Grant necessary Kibana application privileges to reporting_user role #118058
Conversation
Hi @slobodanadamovic, I've created a changelog YAML for you.
Pinging @elastic/es-security (Team:Security)
);

final Set<String> allowedApplicationActionPatterns = Set.of(
    "login:",
These are only test examples of allowed actions and are not meant to represent the accurate list of actions.
    "feature_visualize.minimal_read",
    "feature_visualize.generate_report"
)
.build() },
null,
null,
MetadataUtils.getDeprecatedReservedMetadata("Please use Kibana feature privileges instead"),
Since we're adding this I assume this is no longer considered a deprecated role, so I think this can be removed?
Looks like the description might be outdated? Since we're doing this we might want to update it.
Since we're adding this I assume this is no longer considered a deprecated role, so I think this can be removed?
Good question!
@tsullivan Can correct me, but my understanding is that we still want to keep it deprecated, just to make sure it grants necessary application privileges. The preferred way should still be to create a custom role with the least app privileges.
Edit: I just saw this PR, which confirms that we should remove the deprecation warning (but would be nice to confirm):
assign the built-in reporting_user role the necessary Kibana application privileges, and make the role not marked as deprecated.
I confirm that the Kibana team requests that we do remove the deprecated status of this role.
Removing the deprecated status will stop warning messages from being logged, which are not useful or meaningful to users.
Thank you very much!
BTW
The preferred way should still be to create a custom role with the least app privileges.
I think this is accurate, as granting the least app privileges should be recommended. Also worth mentioning, the documentation page linked here is in need of some updates for 8.x. It should offer more clarity about what the xpack.reporting.roles.enabled setting actually does.
...core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
Nice catch! Totally, we should update it.
👍 LGTM!
Request changes in the built-in documentation, because the reporting_user role does not grant direct access to the reporting indices.
access to the <<roles-indices-priv,indices>> that will be used to generate reports.
Grants the necessary privileges required to use {reporting} features in {kib},
including generating and downloading reports. This role implicitly grants access
to the reporting indices, with each user having access only to their own reports.
to the reporting indices, with each user having access only to their own reports.
to all Kibana reporting features, with each user having access only to their own reports.
+ "Reporting users should also be assigned additional roles that grant access to Kibana as well as read access "
+ "to the indices that will be used to generate reports."
"Grants the necessary privileges required to use reporting features in Kibana, "
+ "including generating and downloading reports. This role implicitly grants access to the reporting indices, "
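Review bot: the replacement description drops the guidance, visible in the preceding "Reporting users should also be assigned additional roles ..." strings, that users still need read access to the indices used to generate reports; since this role grants Kibana application privileges rather than index privileges, that sentence remains true and should be kept alongside the new wording, and "implicitly grants access to the reporting indices" should not be stated for a role that grants no index privileges.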
+ "including generating and downloading reports. This role implicitly grants access to the reporting indices, "
+ "including generating and downloading reports. This role implicitly grants access to all Kibana reporting features, "
Previously, Kibana was authorizing (and granting application privileges) to create reports, simply based on the reporting_user role name. This PR makes these application privileges explicitly granted to the reporting_user role.