Closed konstantin-kornienko closed 2 years ago
Search works for superuser
Same search for generic user
Please note that backend responds correctly, but results aren't presented.
Pinging @elastic/kibana-security (Team:Security)
Pinging @elastic/app-search-frontend (Team:AppSearch)
Pinging @elastic/workplace-search-frontend (Team:WorkplaceSearch)
This does not appear to be a Platform Security issue.
I'm not sure if this is an AppSearch concern or a WorkplaceSearch concern, but I added both labels.
Pinging @elastic/kibana-core (Team:Core)
I believe global search is a Core team feature
> I believe global search is a Core team feature
This is right, removed the other team labels
Pinging @elastic/fleet (Team:Fleet)
Looks like search stops working after: core.entry.js:6 GET https://kibana/api/fleet/epm/packages?experimental=true 403 (Forbidden) "Access to Fleet API require the superuser role"
@elastic/fleet it seems the result provider you're registering is throwing an error when a non-admin user is performing a search, as the endpoint it's calling requires the super-user role. This caused the GS service to stop returning results once the error is encountered.
On core side, we should definitely catch such per-provider errors, to avoid having a provider breaking the whole search mechanism
However, GS is meant to be usable by any user, and the results returned filtered by proper permission. You need to modify your provider to return an empty result list when the user does not have the proper permission, either by doing an ACL check client-side, or by catching 403 errors when calling your endpoint.
As a side note, as the results are fetched from the server, may I ask why you implemented a client-side result provider instead of a server-side one?
It's stated in the plugin's readme that when possible, a server-side provider should be favored
> Results from providers registered from the client-side registerResultProvider API will not be available when performing a search from the server-side. For this reason, prefer registering providers using the server-side API when possible.
> On core side, we should definitely catch such per-provider errors, to avoid having a provider breaking the whole search mechanism
+1. The core can provide a bug fix for the current issue and open a dedicated issue to improve Fleet provider logic.
Opened https://github.com/elastic/kibana/pull/111093 to swallow the provider errors, and created https://github.com/elastic/kibana/issues/111094 for fleet's integrations provider fix.
Kibana version: 7.14.0
Elasticsearch version: 7.14.0
Server OS version: Ubuntu 18
Browser version: Chrome latest
Browser OS version: Windows 10
Original install method (e.g. download page, yum, from source, etc.): apt
Describe the bug: For regular users global search fails to find searches. Actually it works, but only once.
Steps to reproduce:
Expected behavior: Search should always work.
Screenshots (if relevant):
Errors in browser console (if relevant): Looks like search stops working after: core.entry.js:6 GET https://kibana/api/fleet/epm/packages?experimental=true 403 (Forbidden) "Access to Fleet API require the superuser role"
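
The two fixes discussed in this thread (the search aggregator isolating per-provider errors, and the provider returning an empty list on a 403), as an added sketch that is not code from Kibana or from any participant. All names (`HttpError`, `fetchPackages`, `packagesProvider`, `mergeSettled`, `searchAll`, `sampleProviders`) and the sample data are hypothetical and constructed, and plain Promises stand in for whatever the real search service uses.

```javascript
// Added illustration; every name here is hypothetical, not Kibana's API.
class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Constructed stand-in for an endpoint that enforces a role check server-side.
async function fetchPackages(user) {
  if (!user.roles.includes('superuser')) throw new HttpError(403, 'Forbidden');
  return [{ title: 'nginx integration' }, { title: 'system integration' }];
}

// Provider-side fix: a 403 means "nothing this user may see", so return [].
// Any other failure still propagates to the aggregator.
async function packagesProvider(term, user) {
  try {
    return (await fetchPackages(user)).filter((p) => p.title.includes(term));
  } catch (err) {
    if (err instanceof HttpError && err.status === 403) return [];
    throw err;
  }
}

// Aggregator-side fix: merge each provider's outcome independently.
// Failures are collected, not dropped, so they can still be logged.
function mergeSettled(ids, settled) {
  const results = [];
  const failures = [];
  settled.forEach((outcome, i) => {
    if (outcome.status === 'fulfilled') results.push(...outcome.value);
    else failures.push({ provider: ids[i], reason: String(outcome.reason) });
  });
  return { results, failures };
}

async function searchAll(providers, term, user) {
  const ids = Object.keys(providers);
  const settled = await Promise.allSettled(ids.map((id) => providers[id](term, user)));
  return mergeSettled(ids, settled);
}

// Constructed sample providers: one healthy, one permission-gated, one failing.
const sampleProviders = {
  dashboards: async (term) => [{ title: 'nginx dashboard' }].filter((d) => d.title.includes(term)),
  packages: packagesProvider,
  broken: async () => { throw new Error('backend unavailable'); },
};

searchAll(sampleProviders, 'nginx', { roles: ['viewer'] }).then((out) => console.log(out));
```

The server-side 403 remains the actual access control in this sketch; the provider only changes how the denial is presented to the search UI.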