Restrict Connector APIs to manage/monitor_connector privileges

docs/changelog/119863.yaml

@@ -0,0 +1,11 @@
+pr: 119863
+summary: Restrict Connector APIs to manage/monitor_connector privileges
+area: Extract&Transform
+type: breaking
+issues: []
+breaking:
+ title: Restrict Connector APIs to manage/monitor_connector privileges
+ area: REST API
+ details: Connector APIs now enforce the manage_connector and monitor_connector privileges (introduced in 8.15), replacing the previous reliance on index-level permissions for .elastic-connectors and .elastic-connectors-sync-jobs in API calls.
+ impact: Connector APIs now require manage_connector and monitor_connector privileges
+ notable: false

x-pack/plugin/ent-search/qa/rest/roles.yml

@@ -4,13 +4,12 @@ admin:
  - manage_behavioral_analytics
  - manage
  - monitor
+ - manage_connector
  indices:
  - names: [
  # indices and search applications
  "test-*",
  "another-test-search-application",
- ".elastic-connectors-v1",
- ".elastic-connectors-sync-jobs-v1"
  ]
  privileges: [ "manage", "write", "read" ]
 
@@ -20,16 +19,15 @@ user:
  - manage_api_key
  - read_connector_secrets
  - write_connector_secrets
+ - monitor_connector
  indices:
  - names: [
  "test-index1",
  "test-search-application",
  "test-search-application-1",
  "test-search-application-with-aggs",
  "test-search-application-with-list",
- "test-search-application-with-list-invalid",
- ".elastic-connectors-v1",
- ".elastic-connectors-sync-jobs-v1"
+ "test-search-application-with-list-invalid"
  ]
  privileges: [ "read" ]
 

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/ConnectorActionRequest.java

@@ -9,23 +9,19 @@
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
-import org.elasticsearch.action.IndicesRequest;
-import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.cluster.metadata.MetadataCreateIndexService;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.indices.InvalidIndexNameException;
-import org.elasticsearch.xpack.application.connector.ConnectorTemplateRegistry;
 
 import java.io.IOException;
 
 import static org.elasticsearch.action.ValidateActions.addValidationError;
 import static org.elasticsearch.xpack.application.connector.ConnectorTemplateRegistry.MANAGED_CONNECTOR_INDEX_PREFIX;
 
 /**
- * Abstract base class for action requests targeting the connectors index. Implements {@link org.elasticsearch.action.IndicesRequest}
- * to ensure index-level privilege support. This class defines the connectors index as the target for all derived action requests.
+ * Abstract base class for action requests targeting the connectors index.
  */
-public abstract class ConnectorActionRequest extends ActionRequest implements IndicesRequest {
+public abstract class ConnectorActionRequest extends ActionRequest {
 
  public ConnectorActionRequest() {
  super();
@@ -78,14 +74,4 @@ public ActionRequestValidationException validateManagedConnectorIndexPrefix(
  }
  return validationException;
  }
-
- @Override
- public String[] indices() {
- return new String[] { ConnectorTemplateRegistry.CONNECTOR_INDEX_NAME_PATTERN };
- }
-
- @Override
- public IndicesOptions indicesOptions() {
- return IndicesOptions.lenientExpandHidden();
- }
 }

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/DeleteConnectorAction.java

@@ -18,7 +18,6 @@
 import org.elasticsearch.xcontent.ToXContentObject;
 import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xcontent.XContentParser;
-import org.elasticsearch.xpack.application.connector.ConnectorTemplateRegistry;
 
 import java.io.IOException;
 import java.util.Objects;
@@ -28,7 +27,7 @@
 
 public class DeleteConnectorAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/delete";
+ public static final String NAME = "cluster:admin/xpack/connector/delete";
  public static final ActionType<AcknowledgedResponse> INSTANCE = new ActionType<>(NAME);
 
  private DeleteConnectorAction() {/* no instances */}
@@ -71,14 +70,6 @@ public boolean shouldDeleteSyncJobs() {
  return deleteSyncJobs;
  }
 
- @Override
- public String[] indices() {
- // When deleting a connector, corresponding sync jobs can also be deleted
- return new String[] {
- ConnectorTemplateRegistry.CONNECTOR_SYNC_JOBS_INDEX_NAME_PATTERN,
- ConnectorTemplateRegistry.CONNECTOR_INDEX_NAME_PATTERN };
- }
-
  @Override
  public void writeTo(StreamOutput out) throws IOException {
  super.writeTo(out);

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/GetConnectorAction.java

@@ -30,7 +30,7 @@
 
 public class GetConnectorAction {
 
- public static final String NAME = "indices:data/read/xpack/connector/get";
+ public static final String NAME = "cluster:admin/xpack/connector/get";
  public static final ActionType<GetConnectorAction.Response> INSTANCE = new ActionType<>(NAME);
 
  private GetConnectorAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/ListConnectorAction.java

@@ -35,7 +35,7 @@
 
 public class ListConnectorAction {
 
- public static final String NAME = "indices:data/read/xpack/connector/list";
+ public static final String NAME = "cluster:admin/xpack/connector/list";
  public static final ActionType<ListConnectorAction.Response> INSTANCE = new ActionType<>(NAME);
 
  private ListConnectorAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/PostConnectorAction.java

