Open bitzandeb opened 3 weeks ago
Pinging @elastic/kibana-security (Team:Security)
@bitzandeb thanks for raising this.
If I understand the ES proposal correctly, we need to be able to model the following states:
data
store
{ selectors: { data: true, failure: false } }
failure
store
{ selectors: { data: false, failure: true } }
data
and failure
store.
{ selectors: { data: true, failure: true } }
The logical 4th state is Index privileges which do not grant access to either the data
or failure
store, but I hope the ES APIs will disallow that scenario.
{ selectors: { data: false, failure: false } }
We can satisfy state 1 by leaving the slider unselected.
Depending on how we treat the selected state of the slider, I think we can model either state 2 or 3, but I don't see how we can support both with the proposed UI.
We just had some additional discussion about the failure store security model and it may be slightly different in the way roles manage its privileges. I'll loop you into the conversation to make sure you have the latest news.
See ES PR #114992
To support users gaining access to the failed document store via Discover, Kibana will need to recognize selectors as a part of authorization.
As well, the roles management UI should be updated to include the option to grant roles access to indices' associated failed documents.
When failure store access has been granted as a part of role configuration, a callout should notify users about the nature of failure store access.