elasticmachine
commented
3 years ago Pinging @elastic/es-ui (Team:Elasticsearch UI)
Open alisonelizabeth opened 3 years ago
elasticmachine
commented
3 years ago Pinging @elastic/es-ui (Team:Elasticsearch UI)
elasticmachine
commented
2 weeks ago Pinging @elastic/kibana-management (Team:Kibana Management)
Problem
A majority of our apps do not have fine-grained privilege controls. For example, a user might only have a read privilege for an application, but create/update/delete actions would still display in the UI. A user could attempt to perform an action, but ultimately get back a 403 response from Elasticsearch. It is poor UX to present an action to a user that they ultimately do not have permissions for. It also leads to an unnecessary HTTP request; if we know the permissions up front, we can hide any actions that are not permissible and not allow the request to proceed.
On the flip side, sometimes we have defined “required” privileges in an app when in fact not all are required to use parts of the application. For example, Ingest Node Pipelines currently requires
manage_ingest_pipelinesandcluster:monitor/nodes/infocluster privileges. However,cluster:monitor/nodes/infois only necessary to create or update a pipeline (https://github.com/elastic/kibana/pull/63850#issuecomment-617697036). We should not block a user from viewing the list of pipelines in the UI in this scenario.More holistically speaking, we have not done a great job at testing our existing privileges support, and some apps are not even accounting for privileges. For example, CCR requires an unnecessary privilege (https://github.com/elastic/kibana/issues/76690), while composable (v2) templates does not check for privileges though it requires the
manage_index_templatesprivilege. Some apps are also using a one-off approach and not utilizing the shared authorization library. See more details below.What we currently support
There is existing support for privileges to an extent:
es_ui_sharedthat provides a common way to fetch privileges and display a "not authorized" prompt (https://github.com/elastic/kibana/pull/40150, https://github.com/elastic/kibana/pull/63947)Proposal
Move to a more uniform and granular approach to prevent user actions in the UI when permissions aren't valid. We should not show actions in the UI that a user does not have permission to execute on, and we should not block the entire UI if the user only has read privileges. We should build upon the existing authorization library so apps follow a consistent approach.
As part of this work, we could also consider rendering a callout that indicates certain tasks that are not allowed in the UI due to missing privileges.
Rough example:
** Should consider if this approach is too obtrusive, or, at the least, add the ability to hide or collapse the callout.
As part of this effort, we will first need to do an audit of our existing apps in order to determine the proper privileges, as well as make an assessment whether it's worth the effort to invest in all of our apps, or if some should take precedence over others. Updating the documentation to reflect security restraints should also be included as part of this work.
Related issues
There are a number of related issues open that should be addressed as part of this work.