From 157371b13bd9acb40fbd44f4a60c57e1301c1ca8 Mon Sep 17 00:00:00 2001
From: Oliver Gupte
Date: Mon, 16 Sep 2019 16:13:45 -0700
Subject: [PATCH 1/3] Give kibana user reserved role privileges on .apm-* to create APM agent configuration index.

---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 3 +++
 .../core/security/authz/store/ReservedRolesStoreTests.java | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index 209686033534b..a34d4a1e1244b 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -123,6 +123,9 @@ private static Map initializeReservedRoles() {
 // .code_internal-* is for Code's internal worker queue index creation.
 RoleDescriptor.IndicesPrivileges.builder()
 .indices(".code-*", ".code_internal-*").privileges("all").build(),
+// .apm-* is for APM's agent configuration index creation
+RoleDescriptor.IndicesPrivileges.builder()
+.indices(".apm-*").privileges("all").build(),
 },
 null,
 new ConfigurableClusterPrivilege[] { new ManageApplicationPrivileges(Collections.singleton("kibana-*")) },
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 3b954b06c269f..7b50970620e5d 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -420,6 +420,8 @@ public void testKibanaUserRole() {
 "*"), is(false));
 
 assertNoAccessAllowed(kibanaUserRole, RestrictedIndicesNames.RESTRICTED_NAMES);
+
+assertThat(kibanaUserRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".apm-agent-configuration"), is(true));
 }
 
 public void testMonitoringUserRole() {

From c690ae8df11a8fc8d069a0e13a57b7673e462280 Mon Sep 17 00:00:00 2001
From: Oliver Gupte
Date: Mon, 16 Sep 2019 17:27:27 -0700
Subject: [PATCH 2/3] fixed test to include checking all .apm-* permissions

---
 .../security/authz/store/ReservedRolesStoreTests.java | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 7b50970620e5d..bc3456ce758e8 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -334,7 +334,12 @@ public void testKibanaSystemRole() {
 assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false));
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)), is(false));
 
-Arrays.asList(".kibana", ".kibana-devnull", ".reporting-" + randomAlphaOfLength(randomIntBetween(0, 13))).forEach((index) -> {
+Arrays.asList(
+".kibana",
+".kibana-devnull",
+".reporting-" + randomAlphaOfLength(randomIntBetween(0, 13)),
+".apm-" + randomAlphaOfLength(randomIntBetween(0, 13))
+).forEach((index) -> {
 logger.info("index name [{}]", index);
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(index), is(true));
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(index), is(true));
@@ -420,8 +425,6 @@ public void testKibanaUserRole() {
 "*"), is(false));
 
 assertNoAccessAllowed(kibanaUserRole, RestrictedIndicesNames.RESTRICTED_NAMES);
-
-assertThat(kibanaUserRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".apm-agent-configuration"), is(true));
 }
 
 public void testMonitoringUserRole() {

From 4f5fed133acbb9f116580186ee382818e74e0e82 Mon Sep 17 00:00:00 2001
From: Oliver Gupte
Date: Tue, 17 Sep 2019 09:50:15 -0700
Subject: [PATCH 3/3] changed pattern from ".apm-*" to the more specific ".apm-agent-configuration"

---
 .../xpack/core/security/authz/store/ReservedRolesStore.java | 2 +-
 .../core/security/authz/store/ReservedRolesStoreTests.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
index a34d4a1e1244b..fcd0c24606e49 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -125,7 +125,7 @@ private static Map initializeReservedRoles() {
 .indices(".code-*", ".code_internal-*").privileges("all").build(),
 // .apm-* is for APM's agent configuration index creation
 RoleDescriptor.IndicesPrivileges.builder()
-.indices(".apm-*").privileges("all").build(),
+.indices(".apm-agent-configuration").privileges("all").build(),
 },
 null,
 new ConfigurableClusterPrivilege[] { new ManageApplicationPrivileges(Collections.singleton("kibana-*")) },
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index bc3456ce758e8..f1e7f1a9bfe42 100644
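Review bot: The comment two context lines above the changed `.indices(...)` call still says `// .apm-* is for APM's agent configuration index creation` even though the grant is now the single index `.apm-agent-configuration`; a reader auditing this reserved role will take the comment as the scope, so change it to `// .apm-agent-configuration is for APM's agent configuration index creation`. It would also help to say in that comment why `all` is required rather than a narrower set such as `create_index`, `read` and `write`, since `all` on the index additionally covers management operations like deletion and settings changes, and the subject of patch 1 only mentions creating the index. Judging from the `ManageApplicationPrivileges(Collections.singleton("kibana-*"))` context line this descriptor is presumably the kibana_system role, which is consistent with the test living in testKibanaSystemRole. The enclosing `initializeReservedRoles()` method starts and ends outside the hunk.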
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -338,7 +338,7 @@ public void testKibanaSystemRole() {
 ".kibana",
 ".kibana-devnull",
 ".reporting-" + randomAlphaOfLength(randomIntBetween(0, 13)),
-".apm-" + randomAlphaOfLength(randomIntBetween(0, 13))
+".apm-agent-configuration"
 ).forEach((index) -> {
 logger.info("index name [{}]", index);
 assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(index), is(true));
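Review bot: After narrowing the grant to `.apm-agent-configuration`, this test now only asserts the positive case; nothing locks in that other `.apm-*` indices are no longer matched, which is the whole point of this patch, so a later widening of the pattern would pass the suite unnoticed. Add a negative assertion beside the existing `.reporting` one earlier in testKibanaSystemRole, e.g. `assertThat(kibanaRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".apm-" + randomAlphaOfLengthBetween(1, 13)), is(false));` — a random alphabetic suffix cannot equal `agent-configuration`, which contains a hyphen, so the check is stable. testKibanaSystemRole begins before and continues past this hunk.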