## Summary

Adds necessary permissions to write to the `agentless-*` index. See:
- Elasticsearch PR: elastic/elasticsearch#118644
- Context: elastic/security-team#11104

As part of elastic/security-team#11104, we
need to write integration data that needs to be persistent. The
implementation we are working on, uses Elasticsearch as the storage
mechanism for this data.

Normally, integrations write to data streams instead of normal ES
indices. However, data streams cannot provide a generic implementation
for our use case and thus we need a normal ES index.

This PR grants permissions from the fleet service account to the
agentless integrations to write to `agentless-*` ES indices.

In
`x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts`
there are other examples of other integrations that need ES index
permissions so there is prior art in doing this. The difference with
this PR however, is that we need to conditionally merge the extra
`agentless-*` permissions with any potential existing data stream
permissions since we are dealing with arbitrary agentless integrations.

# Backport

This will backport the following commits from `main` to `8.x`:
- [Conditionally add agentless index permissions
(#203810)](#203810)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Orestis
Floros","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-07T12:34:54Z","message":"Conditionally
add agentless index permissions (#203810)\n\n## Summary\n\nAdds
necessary permissions to write to the `agentless-*` index. See:\n-
Elasticsearch PR:
https://github.com/elastic/elasticsearch/pull/118644\n- Context:
https://github.com/elastic/security-team/issues/11104\n\nAs part of
elastic/security-team#11104, we\nneed to write
integration data that needs to be persistent. The\nimplementation we are
working on, uses Elasticsearch as the storage\nmechanism for this
data.\n\nNormally, integrations write to data streams instead of normal
ES\nindices. However, data streams cannot provide a generic
implementation\nfor our use case and thus we need a normal ES
index.\n\nThis PR grants permissions from the fleet service account to
the\nagentless integrations to write to `agentless-*` ES
indices.\n\nIn\n`x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts`\nthere
are other examples of other integrations that need ES index\npermissions
so there is prior art in doing this. The difference with\nthis PR
however, is that we need to conditionally merge the extra\n`agentless-*`
permissions with any potential existing data stream\npermissions since
we are dealing with arbitrary agentless
integrations.","sha":"d0166b6730e8cf712aa0f7fc3a38f00fa7693396","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","Team:Cloud
Security","backport:prev-minor","ci:build-serverless-image","v8.18.0"],"number":203810,"url":"https://github.com/elastic/kibana/pull/203810","mergeCommit":{"message":"Conditionally
add agentless index permissions (#203810)\n\n## Summary\n\nAdds
necessary permissions to write to the `agentless-*` index. See:\n-
Elasticsearch PR:
https://github.com/elastic/elasticsearch/pull/118644\n- Context:
https://github.com/elastic/security-team/issues/11104\n\nAs part of
elastic/security-team#11104, we\nneed to write
integration data that needs to be persistent. The\nimplementation we are
working on, uses Elasticsearch as the storage\nmechanism for this
data.\n\nNormally, integrations write to data streams instead of normal
ES\nindices. However, data streams cannot provide a generic
implementation\nfor our use case and thus we need a normal ES
index.\n\nThis PR grants permissions from the fleet service account to
the\nagentless integrations to write to `agentless-*` ES
indices.\n\nIn\n`x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts`\nthere
are other examples of other integrations that need ES index\npermissions
so there is prior art in doing this. The difference with\nthis PR
however, is that we need to conditionally merge the extra\n`agentless-*`
permissions with any potential existing data stream\npermissions since
we are dealing with arbitrary agentless
integrations.","sha":"d0166b6730e8cf712aa0f7fc3a38f00fa7693396"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/203810","number":203810,"mergeCommit":{"message":"Conditionally
add agentless index permissions (#203810)\n\n## Summary\n\nAdds
necessary permissions to write to the `agentless-*` index. See:\n-
Elasticsearch PR:
https://github.com/elastic/elasticsearch/pull/118644\n- Context:
https://github.com/elastic/security-team/issues/11104\n\nAs part of
elastic/security-team#11104, we\nneed to write
integration data that needs to be persistent. The\nimplementation we are
working on, uses Elasticsearch as the storage\nmechanism for this
data.\n\nNormally, integrations write to data streams instead of normal
ES\nindices. However, data streams cannot provide a generic
implementation\nfor our use case and thus we need a normal ES
index.\n\nThis PR grants permissions from the fleet service account to
the\nagentless integrations to write to `agentless-*` ES
indices.\n\nIn\n`x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts`\nthere
are other examples of other integrations that need ES index\npermissions
so there is prior art in doing this. The difference with\nthis PR
however, is that we need to conditionally merge the extra\n`agentless-*`
permissions with any potential existing data stream\npermissions since
we are dealing with arbitrary agentless
integrations.","sha":"d0166b6730e8cf712aa0f7fc3a38f00fa7693396"}},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Closes elastic/security-team#11102
Closes elastic/security-team#11104

This allows agentless integrations (via elastic/beats#41446, elastic/kibana#203810) to write to agentless-* indices. Each index is created on-demand by the filebeat client and kibana conditionally extends the API key permissions to allow writing to the index.

)

Closes elastic/security-team#11102
Closes elastic/security-team#11104

This allows agentless integrations (via elastic/beats#41446, elastic/kibana#203810) to write to agentless-* indices. Each index is created on-demand by the filebeat client and kibana conditionally extends the API key permissions to allow writing to the index.

(cherry picked from commit 3c184b9)

# Conflicts:
#	docs/reference/rest-api/security/get-service-accounts.asciidoc
#	x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java
#	x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java

## Summary

Adds necessary permissions to write to the `agentless-*` index. See:
- Elasticsearch PR: elastic/elasticsearch#118644
- Context: elastic/security-team#11104

As part of elastic/security-team#11104, we
need to write integration data that needs to be persistent. The
implementation we are working on, uses Elasticsearch as the storage
mechanism for this data.

Normally, integrations write to data streams instead of normal ES
indices. However, data streams cannot provide a generic implementation
for our use case and thus we need a normal ES index.

This PR grants permissions from the fleet service account to the
agentless integrations to write to `agentless-*` ES indices.

In
`x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts`
there are other examples of other integrations that need ES index
permissions so there is prior art in doing this. The difference with
this PR however, is that we need to conditionally merge the extra
`agentless-*` permissions with any potential existing data stream
permissions since we are dealing with arbitrary agentless integrations.

…119973)

Closes elastic/security-team#11102
Closes elastic/security-team#11104

This allows agentless integrations (via elastic/beats#41446, elastic/kibana#203810) to write to agentless-* indices. Each index is created on-demand by the filebeat client and kibana conditionally extends the API key permissions to allow writing to the index.

(cherry picked from commit 3c184b9)

# Conflicts:
#	docs/reference/rest-api/security/get-service-accounts.asciidoc
#	x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java
#	x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java