elasticmachine
commented
2 days ago Pinging @elastic/kibana-security (Team:Security)
Open bitzandeb opened 2 days ago
elasticmachine
commented
2 days ago Pinging @elastic/kibana-security (Team:Security)
legrego
commented
2 days ago @bitzandeb thanks for raising this.
If I understand the ES proposal correctly, we need to be able to model the following states:
data store
{ selectors: { data: true, failure: false } }failure store
{ selectors: { data: false, failure: true } }data and failure store.
{ selectors: { data: true, failure: true } }The logical 4th state is Index privileges which do not grant access to either the data or failure store, but I hope the ES APIs will disallow that scenario.
{ selectors: { data: false, failure: false } }We can satisfy state 1 by leaving the slider unselected.
Depending on how we treat the selected state of the slider, I think we can model either state 2 or 3, but I don't see how we can support both with the proposed UI.
bytebilly
commented
2 days ago We just had some additional discussion about the failure store security model and it may be slightly different in the way roles manage its privileges. I'll loop you into the conversation to make sure you have the latest news.
See ES PR #114992
To support users gaining access to the failed document store via Discover, Kibana will need to recognize selectors as a part of authorization.
As well, the roles management UI should be updated to include the option to grant roles access to indices' associated failed documents.
When failure store access has been granted as a part of role configuration, a callout should notify users about the nature of failure store access.