[7.x] Add telemetry as an automatic privilege grant (#77390) (#77774)

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Author: legrego

src/plugins/telemetry/server/routes/telemetry_opt_in.ts

@@ -26,6 +26,7 @@ import {
   StatsGetterConfig,
   TelemetryCollectionManagerPluginSetup,
 } from 'src/plugins/telemetry_collection_manager/server';
+import { SavedObjectsErrorHelpers } from '../../../../core/server';
 import { getTelemetryAllowChangingOptInStatus } from '../../common/telemetry_config';
 import { sendTelemetryOptInStatus } from './telemetry_opt_in_stats';
 
@@ -109,7 +110,13 @@ export function registerTelemetryOptInRoutes({
         });
       }
 
-      await updateTelemetrySavedObject(context.core.savedObjects.client, attributes);
+      try {
+        await updateTelemetrySavedObject(context.core.savedObjects.client, attributes);
+      } catch (e) {
+        if (SavedObjectsErrorHelpers.isForbiddenError(e)) {
+          return res.forbidden();
+        }
+      }
       return res.ok({ body: optInStatus });
     }
   );

x-pack/plugins/features/server/feature_registry.test.ts

@@ -57,7 +57,7 @@ describe('FeatureRegistry', () => {
           read: {
             savedObject: {
               all: [],
-              read: ['config', 'url'],
+              read: ['config', 'url', 'telemetry'],
             },
             ui: [],
           },
@@ -230,7 +230,7 @@ describe('FeatureRegistry', () => {
       expect(allPrivilege?.savedObject.all).toEqual(['telemetry']);
     });
 
-    it(`automatically grants 'read' access to config and url saved objects for both privileges`, () => {
+    it(`automatically grants access to config, url, and telemetry saved objects`, () => {
       const feature: KibanaFeatureConfig = {
         id: 'test-feature',
         name: 'Test Feature',
@@ -263,7 +263,7 @@ describe('FeatureRegistry', () => {
       const allPrivilege = result[0].privileges?.all;
       const readPrivilege = result[0].privileges?.read;
       expect(allPrivilege?.savedObject.read).toEqual(['config', 'url']);
-      expect(readPrivilege?.savedObject.read).toEqual(['config', 'url']);
+      expect(readPrivilege?.savedObject.read).toEqual(['config', 'telemetry', 'url']);
     });
 
     it(`automatically grants 'all' access to telemetry and 'read' to [config, url] saved objects for the reserved privilege`, () => {
@@ -332,7 +332,7 @@ describe('FeatureRegistry', () => {
       const readPrivilege = result[0].privileges!.read;
       expect(allPrivilege?.savedObject.all).toEqual(['telemetry']);
       expect(allPrivilege?.savedObject.read).toEqual(['config', 'url']);
-      expect(readPrivilege?.savedObject.read).toEqual(['config', 'url']);
+      expect(readPrivilege?.savedObject.read).toEqual(['config', 'url', 'telemetry']);
     });
 
     it(`does not allow duplicate features to be registered`, () => {

x-pack/plugins/features/server/feature_registry.ts

@@ -97,7 +97,12 @@ function applyAutomaticReadPrivilegeGrants(
 ) {
   readPrivileges.forEach((readPrivilege) => {
     if (readPrivilege) {
-      readPrivilege.savedObject.read = uniq([...readPrivilege.savedObject.read, 'config', 'url']);
+      readPrivilege.savedObject.read = uniq([
+        ...readPrivilege.savedObject.read,
+        'config',
+        'telemetry',
+        'url',
+      ]);
     }
   });
 }