Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Public Role APIs #20732

Merged
merged 28 commits into from
Jul 13, 2018
Merged

Public Role APIs #20732

merged 28 commits into from
Jul 13, 2018

Conversation

kobelb
Copy link
Contributor

@kobelb kobelb commented Jul 12, 2018

Adding public APIs for managing Kibana roles.

@kobelb kobelb requested a review from legrego July 12, 2018 17:32
@elasticmachine
Copy link
Contributor

💚 Build Succeeded

import { uiModules } from 'ui/modules';

const module = uiModules.get('security', ['ngResource']);
module.service('ShieldRole', ($resource, chrome) => {
return $resource(chrome.addBasePath('/api/security/v1/roles/:name'), {
return $resource(chrome.addBasePath('/api/security/roles/:name'), {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a precedent for versioning public APIs within Kibana yet? If not, what are your thoughts on introducing a v1 prefix or similar?

My concern is that, in general, these APIs will become as fluid as the current plugin API over time, with potential breaking changes within minor/patch releases.

const getKibanaPrivileges = (applicationPrivileges, roleApplications, application) => {
const kibanaPrivileges = applicationPrivileges.reduce((acc, p) => {
const getKibanaPrivilegesViewModel = (applicationPrivileges, roleKibanaPrivileges) => {
const viewModel = applicationPrivileges.reduce((acc, p) => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: avoid one letter variables

method: 'DELETE',
path: '/api/security/roles/{name}',
handler(request, reply) {
const name = request.params.name;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Edit - I'm withdrawing this comment, but leaving it here for posterity.

Since this is a public API, I feel like we may want to have more robust error handling.

In my testing, executing DELETE /api/security/roles/this-does-not-exist correctly returns a 404 from Elasticsearch:

{"statusCode":404,"error":"Not Found","message":"Not Found"}

But from the Kibana API perspective, it's ambiguous. Is this saying that the API endpoint wasn't found, or that the role wasn't found?

ignore: [404],
});

const body = transformRolesToEs(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right now, it lets me submit the following request:

{
"elasticsearch":{"cluster":[],"indices":[],"run_as":[]},
"kibana":[{"privileges":["all", "all", "read", "foo"]}]
}

Do you think we should fail the request when it contains privileges that we aren't aware of? What about the case of duplicate privilege/resource entries?

I know that the ES API technically allows users to do this, but I worry that someone will mistakenly (or maliciously) get a privilege associated that exists in a future version of Kibana. When that instance is upgraded, that role will suddenly have permissions within Kibana that weren't necessarily intended for them.

payload,
existingApplications = []
) => {
debugger; //eslint-disable-line
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably don't need this anymore

ignore: [404],
});

const body = transformRolesToEs(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know the ES API technically allows this, but what do you think about whitelisting the set of privileges users can assign here?

I'm worried that someone will accidentally (or maliciously) assign a privilege that exists in a future version of Kibana, so when that installation is upgraded, then this role will have privileges that weren't intended for it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can add validation for this, sure.

I'm not too worried about someone maliciously doing this, as they'd have to have the cluster manage_security privilege and have future knowledge about versions of Kibana, so it's more to prevent an accidental privilege that isn't actually used.

import { uiModules } from 'ui/modules';

const module = uiModules.get('security', ['ngResource']);
module.service('ShieldRole', ($resource, chrome) => {
return $resource(chrome.addBasePath('/api/security/v1/roles/:name'), {
return $resource(chrome.addBasePath('/api/security/role/:name'), {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a precedent for how to version our public APIs yet? I'm concerned that not including a version number will prevent us from iterating in minor versions. Or at the other side of the spectrum, these public APIs could inadvertently become fluid like our plugin API, where users have to tie to a specific minor/patch release.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We want our public APIs to be versioned with our "product version" so that when we do a major release, we are able to make breaking changes to the APIs. If we had to do a breaking change in a minor, we'd have to put it in the release notes and have a very good reason for doing so. We don't want "multiple versions" for stuff like this.

