Elasticsearch Version
8.13.0 or higher.
Java Version
bundled
Problem Description
The Nodes reload secure settings API requires the manage cluster privilege.
In clusters running versions >=8.13.0, however, it fails to reload remote cluster credentials for the API key-based remote cluster security model, unless users have the all cluster privilege (or manage AND manage_security).
Any call made by a user with only manage results in the following error message:
"reason" : "action [cluster:admin/xpack/security/remote_cluster_credentials/reload] is unauthorized for user [<...>] with effective roles [<...>], this action is granted by the cluster privileges [manage_security,all]"
This error message is misleading since all secure settings, apart from remote cluster credentials, still reload successfully for users with only manage cluster privileges.
To reload remote cluster credentials, the workaround is to make the reload request as a user with the all cluster privilege (or manage AND manage_security).
Reloading other secure settings is still possible with only the manage cluster privilege, and the reported error can be ignored.
This is a regression introduced by: #103215
Steps to Reproduce
Create role and user with manage privilege:
PUT /_security/role/role
{
  "cluster": [
    "manage"
  ]
}
PUT /_security/user/user
{
  "password": "<...>",
  "roles": ["role"]
}
Call the reload settings API with that user:
POST /_nodes/reload_secure_settings
This will result in an error message with failure reason:
"reason" : "action [cluster:admin/xpack/security/remote_cluster_credentials/reload] is unauthorized for user [user] with effective roles [role], this action is granted by the cluster privileges [manage_security,all]"
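For operators who automate secure-settings reloads (for example during keystore rotation), the following helper tells this specific, benign-for-other-settings failure apart from a genuine reload failure. It is an added example, not Elasticsearch project code; it assumes each failing node reports its error under a reload_exception object with type and reason keys, and the sample response is constructed.

```python
import re

# Sub-action named in the misleading error quoted in the report.
REMOTE_CREDS_ACTION = "cluster:admin/xpack/security/remote_cluster_credentials/reload"
# Extracts the action name from an Elasticsearch authorization failure message.
_UNAUTHORIZED_RE = re.compile(r"action \[(?P<action>[^\]]+)\] is unauthorized for user")

def classify_node(node):
    """Return 'ok', 'remote_creds_privilege' (only remote cluster credentials were
    skipped; all other secure settings reloaded) or 'other_failure'."""
    exc = node.get("reload_exception")  # assumed per-node failure key
    if exc is None:
        return "ok"
    match = _UNAUTHORIZED_RE.search(exc.get("reason", ""))
    if match and match.group("action") == REMOTE_CREDS_ACTION:
        return "remote_creds_privilege"
    return "other_failure"

def summarize(response):
    """Map node name -> classification for every node in the response."""
    return {node.get("name", node_id): classify_node(node)
            for node_id, node in response.get("nodes", {}).items()}

def needs_privileged_retry(response):
    """True when a node skipped remote cluster credentials, so the reload must be
    repeated by a user holding all (or manage AND manage_security)."""
    return "remote_creds_privilege" in summarize(response).values()

# Constructed sample response: a healthy node, a node hitting the regression,
# and a node with an unrelated reload failure.
SAMPLE_RESPONSE = {
    "_nodes": {"total": 3, "successful": 3, "failed": 0},
    "cluster_name": "example-cluster",
    "nodes": {
        "n1": {"name": "node-1"},
        "n2": {"name": "node-2", "reload_exception": {
            "type": "security_exception",
            "reason": "action [cluster:admin/xpack/security/remote_cluster_credentials/reload] "
                      "is unauthorized for user [user] with effective roles [role], this action "
                      "is granted by the cluster privileges [manage_security,all]"}},
        "n3": {"name": "node-3", "reload_exception": {
            "type": "exception", "reason": "constructed unrelated failure"}},
    },
}

if __name__ == "__main__":
    for name, status in summarize(SAMPLE_RESPONSE).items():
        print(f"{name}: {status}")
    print("retry with all / manage_security:", needs_privileged_retry(SAMPLE_RESPONSE))
```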
Logs (if relevant)
No response