RCS 2.0 Role Management enhancements

legrego commented 1 week ago

A few followup enhancements to the role management screen to better support RCS 2.0. Here's a video of the current implementation, as implemented via https://github.com/elastic/kibana/issues/182035 / https://github.com/elastic/kibana/pull/182377

https://github.com/elastic/kibana/assets/165678770/d3cf8b9c-e83d-4ace-ba2e-f8e028977f2d

I propose:

Switching the order of Remote Index Privileges and Remote Cluster Privileges, to be more consistent with the local Cluster and Index privileges.
Change the description of Remove Cluster Privileges to align with the phrasing used for local cluster privileges: Control access to the data in remote clusters should read Manage the actions this role can perform in remote clusters
Update the remote cluster privilege dropdown to use the values provided by Elasticsearch, once available.

elasticmachine commented 1 week ago

Pinging @elastic/kibana-security (Team:Security)

legrego commented 5 days ago

Heya @MichaelMarcialis, we could use your expertise on some design options for remote cluster privileges. The Role Management interface will support the new remote cluster and remote index privileges, in order to enable the new security model for CCR/CCS: https://www.elastic.co/guide/en/elasticsearch/reference/master/remote-clusters-api-key.html#remote-clusters-privileges-api-key.

To support this, we've added a new set of input fields to allow adding multiple remote cluster privileges, and multiple remote index privileges:

Larry Gregory 2024-05-14 at 14 23 03

I apologize for not involving you sooner. The request to add each of these came to us at separate times, and individually we didn't feel they required design input given their relative simplicity.

We were discussing some options as a team, and wanted to get your thoughts:

Option 1: Leave as-is

Leave the input fields as shown in the screenshot.

Option 2: Swap order of fields

Switch the order of Remote Index and Remote Cluster inputs, so that it is consistent with the traditional cluster and index privileges. There are a few orders we could consider

Current Ordering:

Cluster
Run As
Index
Remote Index
Remote Cluster

Proposed Ordering A (swap remote cluster/remote index):

Cluster
Run As
Index
Remote Cluster
Remote Index

Proposed Ordering B (group cluster together; group index together):

Cluster
Remote Cluster
Run As
Index
Remote Index

The team tended to favor A over B.

Option 3: New Section

The new remote privileges reside within the Elasticsearch panel of the form. We could add a new top-level panel for remote privileges.

Current Layout:

Elasticsearch |- Cluster |- Run As |- Index |- Remote Index |- Remote Cluster
Kibana

Proposed Layout:

Elasticsearch |- Cluster |- Run As |- Index
Remote Elasticsearch |- Remote Cluster |- Remote Index
Kibana

Option 4: Your idea here

Feel free to suggest something else we haven't considered.

I am more than happy to discuss over zoom if that would be helpful. I wrote this all out to consolidate & record our other discussions.

elastic / kibana