[Fleet] Custom permissions for connector package

x-pack/plugins/fleet/common/constants/epm.ts

@@ -26,6 +26,7 @@ export const FLEET_CLOUD_SECURITY_POSTURE_CSPM_POLICY_TEMPLATE = 'cspm';
 export const FLEET_CLOUD_SECURITY_POSTURE_CNVM_POLICY_TEMPLATE = 'vuln_mgmt';
 export const FLEET_CLOUD_DEFEND_PACKAGE = 'cloud_defend';
 export const FLEET_CLOUD_BEAT_PACKAGE = 'cloudbeat';
+export const FLEET_CONNECTORS_PACKAGE = 'elastic_connectors';
 
 export const GLOBAL_DATA_TAG_EXCLUDED_INPUTS = new Set<string>([
   FLEET_APM_PACKAGE,

x-pack/plugins/fleet/server/services/agent_policies/full_agent_policy.ts

@@ -239,6 +239,7 @@ export async function getFullAgentPolicy(
       agentPolicy.namespace,
       packagePolicies
     );
+    console.log(dataPermissions);
     dataPermissionsByOutputId[outputId] = {
       _elastic_agent_checks: {
         cluster: DEFAULT_CLUSTER_PERMISSIONS,

x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts

@@ -12,6 +12,7 @@ import type {
 
 import {
   FLEET_APM_PACKAGE,
+  FLEET_CONNECTORS_PACKAGE,
   FLEET_UNIVERSAL_PROFILING_COLLECTOR_PACKAGE,
   FLEET_UNIVERSAL_PROFILING_SYMBOLIZER_PACKAGE,
 } from '../../../common/constants';
@@ -41,6 +42,16 @@ export const UNIVERSAL_PROFILING_PERMISSIONS = [
   'view_index_metadata',
 ];
 
+export const CONNECTOR_SERVICE_PERMISSIONS = [
+  'auto_configure',
+  'read',
+  'create_doc',
+  'create',
+  'write',
+  'index',
+  'view_index_metadata',
+];
+
 export function storedPackagePoliciesToAgentPermissions(
   packageInfoCache: Map<string, PackageInfo>,
   agentPolicyNamespace: string,
@@ -79,6 +90,10 @@ export function storedPackagePoliciesToAgentPermissions(
       return apmPermissions(packagePolicy.id);
     }
 
+    if (pkg.name === FLEET_CONNECTORS_PACKAGE) {
+      return connectorServicePermissions(packagePolicy.id);
+    }
+
     const dataStreams = getNormalizedDataStreams(pkg);
     if (!dataStreams || dataStreams.length === 0) {
       return [packagePolicy.name, undefined];
@@ -247,3 +262,26 @@ function apmPermissions(packagePolicyId: string): [string, SecurityRoleDescripto
     },
   ];
 }
+
+function connectorServicePermissions(packagePolicyId: string): [string, SecurityRoleDescriptor] {
+  return [
+    packagePolicyId,
+    {
+      cluster: ['manage_connector'],
+      indices: [
+        {
+          names: ['traces-*', 'logs-*', 'metrics-*'],
+          privileges: ['auto_configure', 'create_doc'],
+        },
+        {
+          names: ['.elastic-connectors*'],
+          privileges: ['manage', 'read', 'write'],
+        },
+        {
+          names: ['search-*'],
+          privileges: ['manage', 'read', 'write'],
+        },
+      ],
+    },
+  ];
+}