search

elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana
Other
19.7k stars 8.12k forks source link

Permission problem "*" vs "all" - Kibana report generation #170003

Open 3kt opened 10 months ago

3kt commented 10 months ago

Kibana version: 8.10.4

Elasticsearch version: 8.10.4

Server OS version: Ubuntu 20.04

Browser version: Brave 1.59.122

Browser OS version: MacOs Ventura 13.6

Original install method (e.g. download page, yum, from source, etc.): apt-get

Describe the bug:

The permissions listed in the documentation do not allow the generation of pdf reports with watcher. More precisely, the all permission on Kibana scope isn't enough, and * permission is required instead.

Steps to reproduce:

  1. Follow the documentation steps for reporting configuration and watcher automation configuration
  2. Manually run the watcher (POST /_watcher/watch/[watcher_id]/_execute), you will be greeted with a permission error:

image

  1. Extending the permissions to all on Kibana will not solve the issue:

    "applications": [
{
  "application": "kibana-.kibana",
  "privileges": [
    "all"
  ],
  "resources": [
    "*"
  ]
}
],

  2. However, granting * permission on Kibana will:

  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "*"
      ],
      "resources": [
        "*"
      ]
    }
  ],
image

Expected behavior: documentation should accurately list the required permissions, and all privilege should grant report generation permission.

Screenshots (if relevant): inline in steps description

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:

This has multiple layers to it:

  1. Documentation seems to be wrong / out of date
  2. Why does * permission grant accesses that all doesn't?
elasticmachine commented 10 months ago

Pinging @elastic/appex-sharedux (Team:SharedUX)

TheRiffRafi commented 9 months ago

Hello @3kt could you help us with some clarification on your reported config? Did you set the following option on the kibana.yml file before trying to access reporting with "All" privilege?

xpack.reporting.roles.enabled: false

It is the first config shown on the documentation you linked. I tried to reproduce the issue and I was seeing the same issue but I realized I hadn't set that Kibana option.

3kt commented 9 months ago

@TheRiffRafi Unfortunately I don't have access to the configuration anymore, as this was deployed by a customer...