Beginning to use the ES APIs to insert/check privileges #18645
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
legrego
reviewed
Apr 30, 2018
| @@ -48,8 +50,7 @@ export class SecureSavedObjectsClient { | |||
| } | |||
|
|
|||
| async find(options = {}) { | |||
| // TODO(legrego) - need to constrain which types users can search for... | |||
| await this._performAuthorizationCheck(null, 'search', null, options); | |||
| await this._performAuthorizationCheck(options.type, 'search', null, options); | |||
There was a problem hiding this comment.
Is options.type a required search property? If not, what happens within this._performAuthorizationCheck when a type isn't provided?
There was a problem hiding this comment.
I still need to track down all the usages, the basic features that I've tested provide the options.type, and if they don't it's not going to authorize them
There was a problem hiding this comment.
Have you come across any where we aren't providing this?
| @@ -75,22 +76,21 @@ export class SecureSavedObjectsClient { | |||
| } | |||
|
|
|||
| async _performAuthorizationCheck(type, action, attributes = {}, options = {}) { // eslint-disable-line no-unused-vars | |||
There was a problem hiding this comment.
We might be able to remove attributes and options now. It doesn't look like we'll need them.
There was a problem hiding this comment.
Awesome, I'll remove it for the time being and we can add it back if we need to.
| { | ||
| application, | ||
| privileges: [ privilege ], | ||
| resources: [ 'default' ] |
There was a problem hiding this comment.
Do you have any thoughts yet on how we'd make this space aware? We don't need a solution for phase 1, but what do you think about parameterizing or abstracting this piece?
There was a problem hiding this comment.
I've been delaying that for the moment, and have 'default' hard-coded a few places. We can introduce a constant that we use for this at the moment, a bunch of stuff is going to likely change once we become space aware but we'll likely still need the constant around because we'll be treating the default space "special" when it comes to routing and behaving without spaces.
5 tasks
application privileges
legrego
reviewed
May 15, 2018
| return applicationPrivileges; | ||
| } | ||
|
|
||
| const applications = role.applications.filter(x => x.application === application && x.resources.includes(DEFAULT_RESOURCE)); |
There was a problem hiding this comment.
Is the DEFAULT_RESOURCE check only in place until Spaces are implemented?
There was a problem hiding this comment.
I was initially going to try to leave the non-default privilege assignments in place, and this is a remnant of that. I'll go ahead and remove it, I'm not fond of the approach any longer.
| @@ -7,13 +7,13 @@ | |||
| /*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements. | |||
| * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */ | |||
|
|
|||
| export function secureSavedObjectsClientOptionsBuilder(server, options) { | |||
| export function secureSavedObjectsClientOptionsBuilder(server, requestHasPrivileges, options) { | |||
There was a problem hiding this comment.
What was your rationale for making this a named parameter, rather than putting it within the options bag? I'm fine with either, just curious. It eventually makes its way into the Saved Object Client's options one way or another
There was a problem hiding this comment.
I was attempting to follow the convention that you established by passing it the server as a separate parameter. That way the options parameter is the unmodified options that would normally be passed to the SavedObjectClient and we're supplementing it with additional values all inside the secureSavedObjectsClientOptionsBuilder.
When implementing this, I began to question the benefit of the secureSavedObjectsClientOptionsBuilder function and at one point considered inlining the whole thing, but decided on holding off on doing so since you wrote the initial implementation and saw the merit of having it a separate function.
There was a problem hiding this comment.
Well I can't fault you there then 😄
In a perfect world, we would not need the secureSavedObjectsClientOptionsBuilder, but we require this because the options that come out of these builders are passed to the base OSS SavedObjectsClient, and the security plugin needs to swap out the default callCluster implementation when RBAC is enabled (callWithInternalUser vs callWithRequest).
The SOC wrappers don't have the ability to modify the original set of options, which is where these builders come in to play.
There was a problem hiding this comment.
Gotcha, when I mentioned inlining it earlier, I meant something similar to the following in the security/index.js:
savedObjectsClientProvider.addClientOptionBuilder(options => {
const adminCluster = server.plugins.elasticsearch.getCluster('admin');
const { callWithInternalUser } = adminCluster;
return {
...options,
callCluster: callWithInternalUser,
requestHasPrivileges
};
});
There was a problem hiding this comment.
Ah I'm with you now, sorry... I split that out because it seemed like the security plugin's index.js overall did a decent job of not having a lot of its own logic, so I was trying not to throw too much in there. I'm not married to that approach though, so if you think it's clearer to inline, go for it
There was a problem hiding this comment.
I don't feel too strongly either way at this point, I think it all depends on how we surface the hasPrivileges check to other consumers, which I've put off deciding at this moment.
| @@ -56,7 +70,7 @@ <h1 class="kuiTitle"> | |||
| ng-model="role.name" | |||
| required | |||
| pattern="[a-zA-Z_][a-zA-Z0-9_@\-\$\.]*" | |||
| maxlength="30" | |||
There was a problem hiding this comment.
It looks like ES supports role names up to 1024 characters. Is there a reason we don't mirror that on the Kibana side?
There was a problem hiding this comment.
Not a good one! I have an excuse but I won't bore you with it.
| $scope.rbacEnabled = rbacEnabled; | ||
| const kibanaPrivileges = $route.current.locals.kibanaPrivileges; |
There was a problem hiding this comment.
