Reporting custom logo does not work without direct access to .kibana
index
#26760
Labels
bug
Fixes for quality problems that affect the customer experience
(Deprecated) Feature:Reporting
Use Reporting:Screenshot, Reporting:CSV, or Reporting:Framework instead
Team:Security
Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Kibana version: 6.5.0
Describe the bug:
Users without direct access to the
.kibana
index do not see the custom reporting logo. Instead, these users are falling back to the default reporting logo.Root cause:
We retrieve the custom logo using the UI Settings service, which requires an instance of the Saved Objects Client. When constructing the Saved Objects Client, the security wrapper checks to see if the RBAC authorization mode should be used, or if the legacy authorization mode should be used. This check relies on the auth mode being initialized.
Since the "request" used to retrieve the custom logo is fake, it never has a chance to initialize, so the authorization mode is always set to legacy. Since the user does not have direct access to the
.kibana
index, the legacy auth fails when we try to retrieve the custom logo.Steps to reproduce:
.kibana
index.reporting_user
role.Expected behavior:
The generated report should include the custom logo created in step 1 above, instead of the default pdf logo.
Any additional context:
Reported via https://discuss.elastic.co/t/x-pack-kibana-user-role-conflicting-with-spaces-permissions/159676
The text was updated successfully, but these errors were encountered: