elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Minimal access to prevent enumerating objects #125015

Open jportner opened 2 years ago

jportner commented 2 years ago

Reference: https://discuss.elastic.co/t/kibana-anonymous-access-how-do-you-prevent-listing-all-dashboards/296214/3

When an operator sets up Anonymous Access with minimal privileges to see dashboards, for example, it would be nice to be able to share public URLs without giving anonymous users the ability to enumerate all other dashboards on the system.

This isn't currently possible today. Granting Read access to the Dashboard feature allows you to use the navigation pane to view all dashboards in the current space, and it allows you to access the generic Saved Objects API to search/etc for dashboards and other saved objects that this feature gives access to (such as visualizations, lens, data views, etc.)

~A workaround would be to put a reverse proxy in front of Kibana that blocks URLs which would allow the user to enumerate dashboards.~ Edit: this won't work; you can't block the _find API entirely, because it is used by the data views service to fetch available index patterns...

elasticmachine commented 2 years ago

Pinging @elastic/kibana-security (Team:Security)

legrego commented 2 years ago

@jportner do you see this as a separate feature to OLS / "private objects"?

jportner commented 2 years ago

> @jportner do you see this as a separate feature to OLS / "private objects"?

I think there is some overlap here but there are some separate concerns.

For example, if I open a Google Doc and get a "Public" link for that document, I understand that the anonymous users can only see that document with that link. They can't see all my other documents.

From an authorization standpoint, this feels like almost the inverse of "private objects". As in, the anonymous user should by default have access to zero objects in Kibana, and they should only be able to see what has been explicitly shared from the Public URL button (e.g., at that point, the dashboard should be accessible to the anonymous user, along with any referenced objects like visualizations, data views, etc.)

But this doesn't even touch on the enumeration aspect, which is interesting. The way this was described in the original Discuss post, object enumeration is the primary concern. As a user, I want to be able to generate multiple links to different objects, but I don't want anonymous users to be able to view other dashboards in that space (even if I've also generated public URLs for those dashboards!). This is not simple to solve at the API level -- for example, the data views plugin makes an API call to /api/saved_objects/_find for index-pattern objects, so we can't just deny the _find privilege action for anonymous users.
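The two comments above describe the enumeration path (the generic saved objects _find API) and why a blanket proxy rule on it fails (the data views plugin needs _find for index-pattern objects). The following script is an added example, not code from the Kibana project or from anyone in this thread. It lets an operator check what a given user, or the anonymous user when no credentials are supplied, can list through /api/saved_objects/_find, and shows that a naive "deny every _find" proxy rule also denies the index-pattern lookup. The endpoint, the type and per_page query parameters, and the /s/<space> URL prefix are Kibana's own; the function names, the kibana.example host and the sample response body are assumptions made for the example.

```python
import base64
import json
import urllib.request
from typing import List, Optional, Tuple
from urllib.parse import urlencode

# /api/saved_objects/_find plus its `type` and `per_page` parameters are
# Kibana's saved objects API; every name below is illustrative and is not
# part of Kibana or of this issue.
FIND_PATH = "/api/saved_objects/_find"


def find_url(kibana_url: str, obj_type: str, per_page: int = 1000,
             space: Optional[str] = None) -> str:
    """Build the _find request that lists every saved object of one type
    visible to the caller in a space (Kibana's /s/<space> prefix; omitted
    for the default space)."""
    base = kibana_url.rstrip("/")
    prefix = f"/s/{space}" if space else ""
    query = urlencode({"type": obj_type, "per_page": per_page})
    return f"{base}{prefix}{FIND_PATH}?{query}"


def summarize(find_response: dict) -> List[Tuple[str, str, str]]:
    """Reduce a _find response body to (type, id, title) tuples."""
    return [
        (obj["type"], obj["id"], obj.get("attributes", {}).get("title", ""))
        for obj in find_response.get("saved_objects", [])
    ]


def enumerate_objects(kibana_url: str, obj_type: str,
                      basic_auth: Optional[Tuple[str, str]] = None,
                      space: Optional[str] = None,
                      timeout: float = 10.0) -> List[Tuple[str, str, str]]:
    """Call _find as a named user, or anonymously when basic_auth is None.
    This is the live check; point it at a test instance."""
    req = urllib.request.Request(find_url(kibana_url, obj_type, space=space))
    if basic_auth is not None:
        user, password = basic_auth
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize(json.load(resp))


def naive_proxy_blocks(url_or_path: str) -> bool:
    """The struck-out workaround from the issue: a reverse proxy rule that
    denies every _find request. True when the rule would deny the request."""
    return url_or_path.split("?", 1)[0].endswith(FIND_PATH)


# Constructed sample _find response (shape only; ids and titles are made up).
SAMPLE_FIND_RESPONSE = {
    "page": 1,
    "per_page": 1000,
    "total": 2,
    "saved_objects": [
        {"type": "dashboard", "id": "dash-public-1",
         "attributes": {"title": "Public status board"}, "references": []},
        {"type": "dashboard", "id": "dash-internal-7",
         "attributes": {"title": "Internal revenue"}, "references": []},
    ],
}


if __name__ == "__main__":
    # Offline walk-through: with Read on the Dashboard feature, one _find
    # call returns every dashboard in the space, shared publicly or not.
    for obj_type, obj_id, title in summarize(SAMPLE_FIND_RESPONSE):
        print(f"{obj_type}\t{obj_id}\t{title}")
    # The proxy rule that would hide the dashboard listing also blocks the
    # index-pattern lookup the data views plugin makes through the same API.
    for t in ("dashboard", "index-pattern"):
        url = find_url("https://kibana.example", t)
        print(f"blocked={naive_proxy_blocks(url)} {url}")
```

To run the live check, call enumerate_objects("https://kibana.example", "dashboard") with no credentials against an instance where anonymous access is enabled; a non-empty result is the enumeration the issue is about.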

legrego commented 2 years ago

Makes sense, thanks for explaining 👍. I agree there are some interesting challenges to solve here, especially around API access