Does it make more sense to call this applicationPrivileges or applicationsPrivileges? If I understand correctly, this represents all of the custom privileges on the role, while $scope.applicationPrivileges below references the privileges for this specific instance of Kibana.
| @@ -75,7 +76,8 @@ export const security = (kibana) => new kibana.Plugin({ | |||
| return { | |||
| secureCookies: config.get('xpack.security.secureCookies'), | |||
| sessionTimeout: config.get('xpack.security.sessionTimeout'), | |||
| rbacEnabled: config.get('xpack.security.rbac.enabled') | |||
| rbacEnabled: config.get('xpack.security.rbac.enabled'), | |||
| rbacApplication: config.get('xpack.security.rbac.application'), | |||
There was a problem hiding this comment.
Since we use the rbacApplication to derive the role name, what do you think about validating that this also conforms to the role naming rules?
Role names must be at least 1 and no more than 1024 characters.
They can contain alphanumeric characters (a-z, A-Z, 0-9), spaces, punctuation, and printable symbols in the Basic Latin (ASCII) block.
Leading or trailing whitespace is not allowed.
There was a problem hiding this comment.
I chose a more restrictive pattern because it'd look inconsistent to accept punctuation and spaces and then append _rbac_user and _rbac_dashboard_only_user to the end.
| const versionPrivilege = getVersionPrivilege(kibanaVersion); | ||
| const loginPrivilege = getLoginPrivilege(); | ||
|
|
||
| const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', { |
There was a problem hiding this comment.
Do we need to add exception handling here? If this call throws, then I think the error will get thrown out of the SavedObjectsClient uninspected, which condradicts its documentation
There was a problem hiding this comment.
Good catch, I'll make sure we're throwing the appropriate wrapped errors.
There was a problem hiding this comment.
Since this will be used outside of the context of the SavedObjectClient, I'm going to have the SavedObjectClient's usage wrap these errors instead of modifying it directly in the hasPrivileges service.
| const success = privilegeCheck.has_all_requested; | ||
| const missingPrivileges = getMissingPrivileges(DEFAULT_RESOURCE, application, privilegeCheck); | ||
|
|
||
| // We include the login privilege on all privileges, so the existence of it and not the version privilege |
There was a problem hiding this comment.
This could very well be YAGNI, but I'll ask anyway: Do we envision having service accounts in the future, for reporting or other background tasks? In other words, could we have accounts that have privileges within Kibana, but without the ability to login and have an interactive session?
There was a problem hiding this comment.
I haven't heard any discussion of service accounts in this form, and they'd all have to authenticate somehow (making the login action relevant). I'm having trouble envisioning a situation where we couldn't rely on the login privilege to be present.
| // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't | ||
| // know whether the user just wasn't authorized for this instance of Kibana in general | ||
| if (missingPrivileges.includes(versionPrivilege) && !missingPrivileges.includes(loginPrivilege)) { | ||
| throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.'); |
There was a problem hiding this comment.
I guess the corrective action would be "Stop doing that", but are there any steps we should document for users who find themselves in this situation? ("no" is a perfectly acceptable answer 😄)
There was a problem hiding this comment.
This is definitely something that we'll want to document. There isn't really a corrective action besides "don't do that" unfortunately.
| expect(applicationParam.privileges).toContain(getLoginPrivilege()); | ||
| }); | ||
|
|
||
| test(`returns false success when has_all_requested`, async () => { |
There was a problem hiding this comment.
It's definitely not proper english.
There was a problem hiding this comment.
issue: it's also returning success = true here
|
I'm not sure if this is within the scope of this PR or not, but I noticed a few authorization issues while testing: Create Index Pattern
View Reporting[follow steps 1-3 above] Access Monitoring App
|
|
With regard to those auth failures that you see happening, they should 'mirror' what is done without RBAC enabled, even though the user experience is less than ideal. |
|
I retested with and without RBAC enabled, and I agree -- thanks for clarifying! I found a separate issue while retesting: It doesn't seem possible to create a new role with RBAC disabled, because there are no app permission defined: |
I just pushed a fix for this, it was affecting the roles pages with RBAC enabled as well if you didn't assign any Kibana privileges (which is completely valid) |
kobelb
commented
May 15, 2018
| try { | ||
| result = await this._hasPrivileges(actions); | ||
| } catch(error) { | ||
| const { reason } = get(error, 'body.error', {}); |
There was a problem hiding this comment.
If we ever get an error thrown when checking the hasPrivileges, I'm considering it a "general error" so it'll surface as a 500. We should've authenticated the user before this point, and we won't get a 403 (as this will just return true/false) and all other exceptions are something we don't want to surface to the user via customized HTTP access codes.
There was a problem hiding this comment.
makes sense. do we have a test(s) for this?
There was a problem hiding this comment.
We're missing a lot of tests in the RBAC Phase 1 branch, I'm going to be working on adding better test coverage in an alternate PR (since I've already done a bit too much in this one).
rhoboat
reviewed
May 15, 2018
| expect(result.success).toBe(true); | ||
| }); | ||
|
|
||
| test(`returns false success when has_all_requested is false`, async () => { |
There was a problem hiding this comment.
nit: wording here is weird too. "false success" just reads weirdly. hmm. i can't suggest something better atm.
There was a problem hiding this comment.
