Fix QueryRoleIT

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java

@@ -412,7 +412,7 @@ static RoleDescriptor kibanaSystem(String name) {
                 new ConfigurableClusterPrivileges.ManageApplicationPrivileges(Set.of("kibana-*")),
                 new ConfigurableClusterPrivileges.WriteProfileDataPrivileges(Set.of("kibana*")) },
             null,
-            MetadataUtils.DEFAULT_RESERVED_METADATA,
+            MetadataUtils.DEFAULT_RESERVED_ROLE_METADATA,
             null,
             new RoleDescriptor.RemoteIndicesPrivileges[] {
                 getRemoteIndicesReadPrivileges(".monitoring-*"),

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -83,7 +83,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
             RoleDescriptor.ApplicationResourcePrivileges.builder().application("*").privileges("*").resources("*").build() },
         null,
         new String[] { "*" },
-        MetadataUtils.DEFAULT_RESERVED_METADATA,
+        MetadataUtils.DEFAULT_RESERVED_ROLE_METADATA,
         Collections.emptyMap(),
         new RoleDescriptor.RemoteIndicesPrivileges[] {
             new RoleDescriptor.RemoteIndicesPrivileges(
@@ -143,7 +143,7 @@ public ReservedRolesStore(Set<String> includes) {
         RESERVED_ROLES = ALL_RESERVED_ROLES.entrySet()
             .stream()
             .filter(entry -> includes.contains(entry.getKey()))
-            .collect(Collectors.toUnmodifiableMap(Map.Entry::getKey, Map.Entry::getValue));
+            .collect(toUnmodifiableMap(Map.Entry::getKey, Map.Entry::getValue));
     }
 
     static RoleDescriptor.RemoteIndicesPrivileges getRemoteIndicesReadPrivileges(String indexPattern) {

x-pack/plugin/security/qa/security-basic/src/javaRestTest/java/org/elasticsearch/xpack/security/QueryRoleIT.java

@@ -50,14 +50,16 @@ public final class QueryRoleIT extends SecurityInBasicRestTestCase {
     private static final String READ_SECURITY_USER_AUTH_HEADER = "Basic cmVhZF9zZWN1cml0eV91c2VyOnJlYWQtc2VjdXJpdHktcGFzc3dvcmQ=";
 
     public void testSimpleQueryAllRoles() throws IOException {
+        // the index does not exist
         assertQuery("", 0, roles -> assertThat(roles, emptyIterable()));
-        RoleDescriptor createdRole = createRandomRole();
-        assertQuery("", 1, roles -> {
-            assertThat(roles, iterableWithSize(1));
-            assertRoleMap(roles.get(0), createdRole);
+        createRandomRole();
+        // 32 built-in reserved roles
+        assertQuery("", 1 + 32, roles -> {
+            // default size is 10
+            assertThat(roles, iterableWithSize(10));
         });
         assertQuery("""
-            {"query":{"match_all":{}},"from":1}""", 1, roles -> assertThat(roles, emptyIterable()));
+            {"query":{"match_all":{}},"from":33}""", 1 + 32, roles -> assertThat(roles, emptyIterable()));
     }
 
     public void testDisallowedFields() throws Exception {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -130,6 +130,7 @@
 import org.elasticsearch.xpack.core.security.action.ActionTypes;
 import org.elasticsearch.xpack.core.security.action.ClearSecurityCacheAction;
 import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationAction;
+import org.elasticsearch.xpack.core.security.action.SetIndexMetadataPropertyAction;
 import org.elasticsearch.xpack.core.security.action.UpdateIndexMigrationVersionAction;
 import org.elasticsearch.xpack.core.security.action.apikey.BulkUpdateApiKeyAction;
 import org.elasticsearch.xpack.core.security.action.apikey.BulkUpdateApiKeyRequestTranslator;
@@ -782,6 +783,8 @@ Collection<Object> createComponents(
         // See Plugin#additionalSettings()
         this.settings = environment.settings();
 
+        final ReservedRolesStore reservedRolesStore = new ReservedRolesStore(Set.copyOf(INCLUDED_RESERVED_ROLES_SETTING.get(settings)));
+
         systemIndices.init(client, featureService, clusterService);
 
         this.securityMigrationExecutor.set(
@@ -915,7 +918,6 @@ Collection<Object> createComponents(
         );
         components.add(privilegeStore);
 
-        final ReservedRolesStore reservedRolesStore = new ReservedRolesStore(Set.copyOf(INCLUDED_RESERVED_ROLES_SETTING.get(settings)));
         dlsBitsetCache.set(new DocumentSubsetBitsetCache(settings, threadPool));
         final FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(settings);
 
@@ -1596,6 +1598,7 @@ public void onIndexModule(IndexModule module) {
             new ActionHandler<>(UpdateSecuritySettingsAction.INSTANCE, TransportUpdateSecuritySettingsAction.class),
             new ActionHandler<>(ActionTypes.RELOAD_REMOTE_CLUSTER_CREDENTIALS_ACTION, TransportReloadRemoteClusterCredentialsAction.class),
             new ActionHandler<>(UpdateIndexMigrationVersionAction.INSTANCE, UpdateIndexMigrationVersionAction.TransportAction.class),
+            new ActionHandler<>(SetIndexMetadataPropertyAction.INSTANCE, SetIndexMetadataPropertyAction.TransportAction.class),
             usageAction,
             infoAction
         ).filter(Objects::nonNull).toList();

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityIndexManager.java

@@ -136,7 +136,7 @@ private SecurityIndexManager(
      * should be reused for multiple checks in the same workflow.
      */
     public SecurityIndexManager defensiveCopy() {
-        return new SecurityIndexManager(null, null, systemIndexDescriptor, state, true);
+        return new SecurityIndexManager(null, client, systemIndexDescriptor, state, true);
     }
 
     public String aliasName() {