices.validate.query.ValidateQueryResponse;
+import org.elasticsearch.action.delete.DeleteResponse;
 import org.elasticsearch.action.fieldstats.FieldStats;
 import org.elasticsearch.action.fieldstats.FieldStatsResponse;
+import org.elasticsearch.action.index.IndexResponse;
 import org.elasticsearch.action.search.MultiSearchResponse;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.index.query.QueryBuilders;
@@ -162,6 +165,33 @@ public class KibanaUserRoleIntegTests extends ShieldIntegTestCase {
         assertThat(response.getIndices(), arrayContaining(index));
     }
 
+    public void testCreateIndexDeleteInKibanaIndex() throws Exception {
+        final String index = randomBoolean()? ".kibana" : ".kibana-" + randomAsciiOfLengthBetween(1, 10);
+
+        if (randomBoolean()) {
+            CreateIndexResponse createIndexResponse = client().filterWithHeader(singletonMap("Authorization",
+                    UsernamePasswordToken.basicAuthHeaderValue("kibana_user", USERS_PASSWD)))
+                    .admin().indices().prepareCreate(index).get();
+            assertThat(createIndexResponse.isAcknowledged(), is(true));
+        }
+
+        IndexResponse response = client()
+                .filterWithHeader(singletonMap("Authorization", UsernamePasswordToken.basicAuthHeaderValue("kibana_user", USERS_PASSWD)))
+                .prepareIndex()
+                .setIndex(index)
+                .setType("dashboard")
+                .setSource("foo", "bar")
+                .setRefresh(true)
+                .get();
+        assertThat(response.isCreated(), is(true));
+
+        DeleteResponse deleteResponse = client()
+                .filterWithHeader(singletonMap("Authorization", UsernamePasswordToken.basicAuthHeaderValue("kibana_user", USERS_PASSWD)))
+                .prepareDelete(index, "dashboard", response.getId())
+                .get();
+        assertThat(deleteResponse.isFound(), is(true));
+    }
+
     // TODO: When we have an XPackIntegTestCase, this should test that we can send MonitoringBulkActions
 
 }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/permission/KibanaUserRoleTests.java

@@ -60,8 +60,8 @@ public class KibanaUserRoleTests extends ESTestCase {
     private void testIndexAccess(String index) {
         assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher("indices:foo").test(index), is(false));
         assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher("indices:bar").test(index), is(false));
-        assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(false));
 
+        assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
         assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(true));
         assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true));
         assertThat(KibanaUserRole.INSTANCE.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));