Yeah, I struggled with this one...
success of false read weird also, '{ success: false }' and non-success seemed equally weird. I'm open to alternate suggestions :)
rhoboat
reviewed
May 15, 2018
| return Object.keys(privileges).filter(key => privileges[key] === false); | ||
| }; | ||
|
|
||
| export function createRequestHasPrivileges(server) { |
There was a problem hiding this comment.
potential issue: Maybe it's just me, but this reads so strangely to me. I either want it to be create_RequestHasPrivileges to emphasize we're not creating a request with privileges, which would be weird wording too. Or I want it to be createRequestHasPrivilegesCheck to emphasize that we're creating a checking function, not a privilege, not a request. It's just unclear at first glance what this does.
rhoboat
reviewed
May 15, 2018
|
|
||
| const requestHasPrivileges = createRequestHasPrivileges(mockServer); | ||
| const request = {}; | ||
| const hasPrivileges = requestHasPrivileges(request); |
There was a problem hiding this comment.
what if this was
const hasPrivileges = checkRequestPrivileges(request);
rhoboat
reviewed
May 15, 2018
| foo: true, | ||
| }); | ||
|
|
||
| const requestHasPrivileges = createRequestHasPrivileges(mockServer); |
There was a problem hiding this comment.
what if
const checkRequestPrivileges = createRequestPrivilegesCheck(mockServer);
or
const checkRequestPrivileges = createCheckRequestPrivileges(mockServer);
?
|
I left some comments. Mostly about naming since that was tripping me up as I read. Overall I think it's worth doing. |
legrego
reviewed
May 15, 2018
x-pack/plugins/security/index.js
Outdated
| application: Joi.string().default('kibana'), | ||
| application: Joi.string().default('kibana').regex( | ||
| /[a-zA-Z0-9-_]+/, | ||
| dedent( |
There was a problem hiding this comment.
Does dedent do anything to a single-line string?
There was a problem hiding this comment.
Nope. Originally it was a multi-line when copying the error message from Elasticsearch directly, but after simplifying the regex/description it's no longer needed. Thanks for catching this.
legrego
pushed a commit
to legrego/kibana
that referenced
this pull request
Jun 22, 2018
* Beginning to use the ES APIs to insert/check privileges * Removing todo comment, I think we're good with the current check * Adding ability to edit kibana application privileges * Introducing DEFAULT_RESOURCE constant * Removing unused arguments when performing saved objects auth check * Performing bulkCreate auth more efficiently * Throwing error in SavedObjectClient.find if type isn't provided * Fixing Reporting and removing errant console.log * Introducing a separate hasPrivileges "service" * Adding tests and fleshing out the has privileges "service" * Fixing error message * You can now edit whatever roles you want * We're gonna throw the find error in another PR * Changing conflicting version detection to work when user has no application privileges * Throwing correct error when user is forbidden * Removing unused interceptor * Adding warning if they're editing a role with application privileges we can't edit * Fixing filter... * Beginning to only update privileges when they need to be * More tests * One more test... * Restricting the rbac application name that can be chosen * Removing DEFAULT_RESOURCE check * Supporting 1024 characters for the role name * Renaming some variables, fixing issue with role w/ no kibana privileges * Throwing decorated general error when appropriate * Fixing test description * Dedent does nothing... * Renaming some functions
kobelb
added a commit
that referenced
this pull request
Jul 24, 2018
* partial implementation for OLS Phase 1 * Allow Saved Objects Client to be wrapped * Add placeholder "kibana.namespace" configuration property * revert changes to saved objects client * Remove circular dependency * Removing namespace setting, we're using xpack.security.rbac.application * Adding config.getDefault * Expose SavedObjectsClientProvider on the server for easy plugin consumption * migrate x-pack changes into kibana * Beginning to use the ES APIs to insert/check privileges (#18645) * Beginning to use the ES APIs to insert/check privileges * Removing todo comment, I think we're good with the current check * Adding ability to edit kibana application privileges * Introducing DEFAULT_RESOURCE constant * Removing unused arguments when performing saved objects auth check * Performing bulkCreate auth more efficiently * Throwing error in SavedObjectClient.find if type isn't provided * Fixing Reporting and removing errant console.log * Introducing a separate hasPrivileges "service" * Adding tests and fleshing out the has privileges "service" * Fixing error message * You can now edit whatever roles you want * We're gonna throw the find error in another PR * Changing conflicting version detection to work when user has no application privileges * Throwing correct error when user is forbidden * Removing unused interceptor * Adding warning if they're editing a role with application privileges we can't edit * Fixing filter... * Beginning to only update privileges when they need to be * More tests * One more test... * Restricting the rbac application name that can be chosen * Removing DEFAULT_RESOURCE check * Supporting 1024 characters for the role name * Renaming some variables, fixing issue with role w/ no kibana privileges * Throwing decorated general error when appropriate * Fixing test description * Dedent does nothing... * Renaming some functions * Adding built-in types and alphabetizing (#19306) * Filtering out non-default resource Kibana privileges (#19321) * Removing unused file * Adding kibana_rbac_dashboard_only_user to dashboard only mode roles (#19511) * Adding create default roles test (#19505) * RBAC - SecurityAuditLogger (#19571) * Manually porting over the AuditLogger for use within the security audit logger * HasPrivileges now returns the user from the request * Has privileges returns username from privilegeCheck * Adding first eventType to the security audit logger * Adding authorization success message * Logging arguments when authorization success * Fixing test description * Logging args during audit failures * RBAC Integration Tests (#19647) * Porting over the saved objects tests, a bunch are failing, I believe because security is preventing the requests * Running saved