@elasticmachine
Copy link
Contributor

💔 Build Failed

Copy link
Member

@legrego legrego left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks really good overall, nice work!

In going over this, I'm starting to question the cost/benefit here. To be clear, I'm not saying we shouldn't do this, but I have concerns.

On one hand, I love that we are providing a usable facade for managing Kibana privileges without having to understand the internal privilege structure. Not having this would be an administrative nightmare for users who automate their deployment and configuration.

On the other hand, it seems strange to me that we will now have two publically documented APIs which allow users to manage their roles. Both are supported, but only one of them will really be "usable" if the intent is to assign Kibana privileges to that role. This argument could be extended to any other application which decides to take advantage of the ES privilege system. I feel like a more holistic approach would be to have ES expose a "privilege-friendly" API, although I'm really not sure what that would look like. Answering "it depends" when users ask which one to use further complicates an already complex setup.

I can see that you attempted to mitigate some of this by making this API as close to the ES API as possible, and I think some of my comments about allowing certain operations contradict this effort. So I'm clearly at odds with myself here, and I don't know how to resolve that 😄

);

return pick({
metadata: payload.metadata,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want the Kibana API to allow callers to set arbitrary metadata here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do, because Elasticsearch does.


return pick({
metadata: payload.metadata,
transient_metadata: payload.transient_metadata,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The payload schema above does not allow transient_metadata to be specified. If we add it to the schema, is this something we want callers to arbitrarily set too?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, we don't want to be allowing this property to be PUT into Elasticsearch, when we do so Elasticsearch just ignored it anyway.

@kobelb
Copy link
Contributor Author

kobelb commented Jul 13, 2018

@legrego those are valid concerns, but having a public API that can be used to manage Kibana privileges without having to go into the details of how Kibana utilizes Elasticsearch's application privileges in the docs is better than the alternative at this point. Over time, we might need to push more of this to Elasticsearch to make user's lives easier, but I think we're in a better place with this approach than without it.

@elasticmachine
Copy link
Contributor

💔 Build Failed

},
});

putRoleTest(`only allows known Kibana privileges`, {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't appear to be testing "only allows known Kibana privileges"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

doesn't allow non-known Kibana privilege?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, that was a really confusing comment. It looks like the test is asserting on child "name" fails because ["name" length must be less than or equal to 1024 characters long] instead of on an unknown Kibana privilege.

@elasticmachine
Copy link
Contributor

💚 Build Succeeded

@kobelb kobelb merged commit a597976 into elastic:security-app-privs Jul 13, 2018
@kobelb kobelb deleted the external-apis branch July 13, 2018 16:38
@elasticmachine
Copy link
Contributor

💔 Build Failed

legrego added a commit that referenced this pull request Jul 20, 2018
This PR updates the new Role Management screen to use the public role API introduced as part of #20732.

Additionally, this updates the breadcrumb nav for Spaces and Role management screens to be consistent with the nav introduced in #20739.

There are a couple of visual glitches in this PR which are a result of current defects on master, so they can be safely ignored for the time being.
kobelb added a commit that referenced this pull request Jul 24, 2018
* partial implementation for OLS Phase 1

* Allow Saved Objects Client to be wrapped

* Add placeholder "kibana.namespace" configuration property

* revert changes to saved objects client

* Remove circular dependency

* Removing namespace setting, we're using xpack.security.rbac.application

* Adding config.getDefault

* Expose SavedObjectsClientProvider on the server for easy plugin consumption

* migrate x-pack changes into kibana

* Beginning to use the ES APIs to insert/check privileges (#18645)

* Beginning to use the ES APIs to insert/check privileges

* Removing todo comment, I think we're good with the current check

* Adding ability to edit kibana application privileges

* Introducing DEFAULT_RESOURCE constant

* Removing unused arguments when performing saved objects auth check

* Performing bulkCreate auth more efficiently

* Throwing error in SavedObjectClient.find if type isn't provided

* Fixing Reporting and removing errant console.log

* Introducing a separate hasPrivileges "service"

* Adding tests and fleshing out the has privileges "service"

* Fixing error message

* You can now edit whatever roles you want

* We're gonna throw the find error in another PR

* Changing conflicting version detection to work when user has no
application privileges

* Throwing correct error when user is forbidden

* Removing unused interceptor

* Adding warning if they're editing a role with application privileges we
can't edit

* Fixing filter...

