Original install method (e.g. download page, yum, from source, etc.):
from source
Describe the bug:
When a user with read access to observability (but no heartbeat ES permissions) attempts to view data in Exploratory View, they see an infinite request loop.
Steps to reproduce:
Create a user and assign them a role with read-all Kibana privileges. Do not grant them any ES-level permissions.
Run Heartbeat to index some Uptime data.
As your test user, log in and navigate to the Uptime app.
Click the "Explore data" link in the header.
Observe that the Exploratory View is unusable.
Expected behavior:
There should be a simple error message, informing the user that they don't have permission to view this page and it's a no-op.
Screenshots (if relevant):
Permissions for test user:
No ES permissions:
Kibana permissions (read everything is fine):
Animation of what exp. view does for test user:
Provide logs and/or server output (if relevant):
Error example from server output:
[2022-01-14T09:31:23.880-05:00][ERROR][http] ResponseError: security_exception: [security_exception] Reason: action [indices:data/read/search] is unauthorized for user [test-user] with roles [test-role], this action is granted by the index privileges [read,all]
at KibanaTransport.request (~/kibana/node_modules/@elastic/transport/src/Transport.ts:517:17)
at runMicrotasks (<anonymous>)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at Client.CountApi [as count] (~/kibana/node_modules/@elastic/elasticsearch/src/api/api/count.ts:79:10)
at Object.count (~/kibana/x-pack/plugins/uptime/server/lib/lib.ts:120:15)
at Object.getIndexStatus (~/kibana/x-pack/plugins/uptime/server/lib/requests/get_index_status.ts:22:7)
at handler (~/kibana/x-pack/plugins/uptime/server/rest_api/index_state/get_index_status.ts:17:12)
at handler (~/kibana/x-pack/plugins/uptime/server/rest_api/uptime_route_wrapper.ts:49:17)
at Router.handle (~/kibana/src/core/server/http/router/router.ts:275:30)
at handler (~/kibana/src/core/server/http/router/router.ts:230:13)
at exports.Manager.execute (~/kibana/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
at Object.internals.handler (~/kibana/node_modules/@hapi/hapi/lib/handler.js:46:20)
at exports.execute (~/kibana/node_modules/@hapi/hapi/lib/handler.js:31:20)
at Request._lifecycle (~/kibana/node_modules/@hapi/hapi/lib/request.js:371:32)
at Request._execute (~/kibana/node_modules/@hapi/hapi/lib/request.js:281:9)
Kibana version:
8.1
Elasticsearch version:
8.1
Server OS version:
macOS
Browser version:
Chrome 97
Browser OS version:
macOS
Any additional context:
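Added example, not part of the original report and not Kibana code: one way a data loader can treat the security_exception from the server output above as terminal, so the user gets a single permission message instead of repeated requests. The function names, the retry limit and the synchronous request callback are assumptions made for illustration.

```javascript
// Added illustration; function names and the retry limit are hypothetical.
// Matches the security_exception text shown in the server output above.
const DENIED =
  /action \[([^\]]+)\] is unauthorized for user \[([^\]]+)\](?: with roles \[([^\]]*)\])?(?:.*?granted by the index privileges \[([^\]]*)\])?/;

const list = (s) => (s ? s.split(',').map((x) => x.trim()).filter(Boolean) : []);

// Returns null unless the message is an authorization failure.
function parseAuthorizationFailure(message) {
  if (!message.includes('security_exception')) return null;
  const m = DENIED.exec(message);
  if (!m) return { action: null, user: null, roles: [], grantedBy: [] };
  return { action: m[1], user: m[2], roles: list(m[3]), grantedBy: list(m[4]) };
}

// Decide what to do after a failed request. A permission failure is terminal:
// repeating the request cannot succeed until the role changes.
function nextStep(error, attempt, maxAttempts) {
  const denied = parseAuthorizationFailure(String(error && error.message));
  if (denied) {
    return { retry: false, userMessage: "You don't have permission to view this page.", denied };
  }
  if (attempt >= maxAttempts) return { retry: false, userMessage: 'Unable to load data.' };
  return { retry: true };
}

// Drives a request callback through the guard (synchronous to keep the demo short).
function load(request, maxAttempts = 3) {
  for (let attempt = 1; ; attempt++) {
    try {
      return { ok: true, data: request(), attempts: attempt };
    } catch (err) {
      const step = nextStep(err, attempt, maxAttempts);
      if (!step.retry) return { ok: false, attempts: attempt, ...step };
    }
  }
}

// Constructed input: the message text from the log line in this report.
const SAMPLE =
  'security_exception: [security_exception] Reason: action [indices:data/read/search] ' +
  'is unauthorized for user [test-user] with roles [test-role], ' +
  'this action is granted by the index privileges [read,all]';

const result = load(() => { throw new Error(SAMPLE); });
console.log(result.attempts, result.userMessage, result.denied);
```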