objects tests with rbac and xsrf disabled * Adding users * BulkGet now tests under 3 users * Adding create tests * Adding delete tests * Adding find tests * Adding get tests * Adding bulkGet forbidden tests * Adding not a kibana user tests * Update tests * Renaming the actions/privileges to be closer to the functions on the saved object client itself * Cleaning up tests and removing without index tests I'm considering the without index tests to be out of scope for the RBAC API testing, and we already have unit coverage for these and integration coverage via the OSS Saved Objects API tests. * Fixing misspelling * Fixing "conflicts" after merging master * Removing some white-space differences * Deleting files that got left behind in a merge * Adding the RBAC API Integration Tests * SavedObjectClient.find filtering (#19708) * Adding ability to specify filters when calling the repository * Implementing find filtering * Revert "Adding ability to specify filters when calling the repository" This reverts commit 9da30a1. * Adding integration tests for find filtering * Adding forbidden auth logging * Adding asserts to make sure some audit log isn't used * Adding more audit log specific tests * Necessarly is not a work, unfortunately * Fixing test * More descriptive name than "result" * Better unauthorized find message? * Adding getTypes tests * Trying to isolate cause of rbac test failures * Adding .toLowerCase() to work around capitalization issue * No longer exposing the auditLogger, we don't need it like that right now * Removing some unused code * Removing defaultSettings from test that doesn't utilize them * Fixing misspelling * Don't need an explicit login privilege when we have them all * Removing unused code, fixing misspelling, adding comment * Putting a file back * No longer creating the roles on start-up (#19799) * Removing kibana_rbac_dashboard_only_user from dashboard only role defaults * Fixing small issue with editing Kibana privileges * [RBAC Phase 1] - Update application privileges when XPack license changes (#19839) * Adding start to supporting basic license and switching to plat/gold * Initialize application privilages on XPack license change * restore mirror_status_and_initialize * additional tests and peer review updates * Introducing watchStatusAndLicenseToInitialize * Adding some tests * One more test * Even better tests * Removing unused mirrorStatusAndInitialize * Throwing an error if the wrong status function is called * RBAC Legacy Fallback (#19818) * Basic implementation, rather sloppy * Cleaning stuff up a bit * Beginning to write tests, going to refactor how we build the privileges * Making the buildPrivilegesMap no longer return application name as the main key * Using real privileges since we need to use them for the legacy fallback * Adding more tests * Fixing spelling * Fixing test description * Fixing comment description * Adding similar line breaks in the has privilege calls * No more settings * No more rbac enabled setting, we just do RBAC * Using describe to cleanup the test cases * Logging deprecations when using the legacy fallback * Cleaning up a bit... * Using the privilegeMap for the legacy fallback tests * Now with even less duplication * Removing stray `rbacEnabled` from angularjs * Fixing checkLicenses tests since we added RBAC * [Flaky Test] - wait for page load to complete (#19895) @kobelb this seems unrelated to our RBAC Phase 1 work, but I was able to consistently reproduce this on my machine. * [Flaky Test] Fixes flaky role test (#19899) Here's a fix for the latest flaky test @kobelb * Now with even easier repository access * Sample was including login/version privileges, which was occasionally (#19915) causing issues that were really hard to replicate * Dynamic types (#19925) No more hard-coded types! This will make it so that plugins that register their own mappings just transparently work. * start to address feedback * Fix RBAC Phase 1 merge from master (#20226) This updates RBAC Phase 1 to work against the latest master. Specifically: 1. Removes `xpack_main`'s `registerLicenseChangeCallback`, which we introduced in `security-app-privs`, in favor of `onLicenseInfoChange`, which was recently added to master 2. Updated `x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js` to be compliant with rxjs v6 * Retrying initialize 20 times with a scaling backoff (#20297) * Retrying initialize 20 times with a scaling backoff * Logging error when we are registering the privileges * Alternate legacy fallback (#20322) * Beginning to use alternate callWithRequest fallback * Only use legacy fallback when user has "some" privileges on index * Logging useLegacyFallback when there's an authorization failure * Adding tests, logging failure during find no types fallback * Switching to using an enum instead of success/useLegacyFallback * Using _execute to share some of the structure * Moving comment to where it belongs * No longer audit logging when we use the legacy fallback * Setting the status to red on the first error then continually (#20343) initializing * Renaming get*Privilege to get*Action * Adding "instance" to alert about other application privileges * Revising some of the naming for the edit roles screen * One more edit role variable renamed * hasPrivileges is now checkPrivileges * Revising check_license tests * Adding 2 more privileges tests * Moving the other _find method to be near his friend * Spelling "returning" correctly, whoops * Adding Privileges tests * tests for Elasticsearch's privileges APIs * Switching the hard-coded resource from 'default' to * * Throw error before we execute a POST privilege call that won't work * Resolving issue when initially registering privileges * Logging legacy fallback deprecation warning on login (#20493) * Logging legacy fallback deprecation on login * Consolidation the privileges/authorization folder * Exposing rudimentary authorization service and fixing authenticate tests * Moving authorization services configuration to initAuthorization * Adding "actions" service exposed by the authorization * Fixing misspelling * Removing invalid and unused exports * Adding note about only adding privileges * Calling it initAuthorizationService * Throwing explicit validation error in actions.getSavedObjectAction * Deep freezing authorization service * Adding deepFreeze tests * Checking