* Beginning to only update privileges when they need to be

* More tests

* One more test...

* Restricting the rbac application name that can be chosen

* Removing DEFAULT_RESOURCE check

* Supporting 1024 characters for the role name

* Renaming some variables, fixing issue with role w/ no kibana privileges

* Throwing decorated general error when appropriate

* Fixing test description

* Dedent does nothing...

* Renaming some functions

* Adding built-in types and alphabetizing (#19306)

* Filtering out non-default resource Kibana privileges (#19321)

* Removing unused file

* Adding kibana_rbac_dashboard_only_user to dashboard only mode roles (#19511)

* Adding create default roles test (#19505)

* RBAC - SecurityAuditLogger (#19571)

* Manually porting over the AuditLogger for use within the security audit
logger

* HasPrivileges now returns the user from the request

* Has privileges returns username from privilegeCheck

* Adding first eventType to the security audit logger

* Adding authorization success message

* Logging arguments when authorization success

* Fixing test description

* Logging args during audit failures

* RBAC Integration Tests (#19647)

* Porting over the saved objects tests, a bunch are failing, I believe
because security is preventing the requests

* Running saved objects tests with rbac and xsrf disabled

* Adding users

* BulkGet now tests under 3 users

* Adding create tests

* Adding delete tests

* Adding find tests

* Adding get tests

* Adding bulkGet forbidden tests

* Adding not a kibana user tests

* Update tests

* Renaming the actions/privileges to be closer to the functions on the
saved object client itself

* Cleaning up tests and removing without index tests

I'm considering the without index tests to be out of scope for the RBAC
API testing, and we already have unit coverage for these and integration
coverage via the OSS Saved Objects API tests.

* Fixing misspelling

* Fixing "conflicts" after merging master

* Removing some white-space differences

* Deleting files that got left behind in a merge

* Adding the RBAC API Integration Tests

* SavedObjectClient.find filtering (#19708)

* Adding ability to specify filters when calling the repository

* Implementing find filtering

* Revert "Adding ability to specify filters when calling the repository"

This reverts commit 9da30a1.

* Adding integration tests for find filtering

* Adding forbidden auth logging

* Adding asserts to make sure some audit log isn't used

* Adding more audit log specific tests

* Necessarly is not a work, unfortunately

* Fixing test

* More descriptive name than "result"

* Better unauthorized find message?

* Adding getTypes tests

* Trying to isolate cause of rbac test failures

* Adding .toLowerCase() to work around capitalization issue

* No longer exposing the auditLogger, we don't need it like that right now

* Removing some unused code

* Removing defaultSettings from test that doesn't utilize them

* Fixing misspelling

* Don't need an explicit login privilege when we have them all

* Removing unused code, fixing misspelling, adding comment

* Putting a file back

* No longer creating the roles on start-up (#19799)

* Removing kibana_rbac_dashboard_only_user from dashboard only role
defaults

* Fixing small issue with editing Kibana privileges

* [RBAC Phase 1] - Update application privileges when XPack license changes (#19839)

* Adding start to supporting basic license and switching to plat/gold

* Initialize application privilages on XPack license change

* restore mirror_status_and_initialize

* additional tests and peer review updates

* Introducing watchStatusAndLicenseToInitialize

* Adding some tests

* One more test

* Even better tests

* Removing unused mirrorStatusAndInitialize

* Throwing an error if the wrong status function is called

* RBAC Legacy Fallback (#19818)

