
Rollover action fails when user has index privilege only on alias #40771

@bizybot


Elasticsearch version (bin/elasticsearch --version): 6.6.2

Description of the problem including expected versus actual behavior:
The rollover action fails with unauthorized access when the user does
not have access to the concrete index but only to the alias.

In TransportRolloverAction, before doing the rollover, we resolve the
source index name (write index) from the alias in the rollover request.
Before evaluating the conditions and executing the rollover action, we
retrieve stats, but to do so we use the source index name
resolved from the alias instead of what is in the request.

```java
// Resolve the alias named in the request to its write index.
final AliasOrIndex.Alias alias = (AliasOrIndex.Alias) metaData.getAliasAndIndexLookup().get(rolloverRequest.getAlias());
final IndexMetaData indexMetaData = alias.getWriteIndex();
final boolean explicitWriteIndex = Boolean.TRUE.equals(indexMetaData.getAliases().get(alias.getAliasName()).writeIndex());
final String sourceProvidedName = indexMetaData.getSettings().get(IndexMetaData.SETTING_INDEX_PROVIDED_NAME,
    indexMetaData.getIndex().getName());
// Concrete index name, which the user may not be granted privileges on.
final String sourceIndexName = indexMetaData.getIndex().getName();
final String unresolvedName = (rolloverRequest.getNewIndexName() != null)
    ? rolloverRequest.getNewIndexName()
    : generateRolloverIndexName(sourceProvidedName, indexNameExpressionResolver);
final String rolloverIndexName = indexNameExpressionResolver.resolveDateMathExpression(unresolvedName);
MetaDataCreateIndexService.validateIndexName(rolloverIndexName, state); // will fail if the index already exists
checkNoDuplicatedAliasInIndexTemplate(metaData, rolloverIndexName, rolloverRequest.getAlias());
// Stats are requested for the resolved concrete index, not for the alias from the request,
// so the indices:monitor/stats check runs against a name the alias-only user was never granted.
client.admin().indices().prepareStats(sourceIndexName).clear().setDocs(true).execute(
// (snippet ends here in the issue)
```

Expected behavior:
The rollover action should succeed.

Actual behavior:
Fails with

```
action [indices:monitor/stats] is unauthorized for user [ufoo]
```

Steps to reproduce:

  • Create an index with an alias
```
PUT /foo-index-00001 '{ "aliases" : { "foo_alias" : {} } }'
```
  • Create a user with a role
```
PUT /_xpack/security/user/ufoo '{ "password": "foobar", "roles" : [ "foo_role" ]  }'

PUT /_xpack/security/role/foo_role '{ "cluster": [ "all" ], "indices": [ { "names": ["foo_alias"], "privileges": ["all"] } ] }'
```
  • Index some documents using the created user (ufoo)
```
POST /foo_alias/_doc '{ "field" : "foo" }'
POST /foo_alias/_doc '{ "field" : "foo" }'
```
  • Try rollover
```
POST /foo_alias/_rollover '{ "conditions": { "max_docs": 1 } }'
```
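The authorization failure above, as an added Python model (not Elasticsearch code): index privileges are checked against the names carried in each request, so an internal stats request issued for the resolved concrete index fails for a user whose role only names the alias, while the same request issued for the alias from the original rollover request passes. The alias, index, user and role come from the reproduction steps; the privilege-to-action mapping is a simplified assumption.

```python
import fnmatch

# Constructed sample state, taken from the issue's reproduction steps: one alias
# whose write index is foo-index-00001, and user ufoo whose role grants foo_alias only.
ALIASES = {"foo_alias": {"write_index": "foo-index-00001"}}
ROLES = {
    "foo_role": [{"names": ["foo_alias"], "privileges": ["all"]}],
    "superuser": [{"names": ["*"], "privileges": ["all"]}],
}
USERS = {"ufoo": ["foo_role"], "admin": ["superuser"]}
# Simplified assumption of which index privilege covers which action-name prefix.
PRIVILEGE_ACTIONS = {"all": "indices:", "monitor": "indices:monitor/", "manage": "indices:admin/"}

class Unauthorized(Exception):
    pass

def authorize(user, action, names):
    """Check every name in the request against the user's role grants. Alias names
    are matched literally; the concrete indices behind an alias are not implied."""
    for name in names:
        ok = any(
            fnmatch.fnmatchcase(name, pattern)
            and any(action.startswith(PRIVILEGE_ACTIONS[p]) for p in grant["privileges"])
            for role in USERS[user] for grant in ROLES[role] for pattern in grant["names"]
        )
        if not ok:
            raise Unauthorized(f"action [{action}] is unauthorized for user [{user}]")

def stats(user, target):
    authorize(user, "indices:monitor/stats", [target])
    return {"docs": 2}  # constructed: the two documents indexed in the repro

def rollover(user, alias, stats_by_concrete_index):
    """Model of the rollover flow: resolve the write index, fetch stats, evaluate max_docs.
    stats_by_concrete_index=True reproduces the bug; False requests stats for the alias."""
    authorize(user, "indices:admin/rollover", [alias])
    source = ALIASES[alias]["write_index"]
    docs = stats(user, source if stats_by_concrete_index else alias)["docs"]
    return {"old_index": source, "rolled_over": docs >= 1}

def rollover_outcome(user, alias, stats_by_concrete_index):
    """Return the rollover result, or the authorization error message as text."""
    try:
        return rollover(user, alias, stats_by_concrete_index)
    except Unauthorized as err:
        return str(err)
```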
