Whitelist global checkpoint sync actions

This commit whitelists the global checkpoint sync actions as otherwise
these actions do not have privileges to run as the system user and will
be denied as unauthorized.

Relates elastic/x-pack-elasticsearch#2604

Original commit: elastic/x-pack-elasticsearch@598ae1ff50

plugin/src/main/java/org/elasticsearch/xpack/security/authz/privilege/SystemPrivilege.java

@@ -22,7 +22,8 @@ public final class SystemPrivilege extends Privilege {
             "cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener
             "indices:admin/mapping/put", // needed for recovery and shrink api
             "indices:admin/template/put", // needed for the TemplateUpgradeService
-            "indices:admin/template/delete" // needed for the TemplateUpgradeService
+            "indices:admin/template/delete", // needed for the TemplateUpgradeService
+            "indices:admin/seq_no/global_checkpoint_sync*" // needed for global checkpoint syncs
     ), Automatons.patterns("internal:transport/proxy/*"))); // no proxy actions for system user!
 
     private SystemPrivilege() {

plugin/src/test/java/org/elasticsearch/xpack/security/authz/privilege/PrivilegeTests.java

@@ -123,5 +123,8 @@ public class PrivilegeTests extends ESTestCase {
         assertThat(predicate.test("indices:admin/mapping/put"), is(true));
         assertThat(predicate.test("indices:admin/mapping/whatever"), is(false));
         assertThat(predicate.test("internal:transport/proxy/indices:data/read/query"), is(false));
+        assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync"), is(true));
+        assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[p]"), is(true));
+        assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[r]"), is(true));
     }
 }