* Basic implementation, rather sloppy

* Cleaning stuff up a bit

* Beginning to write tests, going to refactor how we build the privileges

* Making the buildPrivilegesMap no longer return application name as the
main key

* Using real privileges since we need to use them for the legacy fallback

* Adding more tests

* Fixing spelling

* Fixing test description

* Fixing comment description

* Adding similar line breaks in the has privilege calls

* No more settings

* No more rbac enabled setting, we just do RBAC

* Using describe to cleanup the test cases

* Logging deprecations when using the legacy fallback

* Cleaning up a bit...

* Using the privilegeMap for the legacy fallback tests

* Now with even less duplication

* Removing stray `rbacEnabled` from angularjs

* Fixing checkLicenses tests since we added RBAC

* [Flaky Test] - wait for page load to complete (#19895)

@kobelb this seems unrelated to our RBAC Phase 1 work, but I was able to consistently reproduce this on my machine.

* [Flaky Test] Fixes flaky role test (#19899)

Here's a fix for the latest flaky test @kobelb

* Now with even easier repository access

* Sample was including login/version privileges, which was occasionally (#19915)

causing issues that were really hard to replicate

* Dynamic types (#19925)

No more hard-coded types! This will make it so that plugins that register their own mappings just transparently work.

* start to address feedback

* Fix RBAC Phase 1 merge from master (#20226)

This updates RBAC Phase 1 to work against the latest master. Specifically:
1. Removes `xpack_main`'s `registerLicenseChangeCallback`, which we introduced in `security-app-privs`, in favor of `onLicenseInfoChange`, which was recently added to master
2. Updated `x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js` to be compliant with rxjs v6

* Retrying initialize 20 times with a scaling backoff (#20297)

* Retrying initialize 20 times with a scaling backoff

* Logging error when we are registering the privileges

* Alternate legacy fallback (#20322)

* Beginning to use alternate callWithRequest fallback

* Only use legacy fallback when user has "some" privileges on index

* Logging useLegacyFallback when there's an authorization failure

* Adding tests, logging failure during find no types fallback

* Switching to using an enum instead of success/useLegacyFallback

* Using _execute to share some of the structure

* Moving comment to where it belongs

* No longer audit logging when we use the legacy fallback

* Setting the status to red on the first error then continually (#20343)

initializing

* Renaming get*Privilege to get*Action

* Adding "instance" to alert about other application privileges

* Revising some of the naming for the edit roles screen

* One more edit role variable renamed

* hasPrivileges is now checkPrivileges

* Revising check_license tests

* Adding 2 more privileges tests

* Moving the other _find method to be near his friend

* Spelling "returning" correctly, whoops

* Adding Privileges tests

* tests for Elasticsearch's privileges APIs

* Switching the hard-coded resource from 'default' to *

* Throw error before we  execute a POST privilege call that won't work

* Resolving issue when initially registering privileges

* Logging legacy fallback deprecation warning on login (#20493)

* Logging legacy fallback deprecation on login

* Consolidation the privileges/authorization folder

* Exposing rudimentary authorization service and fixing authenticate tests

* Moving authorization services configuration to initAuthorization

* Adding "actions" service exposed by the authorization

* Fixing misspelling

* Removing invalid and unused exports

* Adding note about only adding privileges

* Calling it initAuthorizationService

* Throwing explicit validation  error in actions.getSavedObjectAction

* Deep freezing authorization service

* Adding deepFreeze tests

* Checking privileges in one call and cleaning up tests

* Deriving application from Kibana index (#20614)

* Specifying the application on the "authorization service"

* Moving watchStatusAndLicenseToInitialize to be below initAuthorizationService

* Using short-hand propery assignment

* Validate ES has_privileges response before trusting it (#20682)

* validate elasticsearch has_privileges response before trusting it

* address feedback

* Removing unused setting

* Public Role APIs (#20732)

* Beginning to work on external role management APIs

* Refactoring GET tests and adding more permutations

* Adding test for excluding other resources

* Adding get role tests

* Splitting out the endpoints, or else it's gonna get overwhelming

* Splitting out the post and delete actions

* Beginning to work on POST and the tests

* Posting the updated role

* Adding update tests

* Modifying the UI to use the new public APIs

* Removing internal roles API

* Moving the rbac api integration setup tests to use the public role apis

* Testing field_security and query

* Adding create role tests

* We can't update the transient_metadata...

