elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Serverless Search Solution - users with insufficient privileges can access API key creation flyout #178785

Open jeramysoucy opened 7 months ago

jeramysoucy commented 7 months ago

Kibana version: Serverless Search Solution

Describe the bug: A user without any API key privileges can still access the createAPI key flyout via the home landing page in the "Add an API key" section. This is not currently an issue, as all predefined roles grant access to API keys. However, once custom roles are available, roles without any API key privileges will be possible.

Steps to reproduce:

  1. Add a role without any API key privileges to the roles.yml file. Example:

       tester:
         cluster: ['read_pipeline']
         indices:
           - names:
               - '*'
             privileges:
               - 'read'
               - 'view_index_metadata'
         applications:
           - application: 'kibana-.kibana'
             privileges:
               - 'read'
             resources:
               - '*'
  2. Start ES and Kibana in serverless es mode using the --ssl flag
  3. Log in as a test user with the role defined in step 1
  4. Navigate to the home page and click the New button in the "Add an API key" section
  5. Give the API key a name and click the Create API Key button

Expected behavior: The "Add an API key" section of the landing page should not be displayed to a user with no API key privileges.

Screenshots (if relevant):

Screenshot 2024-03-14 at 6 57 58 PM

Provide logs and/or server output (if relevant):

[2024-03-14T19:08:38.761-04:00][ERROR][plugins.security.authentication.api-key] Failed to create API key: security_exception
        Root causes:
                security_exception: action [cluster:admin/xpack/security/api_key/create] is unauthorized for user [test_user] with effective roles [tester], this action is granted by the cluster privileges [manage_own_api_key,manage_api_key,manage_security,all]
[2024-03-14T19:08:38.761-04:00][ERROR][http] 500 Server Error

jeramysoucy commented 5 months ago
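The expected behavior above, gating the "Add an API key" section on the user's effective cluster privileges, as an added example that is not Kibana's own code. It reuses the granting privilege list from the error message and the `tester` role from the report; the `key_owner` role, the roles-file shape and the other section names are constructed for the example.

```typescript
// Added example (not Kibana code): render the "Add an API key" section only
// when the user's effective roles actually grant the create-API-key action.

// Cluster privileges that Elasticsearch lists as granting
// cluster:admin/xpack/security/api_key/create (taken from the error in the report).
const API_KEY_CREATE_PRIVILEGES = ['manage_own_api_key', 'manage_api_key', 'manage_security', 'all'];

interface RoleDescriptor {
  cluster: string[]; // only the cluster section bears on this action
}

type RolesFile = Record<string, RoleDescriptor>;

// Constructed roles file: "tester" mirrors the role from the report,
// "key_owner" is a hypothetical role that may manage its own API keys.
const ROLES: RolesFile = {
  tester: { cluster: ['read_pipeline'] },
  key_owner: { cluster: ['manage_own_api_key'] },
};

// Union of cluster privileges over the user's effective roles. A role name
// missing from the roles file contributes nothing instead of throwing.
function effectiveClusterPrivileges(roles: RolesFile, effectiveRoles: string[]): string[] {
  const merged: string[] = [];
  effectiveRoles.forEach((name) => {
    const role = roles[name];
    if (!role) return;
    role.cluster.forEach((p) => {
      if (merged.indexOf(p) === -1) merged.push(p);
    });
  });
  return merged;
}

// True only if at least one effective role carries a granting privilege.
function canCreateApiKey(roles: RolesFile, effectiveRoles: string[]): boolean {
  const privs = effectiveClusterPrivileges(roles, effectiveRoles);
  return API_KEY_CREATE_PRIVILEGES.some((p) => privs.indexOf(p) !== -1);
}

// Sections to show on the landing page. The API key section is gated on the
// check above rather than shown unconditionally and failing server-side.
function landingPageSections(roles: RolesFile, effectiveRoles: string[]): string[] {
  const sections = ['Connect to your data', 'Explore your data']; // constructed names
  if (canCreateApiKey(roles, effectiveRoles)) sections.push('Add an API key');
  return sections;
}
```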

cc @sphilipse

sphilipse commented 5 months ago

Thanks for the report @jeramysoucy

sphilipse commented 1 week ago

This should be resolved

jeramysoucy commented 6 days ago

Thanks @sphilipse. I checked, and it looks like the landing page is completely new - it no longer has an API key section. I was also unable to access the API key flyout from management when logged in as a user without API key privileges. 👍

Which PR resolved this issue? I'd like to link it before I close this.