[Monitoring] Add new cluster privilege now necessary for the stack monitoring ui

[chrisronline]

Resolves elastic/kibana#47859

We added a new call in the Stack Monitoring UI that requires this cluster privilege.

To test, create a user with the minimum permissions (roles=[kibana_user, monitoring_user]) and ensure you can access the Stack Monitoring UI in Kibana

[elasticmachine]

Pinging @elastic/es-core-features (:Core/Features/Monitoring)

[pickypg]

For anyone that runs into this issue, there is a workaround for those running 7.4.0 in the short term by creating a temporary, custom role:

PUT /_security/role/fix_monitoring_user
{
  "cluster": [
    "cluster:monitor/remote/info"
  ]
}

then adding it to your monitoring user (the key is the extra role):

PUT /_security/user/my_monitoring_user
{
  "username": "my_monitoring_user",
  "roles": [
    "kibana_user",
    "monitoring_user",
    "fix_monitoring_user"
  ],
  "enabled": true,
  "full_name": "My Monitoring User",
  "email": "my-user@company.test"
}

Note: this implies a user update, since there's no password.

[cachedout]

Based on my recent experience in opening a PR against these files, I think this may need to be reviewed by @elastic/es-security

[igoristic]

Works as expected 🥇

[pickypg]

This needs to update tests in

https://github.com/elastic/elasticsearch/blob/master/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java#L433, which conveniently will provide a chance to use @igoristic's recommendation in the test.

[pickypg]

LGTM.

I'm not sure how the ES team feels about mixing the constants with the static references, so I'll leave that for them to make a final ruling on.

[chrisronline]

There is precedent for doing this right now

EDIT: updated link

[chrisronline]

Backport:

7.4: 1571527
7.x: c57191b