Add auditor role; update analyst role with correct syntax

salt/common/tools/sbin/so-elasticsearch-roles-load

@@ -51,7 +51,7 @@ cd ${ELASTICSEARCH_ROLES}
 echo "Loading templates..."
 for role in *; do
 	name=$(echo "$role" | cut -d. -f1)
-	so-elasticsearch-query security/roles/$name -XPUT -d @"$role"
+	so-elasticsearch-query _security/role/$name -XPUT -d @"$role"
 done
 
 cd - >/dev/null

salt/elasticsearch/roles/analyst.json

@@ -1,5 +1,4 @@
 {
-  "elasticsearch": {
   "cluster": [
     "cancel_task",
     "create_snapshot",
@@ -22,6 +21,7 @@
         "so-*"
       ],
       "privileges": [
+        "index",
         "read",
         "read_cross_cluster",
         "monitor",
@@ -29,17 +29,34 @@
       ]
     }
   ],
-    "run_as": []
+  "applications": [
-  },
-  "kibana": [
     {
-      "spaces": [
+      "application": "kibana-.kibana",
+      "privileges": [
+        "feature_discover.all",
+        "feature_dashboard.all",
+        "feature_canvas.all",
+        "feature_maps.all",
+        "feature_ml.all",
+        "feature_logs.read",
+        "feature_visualize.all",
+        "feature_infrastructure.read",
+        "feature_apm.read",
+        "feature_uptime.read",
+        "feature_siem.read",
+        "feature_dev_tools.read",
+        "feature_advancedSettings.read",
+        "feature_indexPatterns.read",
+        "feature_savedObjectsManagement.read",
+        "feature_savedObjectsTagging.read",
+        "feature_fleet.all",
+        "feature_actions.read",
+        "feature_stackAlerts.read"
+      ],
+      "resources": [
         "*"
-      ],
-      "base": [
-        "read"
-      ],
-      "feature": {}
-    }
       ]
+    }
+  ],
+  "run_as": []
 }