[Fleet] Custom permissions for connector package (#192081)

## Summary

Defines custom permissions for connector package. 

Note: Wait with merging until
elastic/elasticsearch#112556 is merged


### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

+ tested e2e with local ES, fleet server and connectors package

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Sean Story <sean.j.story@gmail.com>
Co-authored-by: Artem Shelkovnikov <lavatroublebubble@gmail.com>
Co-authored-by: Artem Shelkovnikov <artem.shelkovnikov@elastic.co>

x-pack/plugins/fleet/common/constants/epm.ts

@@ -27,6 +27,7 @@ export const FLEET_CLOUD_SECURITY_POSTURE_CSPM_POLICY_TEMPLATE = 'cspm';
 export const FLEET_CLOUD_SECURITY_POSTURE_CNVM_POLICY_TEMPLATE = 'vuln_mgmt';
 export const FLEET_CLOUD_DEFEND_PACKAGE = 'cloud_defend';
 export const FLEET_CLOUD_BEAT_PACKAGE = 'cloudbeat';
+export const FLEET_CONNECTORS_PACKAGE = 'elastic_connectors';
 
 export const GLOBAL_DATA_TAG_EXCLUDED_INPUTS = new Set<string>([
   FLEET_APM_PACKAGE,

x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.test.ts

@@ -11,6 +11,7 @@ import type { PackagePolicy, RegistryDataStream } from '../../types';
 
 import type { DataStreamMeta } from './package_policies_to_agent_permissions';
 import {
+  ELASTIC_CONNECTORS_INDEX_PERMISSIONS,
   getDataStreamPrivileges,
   storedPackagePoliciesToAgentPermissions,
   UNIVERSAL_PROFILING_PERMISSIONS,
@@ -281,6 +282,48 @@ packageInfoCache.set('apm-8.9.0-preview', {
   },
 });
 
+packageInfoCache.set('elastic_connectors-1.0.0', {
+  format_version: '2.7.0',
+  name: 'elastic_connectors',
+  title: 'Elastic Connectors',
+  version: '1.0.0',
+  license: 'basic',
+  description: 'Sync data from source to the Elasticsearch index.',
+  type: 'integration',
+  release: 'beta',
+  categories: ['connector'],
+  icons: [],
+  owner: { github: 'elastic/ingestion-team' },
+  data_streams: [],
+  latestVersion: '1.0.0',
+  status: 'not_installed',
+  assets: {
+    kibana: {
+      csp_rule_template: [],
+      dashboard: [],
+      visualization: [],
+      search: [],
+      index_pattern: [],
+      map: [],
+      lens: [],
+      security_rule: [],
+      ml_module: [],
+      tag: [],
+      osquery_pack_asset: [],
+      osquery_saved_query: [],
+    },
+    elasticsearch: {
+      component_template: [],
+      ingest_pipeline: [],
+      ilm_policy: [],
+      transform: [],
+      index_template: [],
+      data_stream_ilm_policy: [],
+      ml_model: [],
+    },
+  },
+});
+
 describe('storedPackagePoliciesToAgentPermissions()', () => {
   it('Returns `undefined` if there are no package policies', async () => {
     const permissions = await storedPackagePoliciesToAgentPermissions(packageInfoCache, 'test', []);
@@ -761,3 +804,51 @@ describe('getDataStreamPrivileges()', () => {
     });
   });
 });
+
+it('Returns the Elastic Connectors permissions for elastic_connectors package', async () => {
+  const packagePolicies: PackagePolicy[] = [
+    {
+      id: 'package-policy-uuid-test-123',
+      name: 'test-policy',
+      namespace: '',
+      enabled: true,
+      package: { name: 'elastic_connectors', version: '1.0.0', title: 'Elastic Connectors' },
+      inputs: [
+        {
+          type: 'connectors-py',
+          enabled: true,
+          streams: [],
+        },
+      ],
+      created_at: '',
+      updated_at: '',
+      created_by: '',
+      updated_by: '',
+      revision: 1,
+      policy_id: '',
+      policy_ids: [''],
+    },
+  ];
+
+  const permissions = await storedPackagePoliciesToAgentPermissions(
+    packageInfoCache,
+    'test',
+    packagePolicies
+  );
+
+  expect(permissions).toMatchObject({
+    'package-policy-uuid-test-123': {
+      cluster: ['manage_connector'],
+      indices: [
+        {
+          names: ['.elastic-connectors*'],
+          privileges: ELASTIC_CONNECTORS_INDEX_PERMISSIONS,
+        },
+        {
+          names: ['content-*', '.search-acl-filter-*'],
+          privileges: ELASTIC_CONNECTORS_INDEX_PERMISSIONS,
+        },
+      ],
+    },
+  });
+});

x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts

@@ -12,6 +12,7 @@ import type {
 
 import {
   FLEET_APM_PACKAGE,
+  FLEET_CONNECTORS_PACKAGE,
   FLEET_UNIVERSAL_PROFILING_COLLECTOR_PACKAGE,
   FLEET_UNIVERSAL_PROFILING_SYMBOLIZER_PACKAGE,
 } from '../../../common/constants';
@@ -41,6 +42,15 @@ export const UNIVERSAL_PROFILING_PERMISSIONS = [
   'view_index_metadata',
 ];
 
+export const ELASTIC_CONNECTORS_INDEX_PERMISSIONS = [
+  'read',
+  'write',
+  'monitor',
+  'create_index',
+  'auto_configure',
+  'maintenance',
+];
+
 export function storedPackagePoliciesToAgentPermissions(
   packageInfoCache: Map<string, PackageInfo>,
   agentPolicyNamespace: string,
@@ -79,6 +89,10 @@ export function storedPackagePoliciesToAgentPermissions(
       return apmPermissions(packagePolicy.id);
     }
 
+    if (pkg.name === FLEET_CONNECTORS_PACKAGE) {
+      return connectorServicePermissions(packagePolicy.id);
+    }
+
     const dataStreams = getNormalizedDataStreams(pkg);
     if (!dataStreams || dataStreams.length === 0) {
       return [packagePolicy.name, undefined];
@@ -247,3 +261,22 @@ function apmPermissions(packagePolicyId: string): [string, SecurityRoleDescripto
     },
   ];
 }
+
+function connectorServicePermissions(packagePolicyId: string): [string, SecurityRoleDescriptor] {
+  return [
+    packagePolicyId,
+    {
+      cluster: ['manage_connector'],
+      indices: [
+        {
+          names: ['.elastic-connectors*'],
+          privileges: ELASTIC_CONNECTORS_INDEX_PERMISSIONS,
+        },
+        {
+          names: ['content-*', '.search-acl-filter-*'],
+          privileges: ELASTIC_CONNECTORS_INDEX_PERMISSIONS,
+        },
+      ],
+    },
+  ];
+}