* Removing debugger

* Update and delete tests

* Returning a 204 when POSTing a Role.

* Switching POST to PUT and roles to role

* We don't need the rbacApplication client-side anymore

* Adding delete route tests

* Using not found instead of not acceptable, as that's more likely

* Only allowing us to PUT known Kibana privileges

* Removing transient_metadata

* Removing one letter variable names

* Using PUT instead of POST when saving roles

* Fixing broken tests

* Adding setting to allow the user to turn off the legacy fallback (#20766)

* Pulling the version from the kibana server

* Deleting unused file

* Add API integration tests for roles with index and app privileges (#21033)

* Rbac phase1 functional UI tests (#20949)

* rbac functional tests

*  changes to the test file

* RBAC_functional test

*  incorporating review feedback

* slight modification to the addPriv() to cover all tests

* removed the @ in secure roles and perm file in the describe block  and made it look more relevant

* Fixing role management API from users

* Set a timeout when we try/catch a find, so it doesn't pause a long time

* Changing the way we detect if a user is reserved for the ftr

* Skipping flaky test
kobelb added a commit to kobelb/kibana that referenced this pull request Jul 24, 2018
* partial implementation for OLS Phase 1

* Allow Saved Objects Client to be wrapped

* Add placeholder "kibana.namespace" configuration property

* revert changes to saved objects client

* Remove circular dependency

* Removing namespace setting, we're using xpack.security.rbac.application

* Adding config.getDefault

* Expose SavedObjectsClientProvider on the server for easy plugin consumption

* migrate x-pack changes into kibana

* Beginning to use the ES APIs to insert/check privileges (elastic#18645)

* Beginning to use the ES APIs to insert/check privileges

* Removing todo comment, I think we're good with the current check

* Adding ability to edit kibana application privileges

* Introducing DEFAULT_RESOURCE constant

* Removing unused arguments when performing saved objects auth check

* Performing bulkCreate auth more efficiently

* Throwing error in SavedObjectClient.find if type isn't provided

* Fixing Reporting and removing errant console.log

* Introducing a separate hasPrivileges "service"

* Adding tests and fleshing out the has privileges "service"

* Fixing error message

* You can now edit whatever roles you want

* We're gonna throw the find error in another PR

* Changing conflicting version detection to work when user has no
application privileges

* Throwing correct error when user is forbidden

* Removing unused interceptor

* Adding warning if they're editing a role with application privileges we
can't edit

* Fixing filter...

* Beginning to only update privileges when they need to be

* More tests

* One more test...

* Restricting the rbac application name that can be chosen

* Removing DEFAULT_RESOURCE check

* Supporting 1024 characters for the role name

* Renaming some variables, fixing issue with role w/ no kibana privileges

* Throwing decorated general error when appropriate

* Fixing test description

* Dedent does nothing...

* Renaming some functions

* Adding built-in types and alphabetizing (elastic#19306)

* Filtering out non-default resource Kibana privileges (elastic#19321)

* Removing unused file

* Adding kibana_rbac_dashboard_only_user to dashboard only mode roles (elastic#19511)

* Adding create default roles test (elastic#19505)

* RBAC - SecurityAuditLogger (elastic#19571)

* Manually porting over the AuditLogger for use within the security audit
logger

* HasPrivileges now returns the user from the request

* Has privileges returns username from privilegeCheck

* Adding first eventType to the security audit logger

* Adding authorization success message

* Logging arguments when authorization success

* Fixing test description

* Logging args during audit failures

* RBAC Integration Tests (elastic#19647)

