Grant necessary Kibana application privileges to reporting_user role

[slobodanadamovic]

Previously, Kibana was authorizing (and granting application privileges) to create reports, simply based on the reporting_user role name. This PR makes these application privileges explicitly granted to the reporting_user role.

[elasticsearchmachine]

Hi @slobodanadamovic, I've created a changelog YAML for you.

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[slobodanadamovic]

These are only test examples of allowed actions and are not ment to represent the accurate list of actions.

[jfreden]

Since we're adding this I assume this is no longer considered a deprecated role, so I think this can be removed?

[jfreden]

Looks like the description might be outdated? Since we're doing this we might want to update it.

[slobodanadamovic]

Since we're adding this I assume this is no longer considered a deprecated role, so I think this can be removed?

Good question!

@tsullivan Can correct me, but my understanding is that we still want to keep it deprecated, just to make sure it grants necessary application privileges. The preferred way should still be to create a custom role with the least app privileges.

Edit: I just saw this PR, which confirms that we should remove the deprecation warning (but would be nice to confirm):

assign the built-in reporting_user role the necessary Kibana application privileges, and make the role not marked as deprecated.

[tsullivan]

I confirm that the Kibana team requests that we do remove the deprecated status of this role.

Removing the deprecated status will stop warning messages from being logged, which are not useful or meaningful to users.

Thank you very much!

[tsullivan]

BTW

The preferred way should still be to create a custom role with the least app privileges.

I think this is accurate, as granting the least app privileges should be recommended. Also worth mentioning, the documentation page linked here is in need of some updates for 8.x. It should offer more clarity about what the xpack.reporting.roles.enabled setting actually does.

[slobodanadamovic]

Pushed cbd0742 and 4217052, which remove deprecation warning and update docs and description of reporting_user role. Let me know if the updated description makes sense.

[slobodanadamovic]

Looks like the description might be outdated? Since we're doing this we might want to update it.

Nice catch! Totally, we should update it.

[jfreden]

👍 LGTM!

[tsullivan]

Request changes in the built-in documentation, because the reporting_user role does not grant direct access to the reporting indices

[tsullivan]

Suggested change

	to the reporting indices, with each user having access only to their own reports.
	to all Kibana reporting features, with each user having access only to their own reports.

[tsullivan]

Suggested change

	+ "including generating and downloading reports. This role implicitly grants access to the reporting indices, "
	+ "including generating and downloading reports. This role implicitly grants access to all Kibana reporting features, "