require read_cross_cluster (instead of indices:data/read/esql) local …

…privs when only reading xCluster

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java

@@ -85,7 +85,9 @@ public final class IndexPrivilege extends Privilege {
         "internal:transport/proxy/indices:data/read/*",
         ClusterSearchShardsAction.NAME,
         TransportSearchShardsAction.TYPE.name(),
-        TransportResolveClusterAction.NAME
+        TransportResolveClusterAction.NAME,
+        "indices:data/read/esql",
+        "indices:data/read/esql/compute"
     );
     private static final Automaton CREATE_AUTOMATON = patterns(
         "indices:data/write/index*",

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityEsqlIT.java

@@ -394,9 +394,6 @@ public void testCrossClusterQueryAgainstInvalidRemote() throws Exception {
     }
 
     @SuppressWarnings("unchecked")
-    @AwaitsFix(bugUrl = "cross-clusters search should not require local index permissions")
-    // will work if you add change "indices": [] to : "indices": [ { "names": [""], "privileges": ["indices:data/read/esql"] } ]
-    // however that should not be required to executed search across clusters
     public void testCrossClusterQueryWithOnlyRemotePrivs() throws Exception {
         configureRemoteCluster();
         populateData();
@@ -406,7 +403,7 @@ public void testCrossClusterQueryWithOnlyRemotePrivs() throws Exception {
 
         putRoleRequest.setJsonEntity("""
             {
-              "indices": [],
+              "indices": [{"names": [""], "privileges": ["read_cross_cluster"]}],
               "remote_indices": [
                 {
                   "names": ["employees"],