elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[UX Dashboard] APM `viewer` role cannot access UX Dashboard #136855

Open justinkambic opened 2 years ago

justinkambic commented 2 years ago

Kibana version: latest

Elasticsearch version: latest

Server OS version: macOS

Browser version: Chrome 103

Browser OS version: macOS Monterey

Original install method (e.g. download page, yum, from source, etc.): from source

Describe the bug: The viewer role cannot access the UX Dashboard

Steps to reproduce:

  1. Create a viewer user. Run `create_apm_user --username {USERNAME} --password {PASSWORD} --kibana-url {KIBANA_URL}`.
  2. Log in as the viewer user.
  3. Attempt to open the UX Dashboard.

Expected behavior: The dashboard should be viewable

Screenshots (if relevant):

Errors in browser console (if relevant):

Error: EsError: action [internal:transport/proxy/indices:data/read/search[phase/query]] is unauthorized for user [viewer] with roles [viewer], this action is granted by the index privileges [read_cross_cluster,all]
    at SearchInterceptor.handleSearchError (search_interceptor.ts:161:1)
    at search_interceptor.ts:348:1
    at catchError.js:10:1
    at OperatorSubscriber._this._error (OperatorSubscriber.js:25:1)
    at Subscriber.error (Subscriber.js:43:1)
    at Subject.js:63:1
    at errorContext (errorContext.js:19:1)
    at Subject.error (Subject.js:56:1)
    at Object.error (share.js:51:1)
    at ConsumerObserver.error (Subscriber.js:107:1)

Provide logs and/or server output (if relevant):

[2022-07-21T11:38:15.474-04:00][WARN ][plugins.security.api-authorization] User not authorized for "/api/exception_lists": responding with 403                                                                                                                                                
[2022-07-21T11:38:24.342-04:00][ERROR][plugins.apm] Error: Unable to create index-pattern                                                                                                                                                                                                     
    at SecureSavedObjectsClientWrapper.legacyEnsureAuthorized (/Users/jk/git/justinkambic/kibana/x-pack/plugins/security/server/saved_objects/secure_saved_objects_client_wrapper.ts:956:48)                                                                                                  
    at runMicrotasks (<anonymous>)                                                                                                                                                                                                                                                            
    at processTicksAndRejections (node:internal/process/task_queues:96:5)                                                                                                                                                                                                                     
    at SecureSavedObjectsClientWrapper.create (/Users/jk/git/justinkambic/kibana/x-pack/plugins/security/server/saved_objects/secure_saved_objects_client_wrapper.ts:116:7)                                                                                                                   
    at SpacesSavedObjectsClient.create (/Users/jk/git/justinkambic/kibana/x-pack/plugins/spaces/server/saved_objects/spaces_saved_objects_client.ts:115:12)                                                                                                                                   
    at SavedObjectsClientServerToCommon.create (/Users/jk/git/justinkambic/kibana/src/plugins/data_views/server/saved_objects_client_wrapper.ts:38:12)                                                                                                                                        
    at DataViewsService.createSavedObject (/Users/jk/git/justinkambic/kibana/src/plugins/data_views/common/data_views/data_views.ts:854:56)                                                                                                                                                   
    at DataViewsService.createAndSave (/Users/jk/git/justinkambic/kibana/src/plugins/data_views/common/data_views/data_views.ts:828:33)                                                                                                                                                       
    at /Users/jk/git/justinkambic/kibana/x-pack/plugins/apm/server/routes/data_view/create_static_data_view.ts:55:26                                                                                                                                                                          
    at spaces (/Users/jk/git/justinkambic/kibana/x-pack/plugins/apm/server/routes/data_view/create_static_data_view.ts:54:14)                                                                                                                                                                 
    at handler (/Users/jk/git/justinkambic/kibana/x-pack/plugins/apm/server/routes/data_view/route.ts:36:21)                                                                                                                                                                                  
    at /Users/jk/git/justinkambic/kibana/x-pack/plugins/apm/server/routes/apm_routes/register_apm_server_routes.ts:101:37                                                                                                                                                                     
    at Router.handle (/Users/jk/git/justinkambic/kibana/node_modules/@kbn/core-http-router-server-internal/target_node/router.js:163:30)                                                                                                                                                      
    at handler (/Users/jk/git/justinkambic/kibana/node_modules/@kbn/core-http-router-server-internal/target_node/router.js:124:50)                                                                                                                                                            
    at exports.Manager.execute (/Users/jk/git/justinkambic/kibana/node_modules/@hapi/hapi/lib/toolkit.js:60:28)                                                                                                                                                                               
    at Object.internals.handler (/Users/jk/git/justinkambic/kibana/node_modules/@hapi/hapi/lib/handler.js:46:20)                                                                                                                                                                              
    at exports.execute (/Users/jk/git/justinkambic/kibana/node_modules/@hapi/hapi/lib/handler.js:31:20)                                                                                                                                                                                       
    at Request._lifecycle (/Users/jk/git/justinkambic/kibana/node_modules/@hapi/hapi/lib/request.js:371:32)                                                                                                                                                                                   
    at Request._execute (/Users/jk/git/justinkambic/kibana/node_modules/@hapi/hapi/lib/request.js:281:9) 

Any additional context:

elasticmachine commented 2 years ago

Pinging @elastic/uptime (Team:uptime)
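
A triage helper for the denial message in the browser console error above, as an added example that is not part of the original issue or of Kibana's code. It parses the Elasticsearch `is unauthorized` message into user, roles, action and granting privileges, and flags actions wrapped in the `internal:transport/proxy/` prefix. `parseDenial`, `summarize` and `SAMPLE` are hypothetical names, and the second sample line is constructed.

```javascript
// Added example (not Kibana code): parse Elasticsearch authorization denials.
const PROXY_PREFIX = 'internal:transport/proxy/'; // Elasticsearch transport proxy action prefix

const DENIAL_RE = new RegExp(
  'action \\[(.+?)\\] is unauthorized for user \\[([^\\]]+)\\]' +
  // Assumption: also tolerate "effective roles" and "on indices [...]" wording variants.
  ' with (?:effective )?roles \\[([^\\]]*)\\](?: on indices \\[([^\\]]*)\\])?' +
  ', this action is granted by the (index|cluster) privileges \\[([^\\]]*)\\]'
);

const splitList = (s) => (s ? s.split(',').map((x) => x.trim()).filter(Boolean) : []);

function parseDenial(line) {
  const m = DENIAL_RE.exec(line);
  if (!m) return null; // not an authorization denial in this format
  const [, rawAction, user, roles, indices, scope, grantedBy] = m;
  const proxied = rawAction.startsWith(PROXY_PREFIX);
  const inner = proxied ? rawAction.slice(PROXY_PREFIX.length) : rawAction;
  // Sub-actions carry a trailing "[phase/...]" suffix after the base action name.
  const sub = /^(.*?)\[([^\]]+)\]$/.exec(inner);
  return {
    user, scope, proxied,
    roles: splitList(roles),
    indices: splitList(indices),
    action: sub ? sub[1] : inner,
    phase: sub ? sub[2] : null,
    grantedBy: splitList(grantedBy),
  };
}

// Group denials by (user, roles, missing privileges) so each privilege gap shows once.
function summarize(lines) {
  const gaps = new Map();
  for (const d of lines.map(parseDenial).filter(Boolean)) {
    const key = [d.user, d.roles.join('+'), d.scope, d.grantedBy.join(',')].join('|');
    const entry = gaps.get(key) || { ...d, count: 0 };
    entry.count += 1;
    gaps.set(key, entry);
  }
  return [...gaps.values()];
}

const SAMPLE = [
  // From the issue's browser console error.
  'Error: EsError: action [internal:transport/proxy/indices:data/read/search[phase/query]] is unauthorized for user [viewer] with roles [viewer], this action is granted by the index privileges [read_cross_cluster,all]',
  // Constructed sample: same denial format without the proxy wrapper.
  'action [indices:data/read/search] is unauthorized for user [viewer] with roles [viewer], this action is granted by the index privileges [read,all]',
  // From the issue's server log: a different message format, so it is skipped.
  '[2022-07-21T11:38:15.474-04:00][WARN ][plugins.security.api-authorization] User not authorized for "/api/exception_lists": responding with 403',
];
```

For the line from this issue, `parseDenial` reports a proxied `indices:data/read/search` action in phase `phase/query` that the `viewer` role would need `read_cross_cluster` or `all` to perform.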