privileges in one call and cleaning up tests * Deriving application from Kibana index (#20614) * Specifying the application on the "authorization service" * Moving watchStatusAndLicenseToInitialize to be below initAuthorizationService * Using short-hand propery assignment * Validate ES has_privileges response before trusting it (#20682) * validate elasticsearch has_privileges response before trusting it * address feedback * Removing unused setting * Public Role APIs (#20732) * Beginning to work on external role management APIs * Refactoring GET tests and adding more permutations * Adding test for excluding other resources * Adding get role tests * Splitting out the endpoints, or else it's gonna get overwhelming * Splitting out the post and delete actions * Beginning to work on POST and the tests * Posting the updated role * Adding update tests * Modifying the UI to use the new public APIs * Removing internal roles API * Moving the rbac api integration setup tests to use the public role apis * Testing field_security and query * Adding create role tests * We can't update the transient_metadata... * Removing debugger * Update and delete tests * Returning a 204 when POSTing a Role. * Switching POST to PUT and roles to role * We don't need the rbacApplication client-side anymore * Adding delete route tests * Using not found instead of not acceptable, as that's more likely * Only allowing us to PUT known Kibana privileges * Removing transient_metadata * Removing one letter variable names * Using PUT instead of POST when saving roles * Fixing broken tests * Adding setting to allow the user to turn off the legacy fallback (#20766) * Pulling the version from the kibana server * Deleting unused file * Add API integration tests for roles with index and app privileges (#21033) * Rbac phase1 functional UI tests (#20949) * rbac functional tests * changes to the test file * RBAC_functional test * incorporating review feedback * slight modification to the addPriv() to cover all tests * removed the @ in secure roles and perm file in the describe block and made it look more relevant * Fixing role management API from users * Set a timeout when we try/catch a find, so it doesn't pause a long time * Changing the way we detect if a user is reserved for the ftr * Skipping flaky test
kobelb
added a commit
to kobelb/kibana
that referenced
this pull request
Jul 24, 2018
* partial implementation for OLS Phase 1 * Allow Saved Objects Client to be wrapped * Add placeholder "kibana.namespace" configuration property * revert changes to saved objects client * Remove circular dependency * Removing namespace setting, we're using xpack.security.rbac.application * Adding config.getDefault * Expose SavedObjectsClientProvider on the server for easy plugin consumption * migrate x-pack changes into kibana * Beginning to use the ES APIs to insert/check privileges (elastic#18645) * Beginning to use the ES APIs to insert/check privileges * Removing todo comment, I think we're good with the current check * Adding ability to edit kibana application privileges * Introducing DEFAULT_RESOURCE constant * Removing unused arguments when performing saved objects auth check * Performing bulkCreate auth more efficiently * Throwing error in SavedObjectClient.find if type isn't provided * Fixing Reporting and removing errant console.log * Introducing a separate hasPrivileges "service" * Adding tests and fleshing out the has privileges "service" * Fixing error message * You can now edit whatever roles you want * We're gonna throw the find error in another PR * Changing conflicting version detection to work when user has no application privileges * Throwing correct error when user is forbidden * Removing unused interceptor * Adding warning if they're editing a role with application privileges we can't edit * Fixing filter... * Beginning to only update privileges when they need to be * More tests * One more test... * Restricting the rbac application name that can be chosen * Removing DEFAULT_RESOURCE check * Supporting 1024 characters for the role name * Renaming some variables, fixing issue with role w/ no kibana privileges * Throwing decorated general error when appropriate * Fixing test description * Dedent does nothing... * Renaming some functions * Adding built-in types and alphabetizing (elastic#19306) * Filtering out non-default resource Kibana privileges (elastic#19321) * Removing unused file * Adding kibana_rbac_dashboard_only_user to dashboard only mode roles (elastic#19511) * Adding create default roles test (elastic#19505) * RBAC - SecurityAuditLogger (elastic#19571) * Manually porting over the AuditLogger for use within the security audit logger * HasPrivileges now returns the user from the request * Has privileges returns username from privilegeCheck * Adding first eventType to the security audit logger * Adding authorization success message * Logging arguments when authorization success * Fixing test description * Logging args during audit failures * RBAC Integration Tests (elastic#19647) * Porting over the saved objects tests, a bunch are failing, I believe because security is preventing the requests * Running saved objects tests with rbac and xsrf disabled * Adding users * BulkGet now tests under 3 users * Adding create tests * Adding delete tests * Adding find tests * Adding get tests * Adding bulkGet forbidden tests * Adding not a kibana user tests * Update tests * Renaming the actions/privileges to be closer to the functions on the saved object client itself * Cleaning up tests and removing without index tests I'm considering the without index tests to be out of scope for the RBAC API testing, and we already have unit coverage for these and integration coverage via the OSS Saved Objects API tests. * Fixing misspelling * Fixing "conflicts" after merging master * Removing some white-space differences * Deleting files that got left behind in a merge * Adding the RBAC API Integration Tests * SavedObjectClient.find filtering (elastic#19708) * Adding ability to specify filters when calling the repository * Implementing find filtering * Revert "Adding ability to specify filters when calling the repository" This reverts commit 9da30a1. * Adding integration tests for find filtering * Adding forbidden auth logging * Adding asserts to make sure some audit log isn't used * Adding more audit log specific tests * Necessarly is not a work, unfortunately * Fixing test * More descriptive name than "result" * Better unauthorized find message? * Adding getTypes tests * Trying to isolate cause of rbac test failures * Adding .toLowerCase() to work around capitalization issue * No longer exposing the auditLogger, we don't need it like that right now * Removing some unused code * Removing defaultSettings from test that doesn't utilize them * Fixing misspelling * Don't need an explicit login privilege when we have them all * Removing unused code, fixing misspelling, adding comment * Putting a file back * No longer creating the roles on start-up (elastic#19799) * Removing kibana_rbac_dashboard_only_user from dashboard only role defaults * Fixing small issue with editing Kibana privileges * [RBAC Phase 1] - Update application privileges when XPack license changes (elastic#19839) * Adding start to supporting basic license and switching to plat/gold * Initialize application privilages on XPack license change * restore mirror_status_and_initialize * additional tests and peer review updates * Introducing watchStatusAndLicenseToInitialize * Adding some tests * One more test * Even better tests * Removing unused mirrorStatusAndInitialize * Throwing an error if the wrong status function is called * RBAC Legacy Fallback (elastic#19818) * Basic implementation, rather sloppy * Cleaning stuff up a bit * Beginning to write tests, going to refactor how we build the privileges * Making the buildPrivilegesMap no longer return application name as the main key * Using real privileges since we need to use them for the legacy fallback * Adding more tests * Fixing spelling * Fixing test description * Fixing comment description * Adding similar line breaks in the has privilege calls * No more settings * No more rbac enabled setting, we just do RBAC * Using describe to cleanup the test cases * Logging deprecations when using the legacy fallback * Cleaning up a bit... * Using the privilegeMap for the legacy fallback tests * Now with even less duplication * Removing stray `rbacEnabled` from angularjs * Fixing checkLicenses tests since we added RBAC * [Flaky Test] - wait for page load to complete (elastic#19895) @kobelb this seems unrelated to our RBAC Phase 1 work, but I was able to consistently reproduce this on my machine. * [Flaky Test] Fixes flaky role test (elastic#19899) Here's a fix for the latest flaky test @kobelb * Now with even easier repository access * Sample was including login/version privileges, which was occasionally (elastic#19915) causing issues that were really hard to replicate * Dynamic types (elastic#19925) No more hard-coded types! This will make it so that plugins that register their own mappings just transparently work. * start to address feedback * Fix RBAC Phase 1 merge from master (elastic#20226) This updates RBAC Phase 1 to work against the latest master. Specifically: 1. Removes `xpack_main`'s `registerLicenseChangeCallback`, which we introduced in `security-app-privs`, in favor of `onLicenseInfoChange`, which was recently added to master 2. Updated `x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js` to be compliant with rxjs v6 * Retrying initialize 20 times with a scaling backoff (elastic#20297) * Retrying initialize 20 times with a scaling backoff * Logging error when we are registering the privileges * Alternate legacy fallback (elastic#20322) * Beginning to use alternate callWithRequest fallback * Only use legacy fallback when user has "some" privileges on index * Logging useLegacyFallback when there's an authorization failure * Adding tests, logging failure during find no types fallback * Switching to using an enum instead of success/useLegacyFallback * Using _execute to share some of the structure * Moving comment to where it belongs * No longer audit logging when we use the legacy fallback * Setting the status to red on the first error then continually (elastic#20343) initializing * Renaming get*Privilege to get*Action * Adding "instance" to alert about other application privileges * Revising some of the naming for the edit roles screen * One more edit role variable renamed * hasPrivileges is now checkPrivileges * Revising check_license tests * Adding 2 more privileges tests * Moving the other _find method to be near his friend * Spelling "returning" correctly, whoops * Adding Privileges tests * tests for Elasticsearch's privileges APIs * Switching the hard-coded resource from 'default' to * * Throw error before we execute a POST privilege call that won't work * Resolving issue when initially registering privileges * Logging legacy fallback deprecation warning on login (elastic#20493) * Logging legacy fallback deprecation on login * Consolidation the privileges/authorization folder * Exposing rudimentary authorization service and fixing authenticate tests * Moving authorization services configuration to initAuthorization * Adding "actions" service exposed by the authorization * Fixing misspelling * Removing invalid and unused exports * Adding note about only adding privileges * Calling it initAuthorizationService * Throwing explicit validation error in actions.getSavedObjectAction * Deep freezing authorization service * Adding deepFreeze tests * Checking privileges in one call and cleaning up tests * Deriving application from Kibana index (elastic#20614) * Specifying the application on the "authorization service" * Moving watchStatusAndLicenseToInitialize to be below initAuthorizationService * Using short-hand propery assignment * Validate ES has_privileges response before trusting it (elastic#20682) * validate elasticsearch has_privileges response before trusting it * address feedback * Removing unused setting * Public Role APIs (elastic#20732) * Beginning to work on external role management APIs * Refactoring GET tests and adding more permutations * Adding test for excluding other resources * Adding get role tests * Splitting out the endpoints, or else it's gonna get overwhelming * Splitting out the post and delete actions * Beginning to work on POST and the tests * Posting the updated role * Adding update tests * Modifying the UI to use the new public APIs * Removing internal roles API * Moving the rbac api integration setup tests to use the public role apis * Testing field_security and query * Adding create role tests * We can't update the