* Porting over the saved objects tests, a bunch are failing, I believe
because security is preventing the requests

* Running saved objects tests with rbac and xsrf disabled

* Adding users

* BulkGet now tests under 3 users

* Adding create tests

* Adding delete tests

* Adding find tests

* Adding get tests

* Adding bulkGet forbidden tests

* Adding not a kibana user tests

* Update tests

* Renaming the actions/privileges to be closer to the functions on the
saved object client itself

* Cleaning up tests and removing without index tests

I'm considering the without index tests to be out of scope for the RBAC
API testing, and we already have unit coverage for these and integration
coverage via the OSS Saved Objects API tests.

* Fixing misspelling

* Fixing "conflicts" after merging master

* Removing some white-space differences

* Deleting files that got left behind in a merge

* Adding the RBAC API Integration Tests

* SavedObjectClient.find filtering (elastic#19708)

* Adding ability to specify filters when calling the repository

* Implementing find filtering

* Revert "Adding ability to specify filters when calling the repository"

This reverts commit 9da30a1.

* Adding integration tests for find filtering

* Adding forbidden auth logging

* Adding asserts to make sure some audit log isn't used

* Adding more audit log specific tests

* Necessarly is not a work, unfortunately

* Fixing test

* More descriptive name than "result"

* Better unauthorized find message?

* Adding getTypes tests

* Trying to isolate cause of rbac test failures

* Adding .toLowerCase() to work around capitalization issue

* No longer exposing the auditLogger, we don't need it like that right now

* Removing some unused code

* Removing defaultSettings from test that doesn't utilize them

* Fixing misspelling

* Don't need an explicit login privilege when we have them all

* Removing unused code, fixing misspelling, adding comment

* Putting a file back

* No longer creating the roles on start-up (elastic#19799)

* Removing kibana_rbac_dashboard_only_user from dashboard only role
defaults

* Fixing small issue with editing Kibana privileges

* [RBAC Phase 1] - Update application privileges when XPack license changes (elastic#19839)

* Adding start to supporting basic license and switching to plat/gold

* Initialize application privilages on XPack license change

* restore mirror_status_and_initialize

* additional tests and peer review updates

* Introducing watchStatusAndLicenseToInitialize

* Adding some tests

* One more test

* Even better tests

* Removing unused mirrorStatusAndInitialize

* Throwing an error if the wrong status function is called

* RBAC Legacy Fallback (elastic#19818)

* Basic implementation, rather sloppy

* Cleaning stuff up a bit

* Beginning to write tests, going to refactor how we build the privileges

* Making the buildPrivilegesMap no longer return application name as the
main key

* Using real privileges since we need to use them for the legacy fallback

* Adding more tests

* Fixing spelling

* Fixing test description

* Fixing comment description

* Adding similar line breaks in the has privilege calls

* No more settings

* No more rbac enabled setting, we just do RBAC

* Using describe to cleanup the test cases

* Logging deprecations when using the legacy fallback

* Cleaning up a bit...

* Using the privilegeMap for the legacy fallback tests

* Now with even less duplication

* Removing stray `rbacEnabled` from angularjs

* Fixing checkLicenses tests since we added RBAC

* [Flaky Test] - wait for page load to complete (elastic#19895)

@kobelb this seems unrelated to our RBAC Phase 1 work, but I was able to consistently reproduce this on my machine.

* [Flaky Test] Fixes flaky role test (elastic#19899)

Here's a fix for the latest flaky test @kobelb

* Now with even easier repository access

* Sample was including login/version privileges, which was occasionally (elastic#19915)

causing issues that were really hard to replicate

* Dynamic types (elastic#19925)

No more hard-coded types! This will make it so that plugins that register their own mappings just transparently work.

