elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Management] Stack Management link shows when user has insufficient permissions #163180

Open alisonelizabeth opened 1 year ago

alisonelizabeth commented 1 year ago

Kibana version: 8.9.0

Describe the bug: The "Stack Management" link shows on the home page when the user does not have sufficient privileges to view the UIs under Stack Management.

Steps to reproduce:

  1. Set up a new Kibana space
  2. Create a new role
  3. Add the Kibana Dev Tools read privilege to the role
  4. Create a new user
  5. Assign role to the user
  6. Login with user

Expected behavior: Only the Dev Tools tile/links should show.

Screenshots (if relevant):

Screenshot 2023-08-04 at 11 04 57 AM

URL/error message when clicking from the home page

Screenshot 2023-08-04 at 11 05 50 AM

I would actually expect the link to go here (or not show at all)

Screenshot 2023-08-04 at 11 05 41 AM

Any additional context: Looks like this logic was originally added via https://github.com/elastic/kibana/pull/108580.

After a quick investigation, it looks like application.capabilities.navLinks.management returns true, which is unexpected. However, if you log application.capabilities.management, all plugins are marked as false (disabled).

Another interesting piece is that the actual link is wrong from the home page. If I go to the correct management link, I see the expected error message.

elasticmachine commented 1 year ago

Pinging @elastic/platform-deployment-management (Team:Deployment Management)

cleydyr commented 1 year ago

The logic behind allowing the Management item is that it's enabled if at least one of its subitems is enabled. In this case, DevTools is enabled. That's why I couldn't figure out if the problem is the link that doesn't open or if enabling it if at least one item is enabled is the correct logic.

alisonelizabeth commented 1 year ago

That's why I couldn't figure out if the problem is the link that doesn't open or if enabling it if at least one item is enabled is the correct logic.

I think we need to investigate this further. While Dev Tools is under "Management", it isn't under Stack Management, so I wouldn't expect us to render the link. The other behavior I noticed is that the link itself is wrong - it's /s/dev_tools/app/management when I would expect it to go to /app/management (possibly a non-issue if we're able to hide it).

cleydyr commented 1 year ago

Please notice that the behavior is the same on the left sidebar: if you have at least one item under Management (like Dev Tools), the Management item itself is clickable and will take you to the Stack Management home page. The Stack Management subitem doesn't have to appear under the Management item either.
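The two checks being compared in this thread, as an added TypeScript example that is not Kibana's own code: the "any sub-item enabled" rule that keeps the Management nav link on, beside a check that only looks at the Stack Management app capabilities themselves. The capability shapes are simplified assumptions, and the sample objects are constructed to match the reported role (Dev Tools read only) and a contrasting role that can see one Stack Management app.

```typescript
// Added example, not Kibana code. The shapes below are simplified
// assumptions about application.capabilities as discussed in this issue.
interface Capabilities {
  // navLinks: one boolean per top-level app link (assumed shape)
  navLinks: { [appId: string]: boolean };
  // management: section -> app -> enabled (assumed shape)
  management: { [section: string]: { [app: string]: boolean } };
  dev_tools: { show: boolean };
}

// Rule described in the thread: the Management item is enabled when at
// least one of its sub-items (Stack Management apps or Dev Tools) is enabled.
function managementItemEnabledByAnySubItem(caps: Capabilities): boolean {
  if (caps.dev_tools.show) {
    return true;
  }
  return hasEnabledStackManagementApp(caps);
}

// Narrower check: is any app *under Stack Management* actually enabled?
// This ignores Dev Tools, which lives under "Management" but not under
// Stack Management, so it matches the expected behavior from the report.
function hasEnabledStackManagementApp(caps: Capabilities): boolean {
  const sections = Object.keys(caps.management);
  for (const section of sections) {
    const apps = caps.management[section];
    const appIds = Object.keys(apps);
    for (const appId of appIds) {
      if (apps[appId] === true) {
        return true;
      }
    }
  }
  return false;
}

// Decision the home page tile should be based on (per the report): show
// Stack Management only when the user can open something inside it.
function shouldShowStackManagementTile(caps: Capabilities): boolean {
  return hasEnabledStackManagementApp(caps);
}

// Constructed sample 1: the role from the reproduction steps. Only Dev Tools
// read is granted; navLinks.management is still true (the reported symptom).
const DEV_TOOLS_ONLY_CAPS: Capabilities = {
  navLinks: { dev_tools: true, management: true },
  management: {
    data: { index_management: false, ingest_pipelines: false },
    kibana: { spaces: false, settings: false },
  },
  dev_tools: { show: true },
};

// Constructed sample 2: a role that can see one Stack Management app.
const INDEX_MANAGEMENT_CAPS: Capabilities = {
  navLinks: { dev_tools: false, management: true },
  management: {
    data: { index_management: true, ingest_pipelines: false },
    kibana: { spaces: false, settings: false },
  },
  dev_tools: { show: false },
};

// Stand-alone run: print both decisions for each sample.
for (const [label, caps] of [
  ['dev tools only', DEV_TOOLS_ONLY_CAPS],
  ['index management', INDEX_MANAGEMENT_CAPS],
] as Array<[string, Capabilities]>) {
  console.log(
    label,
    'navLinks.management =', caps.navLinks.management,
    'anySubItem =', managementItemEnabledByAnySubItem(caps),
    'showStackManagementTile =', shouldShowStackManagementTile(caps)
  );
}
```

For the Dev Tools-only role the "any sub-item" rule and navLinks.management both say true while the Stack Management check says false, which is the mismatch described above; for the second role all three agree.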

elasticmachine commented 5 hours ago

Pinging @elastic/kibana-management (Team:Kibana Management)