transient_metadata... * Removing debugger * Update and delete tests * Returning a 204 when POSTing a Role. * Switching POST to PUT and roles to role * We don't need the rbacApplication client-side anymore * Adding delete route tests * Using not found instead of not acceptable, as that's more likely * Only allowing us to PUT known Kibana privileges * Removing transient_metadata * Removing one letter variable names * Using PUT instead of POST when saving roles * Fixing broken tests * Adding setting to allow the user to turn off the legacy fallback (elastic#20766) * Pulling the version from the kibana server * Deleting unused file * Add API integration tests for roles with index and app privileges (elastic#21033) * Rbac phase1 functional UI tests (elastic#20949) * rbac functional tests * changes to the test file * RBAC_functional test * incorporating review feedback * slight modification to the addPriv() to cover all tests * removed the @ in secure roles and perm file in the describe block and made it look more relevant * Fixing role management API from users * Set a timeout when we try/catch a find, so it doesn't pause a long time * Changing the way we detect if a user is reserved for the ftr * Skipping flaky test
kobelb
added a commit
that referenced
this pull request
Jul 24, 2018
* partial implementation for OLS Phase 1 * Allow Saved Objects Client to be wrapped * Add placeholder "kibana.namespace" configuration property * revert changes to saved objects client * Remove circular dependency * Removing namespace setting, we're using xpack.security.rbac.application * Adding config.getDefault * Expose SavedObjectsClientProvider on the server for easy plugin consumption * migrate x-pack changes into kibana * Beginning to use the ES APIs to insert/check privileges (#18645) * Beginning to use the ES APIs to insert/check privileges * Removing todo comment, I think we're good with the current check * Adding ability to edit kibana application privileges * Introducing DEFAULT_RESOURCE constant * Removing unused arguments when performing saved objects auth check * Performing bulkCreate auth more efficiently * Throwing error in SavedObjectClient.find if type isn't provided * Fixing Reporting and removing errant console.log * Introducing a separate hasPrivileges "service" * Adding tests and fleshing out the has privileges "service" * Fixing error message * You can now edit whatever roles you want * We're gonna throw the find error in another PR * Changing conflicting version detection to work when user has no application privileges * Throwing correct error when user is forbidden * Removing unused interceptor * Adding warning if they're editing a role with application privileges we can't edit * Fixing filter... * Beginning to only update privileges when they need to be * More tests * One more test... * Restricting the rbac application name that can be chosen * Removing DEFAULT_RESOURCE check * Supporting 1024 characters for the role name * Renaming some variables, fixing issue with role w/ no kibana privileges * Throwing decorated general error when appropriate * Fixing test description * Dedent does nothing... * Renaming some functions * Adding built-in types and alphabetizing (#19306) * Filtering out non-default resource Kibana privileges (#19321) * Removing unused file * Adding kibana_rbac_dashboard_only_user to dashboard only mode roles (#19511) * Adding create default roles test (#19505) * RBAC - SecurityAuditLogger (#19571) * Manually porting over the AuditLogger for use within the security audit logger * HasPrivileges now returns the user from the request * Has privileges returns username from privilegeCheck * Adding first eventType to the security audit logger * Adding authorization success message * Logging arguments when authorization success * Fixing test description * Logging args during audit failures * RBAC Integration Tests (#19647) * Porting over the saved objects tests, a bunch are failing, I believe because security is preventing the requests * Running saved objects tests with rbac and xsrf disabled * Adding users * BulkGet now tests under 3 users * Adding create tests * Adding delete tests * Adding find tests * Adding get tests * Adding bulkGet forbidden tests * Adding not a kibana user tests * Update tests * Renaming the actions/privileges to be closer to the functions on the saved object client itself * Cleaning up tests and removing without index tests I'm considering the without index tests to be out of scope for the RBAC API testing, and we already have unit coverage for these and integration coverage via the OSS Saved Objects API tests. * Fixing misspelling * Fixing "conflicts" after merging master * Removing some white-space differences * Deleting files that got left behind in a merge * Adding the RBAC API Integration Tests * SavedObjectClient.find filtering (#19708) * Adding ability to specify filters when calling the repository * Implementing find filtering * Revert "Adding ability to specify filters when calling the repository" This reverts commit 9da30a1. * Adding integration tests for find filtering * Adding forbidden auth logging * Adding asserts to make sure some audit log isn't used * Adding more audit log specific tests * Necessarly is not a work, unfortunately * Fixing test * More descriptive name than "result" * Better unauthorized find message? * Adding getTypes tests * Trying to isolate cause of rbac test failures * Adding .toLowerCase() to work around capitalization issue * No longer exposing the auditLogger, we don't need it like that right now * Removing some unused code * Removing defaultSettings from test that doesn't utilize them * Fixing misspelling * Don't need an explicit login privilege when we have them all * Removing unused code, fixing misspelling, adding comment * Putting a file back * No longer creating the roles on start-up (#19799) * Removing kibana_rbac_dashboard_only_user from dashboard only role defaults * Fixing small issue with editing Kibana privileges * [RBAC Phase 1] - Update application privileges when XPack license changes (#19839) * Adding start to supporting basic license and switching to plat/gold * Initialize application privilages on XPack license change * restore mirror_status_and_initialize * additional tests and peer review updates * Introducing watchStatusAndLicenseToInitialize * Adding some tests * One more