[Maps] Appropriately handle data access in UI #30310

Closed
alexfrancoeur opened this issue Feb 6, 2019 · 7 comments
Labels
- [Deprecated-Use Team:Presentation]Team:Geo: Former Team Label for Geo Team. Now use Team:Presentation
- Team:Security: Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments


alexfrancoeur commented Feb 6, 2019

It seems we're exposing sensitive information to users that do not have access to the data. I'm testing this on a recent 6.7 Cloud staging snapshot. When defining a role that only has access to the kibana_sample_data_ecommerce index I'm able to see fields within the kibana_sample_data_flights index. I would imagine this is sensitive information as it provides insight into the structure of the document. Below you'll find a screenshot of the role defined and the data we're showing in maps.

eCommerce / Maps space role for a user:

image

Flight Sample Data Map:

image

image

Separately, when landing on this view without access to the data, it looks as if it's just an empty map or there was an error loading the data. With Kibana visualizations we show a "no data" error. I feel like we somehow need to communicate that either data is not loaded or that the user does not have access to the data that's driving the map and/or layers.

alexfrancoeur added the bug, Team:Security, and [Deprecated-Use Team:Presentation]Team:Geo labels Feb 6, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-security

@elasticmachine
Contributor

Pinging @elastic/kibana-gis

@alexfrancoeur
Author

I'm not sure what the experience is normally for showing index patterns if you don't have access to the underlying data, but we are showing all three as well.

image

Contributor

nreese commented Feb 6, 2019

> I'm not sure what the experience is normally for showing index patterns if you don't have access to the underlying data, but we are showing all three as well

@alexfrancoeur We are just using the IndexPattern service. Are the index patterns visible if you tried to create a new visualization or in the Controls index pattern select?

Author

alexfrancoeur commented Feb 6, 2019

@nreese I was just about to add a comment and remove the bug status. The Index Pattern service shows both index patterns and fields that are available within them for building visualizations. This is not unique to Maps. I'm happy to close this out and open a separate issue for better handling an "empty map".

@kobelb do you know if we're doing anything in the future to handle this? Would OLS handle this? Seems like we're showcasing sensitive information.

alexfrancoeur removed the bug label Feb 6, 2019
Contributor

nreese commented Feb 6, 2019

@alexfrancoeur I would recommend closing this issue or re-labeling it as an issue about the IndexPattern service.

@alexfrancoeur
Author

Closing this issue out. I'll open subsequent issues later.
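
An added example, not part of the thread and not Kibana's code: a small audit check for the situation discussed above, listing index patterns whose stored field list is shown to a role that cannot read the underlying index. The role and index-pattern object shapes, the field names, the wildcard pattern, and all function names are assumptions made for illustration.

```javascript
// Added example. Object shapes and field names are constructed for illustration;
// they are not Kibana's saved-object schema or the sample data's real mappings.
const READ_GRANTING = new Set(['read', 'all']); // index privileges that allow search

// Turn a role's index name (which may contain *) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// True when a read-granting entry of the role matches the target. A * in the
// target is compared as a literal character, so a role glob matches only when it
// is at least as broad as the index pattern (partial coverage is not coverage).
function roleCanRead(role, target) {
  return role.indices.some(
    (entry) =>
      entry.privileges.some((p) => READ_GRANTING.has(p)) &&
      entry.names.some((name) => globToRegExp(name).test(target))
  );
}

// Index patterns (titles may be comma-separated) the role cannot fully read,
// together with the field names that are still shown to it.
function findExposedPatterns(role, indexPatterns) {
  return indexPatterns
    .filter((ip) => !ip.title.split(',').every((t) => roleCanRead(role, t.trim())))
    .map((ip) => ({ title: ip.title, exposedFields: ip.fields }));
}

// Constructed role, modelled on the one in the report: read access to one index.
const sampleRole = {
  name: 'ecommerce_maps',
  indices: [{ names: ['kibana_sample_data_ecommerce'], privileges: ['read'] }],
};

// Constructed index patterns visible in the space; field names are placeholders.
const samplePatterns = [
  { title: 'kibana_sample_data_ecommerce', fields: ['field_a', 'geo_field_a'] },
  { title: 'kibana_sample_data_flights', fields: ['field_b', 'geo_field_b'] },
  { title: 'kibana_sample_data_*', fields: ['field_a', 'field_b'] },
];

for (const hit of findExposedPatterns(sampleRole, samplePatterns)) {
  console.log(`${hit.title}: ${hit.exposedFields.join(', ')}`);
}
```

The check is conservative: a wildcard index pattern is reported unless a single role entry is at least as broad as the whole pattern.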
