Open legrego opened 4 years ago
Pinging @elastic/kibana-security (Team:Security)
> a) Paid authentication providers (SAML, OIDC, Kerberos, PKI). It might suffice to rely on Elasticsearch for this check, although a better UX would be to mark them as disabled in the access agreement UI. See also #60337, #34592
That's a good idea (assuming you meant access agreement UI ---> login selector UI)! And we also should figure out a way to display something like this when Login Selector isn't enabled (e.g. when users have just SAML and don't need login selector).
> That's a good idea (assuming you meant access agreement UI ---> login selector UI)!
Yup, good catch. I updated the original description 😄
> And we also should figure out a way to display something like this when Login Selector isn't enabled (e.g. when users have just SAML and don't need login selector).
Yes that's a great call!
Many of our security features are available for free under Elastic's Basic License, but some of the more complex or esoteric features are only available under a paid license.
We have historically been lenient at best, and inconsistent at worst when licenses expire. We should research and remediate any shortcomings we have with respect to license enforcement. Specifically:
1) When a license expires, ensure that all features licensed under our Basic (free) tier continue to function without restrictions.
   a) User Management
   b) Role Management, without sub-feature privileges
   c) Authentication via our `basic` and `token` auth providers
2) When a license expires, ensure that all paid features stop working. This includes, but is not limited to the following:
   a) Paid authentication providers (SAML, OIDC, Kerberos, PKI). It might suffice to rely on Elasticsearch for this check, although a better UX would be to mark them as disabled in the ~access agreement~ login selector UI. See also https://github.com/elastic/kibana/issues/60337, https://github.com/elastic/kibana/issues/34592
   b) Access Agreement UI: should no longer be part of the login flow
   c) Sub-feature privileges: should no longer be configurable. I believe this is already resolved, just mentioning it for completeness
   d) Role Mappings UI: should no longer be visible under the Stack Management application. I believe this is already resolved, just mentioning it for completeness