test * Even better tests * Removing unused mirrorStatusAndInitialize * Throwing an error if the wrong status function is called * RBAC Legacy Fallback (#19818) * Basic implementation, rather sloppy * Cleaning stuff up a bit * Beginning to write tests, going to refactor how we build the privileges * Making the buildPrivilegesMap no longer return application name as the main key * Using real privileges since we need to use them for the legacy fallback * Adding more tests * Fixing spelling * Fixing test description * Fixing comment description * Adding similar line breaks in the has privilege calls * No more settings * No more rbac enabled setting, we just do RBAC * Using describe to cleanup the test cases * Logging deprecations when using the legacy fallback * Cleaning up a bit... * Using the privilegeMap for the legacy fallback tests * Now with even less duplication * Removing stray `rbacEnabled` from angularjs * Fixing checkLicenses tests since we added RBAC * [Flaky Test] - wait for page load to complete (#19895) @kobelb this seems unrelated to our RBAC Phase 1 work, but I was able to consistently reproduce this on my machine. * [Flaky Test] Fixes flaky role test (#19899) Here's a fix for the latest flaky test @kobelb * Now with even easier repository access * Sample was including login/version privileges, which was occasionally (#19915) causing issues that were really hard to replicate * Dynamic types (#19925) No more hard-coded types! This will make it so that plugins that register their own mappings just transparently work. * start to address feedback * Fix RBAC Phase 1 merge from master (#20226) This updates RBAC Phase 1 to work against the latest master. Specifically: 1. Removes `xpack_main`'s `registerLicenseChangeCallback`, which we introduced in `security-app-privs`, in favor of `onLicenseInfoChange`, which was recently added to master 2. Updated `x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js` to be compliant with rxjs v6 * Retrying initialize 20 times with a scaling backoff (#20297) * Retrying initialize 20 times with a scaling backoff * Logging error when we are registering the privileges * Alternate legacy fallback (#20322) * Beginning to use alternate callWithRequest fallback * Only use legacy fallback when user has "some" privileges on index * Logging useLegacyFallback when there's an authorization failure * Adding tests, logging failure during find no types fallback * Switching to using an enum instead of success/useLegacyFallback * Using _execute to share some of the structure * Moving comment to where it belongs * No longer audit logging when we use the legacy fallback * Setting the status to red on the first error then continually (#20343) initializing * Renaming get*Privilege to get*Action * Adding "instance" to alert about other application privileges * Revising some of the naming for the edit roles screen * One more edit role variable renamed * hasPrivileges is now checkPrivileges * Revising check_license tests * Adding 2 more privileges tests * Moving the other _find method to be near his friend * Spelling "returning" correctly, whoops * Adding Privileges tests * tests for Elasticsearch's privileges APIs * Switching the hard-coded resource from 'default' to * * Throw error before we execute a POST privilege call that won't work * Resolving issue when initially registering privileges * Logging legacy fallback deprecation warning on login (#20493) * Logging legacy fallback deprecation on login * Consolidation the privileges/authorization folder * Exposing rudimentary authorization service and fixing authenticate tests * Moving authorization services configuration to initAuthorization * Adding "actions" service exposed by the authorization * Fixing misspelling * Removing invalid and unused exports * Adding note about only adding privileges * Calling it initAuthorizationService * Throwing explicit validation error in actions.getSavedObjectAction * Deep freezing authorization service * Adding deepFreeze tests * Checking privileges in one call and cleaning up tests * Deriving application from Kibana index (#20614) * Specifying the application on the "authorization service" * Moving watchStatusAndLicenseToInitialize to be below initAuthorizationService * Using short-hand propery assignment * Validate ES has_privileges response before trusting it (#20682) * validate elasticsearch has_privileges response before trusting it * address feedback * Removing unused setting * Public Role APIs (#20732) * Beginning to work on external role management APIs * Refactoring GET tests and adding more permutations * Adding test for excluding other resources * Adding get role tests * Splitting out the endpoints, or else it's gonna get overwhelming * Splitting out the post and delete actions * Beginning to work on POST and the tests * Posting the updated role * Adding update tests * Modifying the UI to use the new public APIs * Removing internal roles API * Moving the rbac api integration setup tests to use the public role apis * Testing field_security and query * Adding create role tests * We can't update the transient_metadata... * Removing debugger * Update and delete tests * Returning a 204 when POSTing a Role. * Switching POST to PUT and roles to role * We don't need the rbacApplication client-side anymore * Adding delete route tests * Using not found instead of not acceptable, as that's more likely * Only allowing us to PUT known Kibana privileges * Removing transient_metadata * Removing one letter variable names * Using PUT instead of POST when saving roles * Fixing broken tests * Adding setting to allow the user to turn off the legacy fallback (#20766) * Pulling the version from the kibana server * Deleting unused file * Add API integration tests for roles with index and app privileges (#21033) * Rbac phase1 functional UI tests (#20949) * rbac functional tests * changes to the test file * RBAC_functional test * incorporating review feedback * slight modification to the addPriv() to cover all tests * removed the @ in secure roles and perm file in the describe block and made it look more relevant * Fixing role management API from users * Set a timeout when we try/catch a find, so it doesn't pause a long time * Changing the way we detect if a user is reserved for the ftr * Skipping flaky test
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.