Resolves UI Breaks from Malformed Roles #131915

Merged

jeramysoucy
Contributor

@jeramysoucy jeramysoucy commented May 10, 2022

Resolves #124808 where malformed Elasticsearch roles cause Kibana users and roles UIs to not display correctly.

Overview

This PR adds a catch for exceptions thrown in deserialization of Elasticsearch roles during transformation into Kibana format. This provides an additional case to set the transform success flag to false and return from the operation gracefully when a malformed role is encountered, keeping the Kibana Roles and Users UIs intact.

This PR also adds an additional logger parameter to the transform functions, allowing the details of a thrown exception to be logged where previously only a generic message would appear to the Kibana user.

Add "feature_securitySolutionCases.a;;" to a user role
Apply the user role via API
Try to go to Management > Security > Roles or to Management > Security > Users
An error will be illustrated bottom right of the screen

Testing

  1. Use the Kibana Dev Console to add a 'test' role with a malformed privilege.

PUT /_security/role/test
{
  "cluster": [],
  "indices": [],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_securitySolutionCases.a;;"
      ],
      "resources": [
        "*"
      ]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}

  2. Verify the Stack Management > Security > Users screen renders and operates without issue.
  3. Verify the Stack Management > Security > Roles screen renders and operates without issue.
  4. Verify the new 'test' role is displayed and can be selected.
  5. Select the 'test' role. Verify that in the Kibana section of the Edit Role UI a message is displayed informing the user that the role is malformed.

6. Delete the 'test' role.
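
The behaviour described in the overview, as an added TypeScript sketch that is not code from this PR or from Kibana: a privilege deserializer that throws on a malformed string, and a role transform that catches the error, logs it and reports `success: false` so the remaining roles still list. The privilege pattern, the type shapes, the 'analyst' sample role and the names `transformRole`, `transformAll` and `logError` are assumptions made for the illustration.

```typescript
// Added illustration: simplified stand-ins, not Kibana's PrivilegeSerializer or role transform.
type EsRole = { name: string; applications: { application: string; privileges: string[] }[] };
type TransformResult =
  | { success: true; base: string[]; feature: Record<string, string[]> }
  | { success: false };

// Assumed serialized form of a feature privilege: feature_<featureId>.<privilegeId>
const FEATURE_PRIVILEGE = /^feature_([a-zA-Z0-9_-]+)\.([a-zA-Z0-9_-]+)$/;

function deserializeFeaturePrivilege(serialized: string): { featureId: string; privilege: string } {
  const match = FEATURE_PRIVILEGE.exec(serialized);
  if (!match) {
    throw new Error(`Feature privilege '${serialized}' didn't match pattern`);
  }
  return { featureId: match[1] ?? '', privilege: match[2] ?? '' };
}

function transformRole(role: EsRole, logError: (msg: string) => void): TransformResult {
  try {
    const base: string[] = [];
    const feature: Record<string, string[]> = {};
    for (const app of role.applications) {
      for (const serialized of app.privileges) {
        if (!/^feature_/.test(serialized)) {
          base.push(serialized);
          continue;
        }
        const parsed = deserializeFeaturePrivilege(serialized);
        feature[parsed.featureId] = (feature[parsed.featureId] ?? []).concat(parsed.privilege);
      }
    }
    return { success: true, base, feature };
  } catch (e) {
    // The message embeds text taken from the role, so strip control characters before logging.
    const detail = (e instanceof Error ? e.message : String(e)).replace(/[\x00-\x1f\x7f]/g, '?');
    logError(`Error transforming Elasticsearch role '${role.name}': ${detail}`);
    return { success: false }; // caller renders this role as malformed; the listing continues
  }
}

// Constructed input: one well-formed role and the 'test' role from the steps above.
function transformAll(logError: (msg: string) => void): { name: string; result: TransformResult }[] {
  const kibana = 'kibana-.kibana';
  const roles: EsRole[] = [
    { name: 'analyst', applications: [{ application: kibana, privileges: ['feature_discover.read'] }] },
    { name: 'test', applications: [{ application: kibana, privileges: ['feature_securitySolutionCases.a;;'] }] },
  ];
  return roles.map((role) => ({ name: role.name, result: transformRole(role, logError) }));
}
```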

… to role transform function.

Resolves 124808 where malformed Elasticsearch roles cause Kibana users and roles UIs to not display correctly.
@jeramysoucy jeramysoucy added release_note:fix Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.3.0 v8.2.1 labels May 10, 2022
@kibana-ci
Collaborator

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@jeramysoucy jeramysoucy added the auto-backport Deprecated - use backport:version if exact versions are needed label May 12, 2022
@jeramysoucy jeramysoucy marked this pull request as ready for review May 12, 2022 05:30
@jeramysoucy jeramysoucy requested a review from a team as a code owner May 12, 2022 05:30
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@azasypkin
Member

ACK: will review today

Member

@azasypkin azasypkin left a comment

Looks great, thank you for the exemplary PR i.e. clear and detailed description, steps to verify changes, unit tests and logs!

Note: I think we should backport this fix to 7.17 as well.

value: transformResult,
};
} catch (e) {
logger.error(`Error transforming Elasticsearch role: ${getDetailedErrorMessage(e)}`);
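
Review bot: the `logger.error` message in the catch block does not say which role failed, so when a list of roles is transformed an operator cannot tell from the log line which role to repair; include the role name in the message if it is available in this scope. The bare `catch (e)` also reports every exception raised inside the try body as a role transform error, so keep the try body limited to the deserialization and result construction, otherwise an unrelated defect will be logged and surfaced to the user as a malformed role.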
Member

Thanks for adding logs! These are immensely helpful when we need to debug anything like this in production.

@jeramysoucy jeramysoucy merged commit f4eb311 into elastic:main May 12, 2022
@kibanamachine
Contributor

💔 All backports failed

Status Branch Result
8.2 Backport failed because of merge conflicts
7.17 Backport failed because of merge conflicts

Manual backport

To create the backport manually run:

node scripts/backport --pr 131915

Questions ?

Please refer to the Backport tool documentation

jeramysoucy added a commit to jeramysoucy/kibana that referenced this pull request May 12, 2022
* Adds catch of exceptions from PrivilegeSerializer deserialize methods to role transform function.
Resolves 124808 where malformed Elasticsearch roles cause Kibana users and roles UIs to not display correctly.

* Adds logger to role transform functions

* File accidentally not saved prior to last commit

(cherry picked from commit f4eb311)

# Conflicts:
#	x-pack/plugins/security/server/authorization/roles/elasticsearch_role.test.ts
#	x-pack/plugins/security/server/authorization/roles/elasticsearch_role.ts
jeramysoucy added a commit to jeramysoucy/kibana that referenced this pull request May 12, 2022
* Adds catch of exceptions from PrivilegeSerializer deserialize methods to role transform function.
Resolves 124808 where malformed Elasticsearch roles cause Kibana users and roles UIs to not display correctly.

* Adds logger to role transform functions

* File accidentally not saved prior to last commit

(cherry picked from commit f4eb311)

# Conflicts:
#	x-pack/plugins/security/server/authorization/roles/elasticsearch_role.test.ts
#	x-pack/plugins/security/server/authorization/roles/elasticsearch_role.ts
#	x-pack/plugins/security/server/routes/authorization/roles/get.ts
#	x-pack/plugins/security/server/routes/authorization/roles/get_all.ts
Bamieh pushed a commit to Bamieh/kibana that referenced this pull request May 16, 2022
* Adds catch of exceptions from PrivilegeSerializer deserialize methods to role transform function.
Resolves 124808 where malformed Elasticsearch roles cause Kibana users and roles UIs to not display correctly.

* Adds logger to role transform functions

* File accidentally not saved prior to last commit
@kibanamachine kibanamachine added the backport missing Added to PRs automatically when the are determined to be missing a backport. label May 16, 2022
@kibanamachine
Contributor

Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync.

jeramysoucy added a commit that referenced this pull request May 16, 2022
* Resolves UI Breaks from Malformed Roles (#131915)

* Adds catch of exceptions from PrivilegeSerializer deserialize methods to role transform function.
Resolves 124808 where malformed Elasticsearch roles cause Kibana users and roles UIs to not display correctly.

* Adds logger to role transform functions

* File accidentally not saved prior to last commit

(cherry picked from commit f4eb311)

# Conflicts:
#	x-pack/plugins/security/server/authorization/roles/elasticsearch_role.test.ts
#	x-pack/plugins/security/server/authorization/roles/elasticsearch_role.ts

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Fix import and linting errors.

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
@kibanamachine kibanamachine removed the backport missing Added to PRs automatically when the are determined to be missing a backport. label May 16, 2022
jeramysoucy added a commit that referenced this pull request May 16, 2022
* Resolves UI Breaks from Malformed Roles (#131915)

* Adds catch of exceptions from PrivilegeSerializer deserialize methods to role transform function.
Resolves 124808 where malformed Elasticsearch roles cause Kibana users and roles UIs to not display correctly.

* Adds logger to role transform functions

* File accidentally not saved prior to last commit

(cherry picked from commit f4eb311)

# Conflicts:
#	x-pack/plugins/security/server/authorization/roles/elasticsearch_role.test.ts
#	x-pack/plugins/security/server/authorization/roles/elasticsearch_role.ts
#	x-pack/plugins/security/server/routes/authorization/roles/get.ts
#	x-pack/plugins/security/server/routes/authorization/roles/get_all.ts

* Fixed import and test issues.
Labels
auto-backport Deprecated - use backport:version if exact versions are needed Feature:Users/Roles/API Keys release_note:fix Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.17.4 v8.2.1 v8.3.0
Development

Successfully merging this pull request may close these issues.

Kibana Users and Roles UI Breaks with Malformed Roles
5 participants