
Reporting custom logo does not work without direct access to .kibana index #26760

Closed
legrego opened this issue Dec 6, 2018 · 3 comments
Labels
bug Fixes for quality problems that affect the customer experience (Deprecated) Feature:Reporting Use Reporting:Screenshot, Reporting:CSV, or Reporting:Framework instead Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments


legrego commented Dec 6, 2018

Kibana version: 6.5.0

Describe the bug:
Users without direct access to the .kibana index do not see the custom reporting logo. Instead, these users are falling back to the default reporting logo.

Root cause:
We retrieve the custom logo using the UI Settings service, which requires an instance of the Saved Objects Client. When constructing the Saved Objects Client, the security wrapper checks to see if the RBAC authorization mode should be used, or if the legacy authorization mode should be used. This check relies on the auth mode being initialized.

Since the "request" used to retrieve the custom logo is fake, it never has a chance to initialize, so the authorization mode is always set to legacy. Since the user does not have direct access to the .kibana index, the legacy auth fails when we try to retrieve the custom logo.

Steps to reproduce:

  1. Create a space, and assign a custom pdf logo in that space's advanced settings.
  2. Create role with access to the space created in step 1. Do not grant access to the .kibana index.
  3. Create user, and assign role created in step 2 along with the reporting_user role.
  4. Log in as this user, and generate a PDF report.

Expected behavior:
The generated report should include the custom logo created in step 1 above, instead of the default PDF logo.

Any additional context:
Reported via https://discuss.elastic.co/t/x-pack-kibana-user-role-conflicting-with-spaces-permissions/159676

@legrego legrego added bug Fixes for quality problems that affect the customer experience Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! (Deprecated) Feature:Reporting Use Reporting:Screenshot, Reporting:CSV, or Reporting:Framework instead labels Dec 6, 2018
@elasticmachine

Pinging @elastic/kibana-security


legrego commented Dec 6, 2018

Note: a similar problem happens with CSV reports as well -- custom values for csv:quoteValues and csv:separator are not respected without direct access to the .kibana index.
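The root cause in the issue body and the CSV follow-up above describe the same failure: the security wrapper picks the authorization mode from per-request state that only a real, authenticated request ever populates, so the synthetic request Reporting uses to read UI settings silently resolves to legacy mode and is denied unless the user also holds `.kibana` index privileges. The following is an added toy model of that behaviour, not Kibana's code: the users, spaces, setting values and the `initializeAuthMode` / `useRbac*` helpers are constructed for illustration, and only the three setting keys match the ones Reporting reads. The "fixed" variant initializes the mode on demand rather than inferring one from missing state.

```javascript
// Added example (not Kibana's code): models the auth-mode fallback described
// in the issue for both the PDF logo and the CSV settings.
// Everything here is constructed except the setting key names.

const AUTH_MODE = Symbol('authMode'); // hypothetical per-request marker

// Constructed users: one authorized only through RBAC (space privileges),
// one authorized only through legacy index privileges on .kibana.
const USERS = {
  alice: { rbacSpaces: ['marketing'], indexPrivileges: [] },
  bob: { rbacSpaces: [], indexPrivileges: ['.kibana'] },
};

// Constructed per-space advanced settings (what would live in .kibana).
const UI_SETTINGS = {
  marketing: {
    'xpackReporting:customPdfLogo': 'marketing-logo.png',
    'csv:separator': ';',
    'csv:quoteValues': false,
  },
};

// Defaults Reporting falls back to when the setting cannot be read.
const DEFAULTS = {
  'xpackReporting:customPdfLogo': 'default-logo.png',
  'csv:separator': ',',
  'csv:quoteValues': true,
};

// The initialization step an authenticated request goes through during auth.
function initializeAuthMode(request) {
  request[AUTH_MODE] = request.user.rbacSpaces.length > 0 ? 'rbac' : 'legacy';
}

// Buggy mode check: a request that was never initialized (the fake one
// Reporting builds) reads as legacy, because the marker is simply absent.
function useRbacBuggy(request) {
  return request[AUTH_MODE] === 'rbac';
}

// Fixed mode check: resolve the mode on demand instead of inferring it from
// missing state, so a synthetic request resolves the same way a real one does.
function useRbacFixed(request) {
  if (!(AUTH_MODE in request)) initializeAuthMode(request);
  return request[AUTH_MODE] === 'rbac';
}

// Security wrapper around the saved-objects read behind the UI Settings service.
// RBAC mode checks space privileges; legacy mode checks .kibana index access.
function readUiSetting(request, key, useRbac) {
  const { user, space } = request;
  const authorized = useRbac(request)
    ? user.rbacSpaces.includes(space)
    : user.indexPrivileges.includes('.kibana');
  if (!authorized) throw new Error(`forbidden: ${key}`);
  const value = (UI_SETTINGS[space] || {})[key];
  return value === undefined ? DEFAULTS[key] : value;
}

// Reporting reads settings through a fake request that is never authenticated,
// and swallows any error by returning the default value.
function reportingSetting(username, space, key, useRbac) {
  const fakeRequest = { user: USERS[username], space, fake: true };
  try {
    return readUiSetting(fakeRequest, key, useRbac);
  } catch (err) {
    return DEFAULTS[key];
  }
}

// Stand-alone demo: alice (RBAC only) gets defaults with the buggy check
// and her space's values with the fixed one.
console.log(reportingSetting('alice', 'marketing', 'xpackReporting:customPdfLogo', useRbacBuggy));
console.log(reportingSetting('alice', 'marketing', 'xpackReporting:customPdfLogo', useRbacFixed));
```

The point worth carrying away is the detection angle: a user who holds the correct space privileges but still sees default logos or separators is a sign that some code path mints requests that skip the normal authorization setup, and the same gap would apply to any other setting read through that path.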


legrego commented Dec 10, 2018

Fix will be available starting with v6.5.4
