Allow reserved privileges to coexist with other privileges (#98530)

x-pack/plugins/security/common/constants.ts

@@ -17,6 +17,12 @@ export const UNKNOWN_SPACE = '?';
 
 export const GLOBAL_RESOURCE = '*';
 export const APPLICATION_PREFIX = 'kibana-';
+
+/**
+ * Reserved application privileges are always assigned to this "wildcard" application.
+ * This allows them to be applied to any Kibana "tenant" (`kibana.index`). Since reserved privileges are always assigned to reserved (built-in) roles,
+ * it's not possible to know the tenant ahead of time.
+ */
 export const RESERVED_PRIVILEGES_APPLICATION_WILDCARD = 'kibana-*';
 
 /**

x-pack/plugins/security/public/management/roles/edit_role/privileges/kibana/space_aware_privilege_section/privilege_space_table.test.tsx

@@ -742,6 +742,21 @@ describe('global base read', () => {
   });
 });
 
+describe('global and reserved', () => {
+  it('base all, reserved_foo', () => {
+    const props = buildProps([
+      { spaces: ['*'], base: ['all'], feature: {} },
+      { spaces: ['*'], base: [], feature: {}, _reserved: ['foo'] },
+    ]);
+    const component = mountWithIntl(<PrivilegeSpaceTable {...props} />);
+    const actualTable = getTableFromComponent(component);
+    expect(actualTable).toEqual([
+      { spaces: ['*'], privileges: { summary: 'Foo', overridden: false } },
+      { spaces: ['*'], privileges: { summary: 'All', overridden: false } },
+    ]);
+  });
+});
+
 describe('global normal feature privilege all', () => {
   describe('default and marketing space', () => {
     it('base all', () => {

x-pack/plugins/security/server/routes/authorization/roles/get.test.ts

@@ -285,7 +285,7 @@ describe('GET role', () => {
               indices: [],
               applications: [
                 {
-                  application,
+                  application: reservedPrivilegesApplicationWildcard,
                   privileges: ['reserved_customApplication1', 'reserved_customApplication2'],
                   resources: ['*'],
                 },

x-pack/plugins/security/server/routes/authorization/roles/get_all.test.ts

@@ -283,7 +283,7 @@ describe('GET all roles', () => {
               indices: [],
               applications: [
                 {
-                  application,
+                  application: reservedPrivilegesApplicationWildcard,
                   privileges: ['reserved_customApplication1', 'reserved_customApplication2'],
                   resources: ['*'],
                 },
@@ -1030,7 +1030,7 @@ describe('GET all roles', () => {
     );
 
     getRolesTest(
-      `reserved privilege assigned with a feature privilege returns empty kibana section with _transform_error set to ['kibana']`,
+      `reserved privilege assigned with a feature privilege returns populated kibana section`,
       {
         apiResponse: async () => ({
           first_role: {
@@ -1039,7 +1039,12 @@ describe('GET all roles', () => {
             applications: [
               {
                 application,
-                privileges: ['reserved_foo', 'feature_foo.foo-privilege-1'],
+                privileges: ['feature_foo.foo-privilege-1'],
+                resources: ['*'],
+              },
+              {
+                application: reservedPrivilegesApplicationWildcard,
+                privileges: ['reserved_foo'],
                 resources: ['*'],
               },
             ],
@@ -1068,8 +1073,22 @@ describe('GET all roles', () => {
                 indices: [],
                 run_as: [],
               },
-              kibana: [],
-              _transform_error: ['kibana'],
+              kibana: [
+                {
+                  base: [],
+                  feature: {
+                    foo: ['foo-privilege-1'],
+                  },
+                  spaces: ['*'],
+                },
+                {
+                  base: [],
+                  feature: {},
+                  _reserved: ['foo'],
+                  spaces: ['*'],
+                },
+              ],
+              _transform_error: [],
               _unrecognized_applications: [],
             },
           ],

x-pack/plugins/security/server/routes/authorization/roles/model/elasticsearch_role.ts

@@ -83,6 +83,21 @@ function transformRoleApplicationsToKibanaPrivileges(
     };
   }
 
+  // if there is a reserved privilege assigned to an application other than the reserved privileges application wildcard, we won't transform these.
+  if (
+    roleKibanaApplications.some(
+      (entry) =>
+        entry.application !== RESERVED_PRIVILEGES_APPLICATION_WILDCARD &&
+        entry.privileges.some((privilege) =>
+          PrivilegeSerializer.isSerializedReservedPrivilege(privilege)
+        )
+    )
+  ) {
+    return {
+      success: false,
+    };
+  }
+
   // if space privilege assigned globally, we can't transform these
   if (
     roleKibanaApplications.some(
@@ -115,23 +130,6 @@ function transformRoleApplicationsToKibanaPrivileges(
     };
   }
 
-  // if reserved privilege assigned with feature or base privileges, we won't transform these
-  if (
-    roleKibanaApplications.some(
-      (entry) =>
-        entry.privileges.some((privilege) =>
-          PrivilegeSerializer.isSerializedReservedPrivilege(privilege)
-        ) &&
-        entry.privileges.some(
-          (privilege) => !PrivilegeSerializer.isSerializedReservedPrivilege(privilege)
-        )
-    )
-  ) {
-    return {
-      success: false,
-    };
-  }
-
   // if base privilege assigned with feature privileges, we won't transform these
   if (
     roleKibanaApplications.some(
@@ -163,7 +161,10 @@ function transformRoleApplicationsToKibanaPrivileges(
     };
   }
 
-  const allResources = roleKibanaApplications.map((entry) => entry.resources).flat();
+  const allResources = roleKibanaApplications
+    .filter((entry) => entry.application !== RESERVED_PRIVILEGES_APPLICATION_WILDCARD)
+    .flatMap((entry) => entry.resources);
+
   // if we have improperly formatted resource entries, we can't transform these
   if (
     allResources.some(