Security: add manage_index_templates to the kibana_system role (elastic/x-pack-elasticsearch#3009)

This commit adds the manage_index_templates permission to the kibana_system role that is used by
the kibana system user. This is needed due to an upcoming feature in kibana where a index template
will be used to create the saved objects index.

relates elastic/x-pack-elasticsearch#2937

Original commit: elastic/x-pack-elasticsearch@85a67c73aa

docs/en/security/authorization.asciidoc

@@ -73,9 +73,9 @@ information, see
 
 [[built-in-roles-kibana-system]] `kibana_system` ::
 Grants access necessary for the {kib} system user to read from and write to the
-{kib} indices and check the availability of the {es} cluster. This role grants
-read access to the `.monitoring-*` indices and read and write access to the
-`.reporting-*` indices. For more information, see
+{kib} indices, manage index templates, and check the availability of the {es} cluster.
+This role grants read access to the `.monitoring-*` indices and read and write access
+to the `.reporting-*` indices. For more information, see
 {kibana-ref}/using-kibana-with-security.html[Configuring Security in {kib}].
 +
 NOTE: This role should not be assigned to users as the granted permissions may

plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java

@@ -73,7 +73,8 @@ public class ReservedRolesStore {
                         },
                         null,
                         MetadataUtils.DEFAULT_RESERVED_METADATA))
-                .put(KibanaUser.ROLE_NAME, new RoleDescriptor(KibanaUser.ROLE_NAME, new String[] { "monitor", MonitoringBulkAction.NAME},
+                .put(KibanaUser.ROLE_NAME, new RoleDescriptor(KibanaUser.ROLE_NAME,
+                        new String[] { "monitor", "manage_index_templates", MonitoringBulkAction.NAME },
                         new RoleDescriptor.IndicesPrivileges[] {
                             RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*", ".reporting-*").privileges("all").build(),
                             RoleDescriptor.IndicesPrivileges.builder()

plugin/src/test/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStoreTests.java

@@ -151,7 +151,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
                 is(false));
     }
 
-    public void testKibanaRole() {
+    public void testKibanaSystemRole() {
         RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("kibana_system");
         assertNotNull(roleDescriptor);
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
@@ -160,7 +160,8 @@ public class ReservedRolesStoreTests extends ESTestCase {
         assertThat(kibanaRole.cluster().check(ClusterHealthAction.NAME), is(true));
         assertThat(kibanaRole.cluster().check(ClusterStateAction.NAME), is(true));
         assertThat(kibanaRole.cluster().check(ClusterStatsAction.NAME), is(true));
-        assertThat(kibanaRole.cluster().check(PutIndexTemplateAction.NAME), is(false));
+        assertThat(kibanaRole.cluster().check(PutIndexTemplateAction.NAME), is(true));
+        assertThat(kibanaRole.cluster().check(GetIndexTemplatesAction.NAME), is(true));
         assertThat(kibanaRole.cluster().check(ClusterRerouteAction.NAME), is(false));
         assertThat(kibanaRole.cluster().check(ClusterUpdateSettingsAction.NAME), is(false));
         assertThat(kibanaRole.cluster().check(MonitoringBulkAction.NAME), is(true));