elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Support failure store authorization in Kibana #198244

Open bitzandeb opened 2 days ago

bitzandeb commented 2 days ago

See ES PR #114992

To support users gaining access to the failed document store via Discover, Kibana will need to recognize selectors as a part of authorization.

As well, the roles management UI should be updated to include the option to grant roles access to indices' associated failed documents.

When failure store access has been granted as a part of role configuration, a callout should notify users about the nature of failure store access.

elasticmachine commented 2 days ago

Pinging @elastic/kibana-security (Team:Security)

legrego commented 2 days ago

@bitzandeb thanks for raising this.

If I understand the ES proposal correctly, we need to be able to model the following states:

  1. Index privileges which only grant access to the data store
    { selectors: { data: true, failure: false } }
  2. Index privileges which only grant access to the failure store
    { selectors: { data: false, failure: true } }
  3. Index privileges which grant access to both the data and failure store.
    { selectors: { data: true, failure: true } }

The logical 4th state is Index privileges which do not grant access to either the data or failure store, but I hope the ES APIs will disallow that scenario.

{ selectors: { data: false, failure: false } }

We can satisfy state 1 by leaving the slider unselected.

Depending on how we treat the selected state of the slider, I think we can model either state 2 or 3, but I don't see how we can support both with the proposed UI.
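
The modelling gap described in the comment above, worked through as an added example (not part of the thread, and not Kibana or Elasticsearch code). The `Selectors` shape is copied from the states listed in the comment; every function name, both slider interpretations, and the per-store checkbox alternative are assumptions made for illustration.

```typescript
// Hypothetical shape taken from the states listed in the comment above;
// not a confirmed Elasticsearch or Kibana API.
interface Selectors {
  data: boolean;
  failure: boolean;
}

// The three states the comment says must be representable.
const REQUIRED_STATES: Selectors[] = [
  { data: true, failure: false }, // 1. data store only
  { data: false, failure: true }, // 2. failure store only
  { data: true, failure: true }, // 3. both stores
];

const key = (s: Selectors): string => `${s.data}/${s.failure}`;

// Reject the fourth state: an index privilege that grants neither store.
function isValidSelectors(s: Selectors): boolean {
  return s.data || s.failure;
}

// Two possible readings of the single slider (both assumptions).
// In either reading, the unselected slider yields state 1.
type SliderMapping = (selected: boolean) => Selectors;
const sliderAddsFailure: SliderMapping = (selected) => ({ data: true, failure: selected });
const sliderSwitchesToFailure: SliderMapping = (selected) => ({ data: !selected, failure: selected });

// Required states that a given slider reading can never produce.
function unreachableStates(mapping: SliderMapping): Selectors[] {
  const reachable = new Set([false, true].map((v) => key(mapping(v))));
  return REQUIRED_STATES.filter((s) => !reachable.has(key(s)));
}

// Hypothetical alternative, not proposed in the thread: one checkbox per store.
// It reaches all three required states but can also express the empty grant,
// so the form would have to validate before saving.
function checkboxStates(): { valid: Selectors[]; rejected: Selectors[] } {
  const all: Selectors[] = [];
  for (const data of [false, true]) {
    for (const failure of [false, true]) all.push({ data, failure });
  }
  return {
    valid: all.filter(isValidSelectors),
    rejected: all.filter((s) => !isValidSelectors(s)),
  };
}
```

Each slider reading leaves exactly one required state unreachable: state 2 when the slider adds failure store access, state 3 when it switches to failure store access.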

bytebilly commented 2 days ago

We just had some additional discussion about the failure store security model and it may be slightly different in the way roles manage its privileges. I'll loop you into the conversation to make sure you have the latest news.