@@ -25,7 +25,7 @@
 
 public class PostConnectorAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/post";
+ public static final String NAME = "cluster:admin/xpack/connector/post";
  public static final ActionType<ConnectorCreateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private PostConnectorAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/PutConnectorAction.java

@@ -9,7 +9,6 @@
 
 import org.elasticsearch.action.ActionRequestValidationException;
 import org.elasticsearch.action.ActionType;
-import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
@@ -27,12 +26,12 @@
 
 public class PutConnectorAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/put";
+ public static final String NAME = "cluster:admin/xpack/connector/put";
  public static final ActionType<ConnectorCreateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private PutConnectorAction() {/* no instances */}
 
- public static class Request extends ConnectorActionRequest implements IndicesRequest, ToXContentObject {
+ public static class Request extends ConnectorActionRequest implements ToXContentObject {
 
  @Nullable
  private final String connectorId;

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorActiveFilteringAction.java

@@ -22,7 +22,7 @@
 
 public class UpdateConnectorActiveFilteringAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_filtering/activate";
+ public static final String NAME = "cluster:admin/xpack/connector/update_filtering/activate";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorActiveFilteringAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorApiKeyIdAction.java

@@ -27,7 +27,7 @@
 
 public class UpdateConnectorApiKeyIdAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_api_key_id";
+ public static final String NAME = "cluster:admin/xpack/connector/update_api_key_id";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorApiKeyIdAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorConfigurationAction.java

@@ -32,7 +32,7 @@
 
 public class UpdateConnectorConfigurationAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_configuration";
+ public static final String NAME = "cluster:admin/xpack/connector/update_configuration";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorConfigurationAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorErrorAction.java

@@ -27,7 +27,7 @@
 
 public class UpdateConnectorErrorAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_error";
+ public static final String NAME = "cluster:admin/xpack/connector/update_error";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorErrorAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorFeaturesAction.java

@@ -27,7 +27,7 @@
 
 public class UpdateConnectorFeaturesAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_features";
+ public static final String NAME = "cluster:admin/xpack/connector/update_features";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorFeaturesAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorFilteringAction.java

@@ -32,7 +32,7 @@
 
 public class UpdateConnectorFilteringAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_filtering";
+ public static final String NAME = "cluster:admin/xpack/connector/update_filtering";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorFilteringAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorFilteringValidationAction.java

@@ -27,7 +27,7 @@
 
 public class UpdateConnectorFilteringValidationAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_filtering/draft_validation";
+ public static final String NAME = "cluster:admin/xpack/connector/update_filtering/draft_validation";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorFilteringValidationAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorIndexNameAction.java

@@ -27,7 +27,7 @@
 
 public class UpdateConnectorIndexNameAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_index_name";
+ public static final String NAME = "cluster:admin/xpack/connector/update_index_name";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorIndexNameAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorLastSeenAction.java

@@ -23,7 +23,7 @@
 
 public class UpdateConnectorLastSeenAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_last_seen";
+ public static final String NAME = "cluster:admin/xpack/connector/update_last_seen";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorLastSeenAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorLastSyncStatsAction.java

@@ -32,7 +32,7 @@
 
 public class UpdateConnectorLastSyncStatsAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_last_sync_stats";
+ public static final String NAME = "cluster:admin/xpack/connector/update_last_sync_stats";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorLastSyncStatsAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorNameAction.java

@@ -27,7 +27,7 @@
 
 public class UpdateConnectorNameAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_name";
+ public static final String NAME = "cluster:admin/xpack/connector/update_name";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorNameAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorNativeAction.java

@@ -26,7 +26,7 @@
 
 public class UpdateConnectorNativeAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_native";
+ public static final String NAME = "cluster:admin/xpack/connector/update_native";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorNativeAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorPipelineAction.java

@@ -27,7 +27,7 @@
 
 public class UpdateConnectorPipelineAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_pipeline";
+ public static final String NAME = "cluster:admin/xpack/connector/update_pipeline";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorPipelineAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorSchedulingAction.java

@@ -32,7 +32,7 @@
 
 public class UpdateConnectorSchedulingAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_scheduling";
+ public static final String NAME = "cluster:admin/xpack/connector/update_scheduling";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorSchedulingAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorServiceTypeAction.java

@@ -26,7 +26,7 @@
 
 public class UpdateConnectorServiceTypeAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_service_type";
+ public static final String NAME = "cluster:admin/xpack/connector/update_service_type";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  private UpdateConnectorServiceTypeAction() {/* no instances */}

x-pack/plugin/ent-search/src/main/java/org/elasticsearch/xpack/application/connector/action/UpdateConnectorStatusAction.java

@@ -28,7 +28,7 @@
 
 public class UpdateConnectorStatusAction {
 
- public static final String NAME = "indices:data/write/xpack/connector/update_status";
+ public static final String NAME = "cluster:admin/xpack/connector/update_status";
  public static final ActionType<ConnectorUpdateActionResponse> INSTANCE = new ActionType<>(NAME);
 
  public UpdateConnectorStatusAction() {/* no instances */}