* start to address feedback

* Fix RBAC Phase 1 merge from master (elastic#20226)

This updates RBAC Phase 1 to work against the latest master. Specifically:
1. Removes `xpack_main`'s `registerLicenseChangeCallback`, which we introduced in `security-app-privs`, in favor of `onLicenseInfoChange`, which was recently added to master
2. Updated `x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js` to be compliant with rxjs v6

* Retrying initialize 20 times with a scaling backoff (elastic#20297)

* Retrying initialize 20 times with a scaling backoff

* Logging error when we are registering the privileges

* Alternate legacy fallback (elastic#20322)

* Beginning to use alternate callWithRequest fallback

* Only use legacy fallback when user has "some" privileges on index

* Logging useLegacyFallback when there's an authorization failure

* Adding tests, logging failure during find no types fallback

* Switching to using an enum instead of success/useLegacyFallback

* Using _execute to share some of the structure

* Moving comment to where it belongs

* No longer audit logging when we use the legacy fallback

* Setting the status to red on the first error then continually (elastic#20343)

initializing

* Renaming get*Privilege to get*Action

* Adding "instance" to alert about other application privileges

* Revising some of the naming for the edit roles screen

* One more edit role variable renamed

* hasPrivileges is now checkPrivileges

* Revising check_license tests

* Adding 2 more privileges tests

* Moving the other _find method to be near his friend

* Spelling "returning" correctly, whoops

* Adding Privileges tests

* tests for Elasticsearch's privileges APIs

* Switching the hard-coded resource from 'default' to *

* Throw error before we  execute a POST privilege call that won't work

* Resolving issue when initially registering privileges

* Logging legacy fallback deprecation warning on login (elastic#20493)

* Logging legacy fallback deprecation on login

* Consolidation the privileges/authorization folder

* Exposing rudimentary authorization service and fixing authenticate tests

* Moving authorization services configuration to initAuthorization

* Adding "actions" service exposed by the authorization

* Fixing misspelling

* Removing invalid and unused exports

* Adding note about only adding privileges

* Calling it initAuthorizationService

* Throwing explicit validation  error in actions.getSavedObjectAction

* Deep freezing authorization service

* Adding deepFreeze tests

* Checking privileges in one call and cleaning up tests

* Deriving application from Kibana index (elastic#20614)

* Specifying the application on the "authorization service"

* Moving watchStatusAndLicenseToInitialize to be below initAuthorizationService

* Using short-hand propery assignment

* Validate ES has_privileges response before trusting it (elastic#20682)

* validate elasticsearch has_privileges response before trusting it

* address feedback

* Removing unused setting

* Public Role APIs (elastic#20732)

* Beginning to work on external role management APIs

* Refactoring GET tests and adding more permutations

* Adding test for excluding other resources

* Adding get role tests

* Splitting out the endpoints, or else it's gonna get overwhelming

* Splitting out the post and delete actions

* Beginning to work on POST and the tests

* Posting the updated role

* Adding update tests

* Modifying the UI to use the new public APIs

* Removing internal roles API

* Moving the rbac api integration setup tests to use the public role apis

* Testing field_security and query

* Adding create role tests

* We can't update the transient_metadata...

* Removing debugger

* Update and delete tests

* Returning a 204 when POSTing a Role.

* Switching POST to PUT and roles to role

* We don't need the rbacApplication client-side anymore

* Adding delete route tests

* Using not found instead of not acceptable, as that's more likely

* Only allowing us to PUT known Kibana privileges

* Removing transient_metadata

* Removing one letter variable names

* Using PUT instead of POST when saving roles

* Fixing broken tests

* Adding setting to allow the user to turn off the legacy fallback (elastic#20766)

* Pulling the version from the kibana server

* Deleting unused file

* Add API integration tests for roles with index and app privileges (elastic#21033)

* Rbac phase1 functional UI tests (elastic#20949)

* rbac functional tests

*  changes to the test file

* RBAC_functional test

*  incorporating review feedback

* slight modification to the addPriv() to cover all tests

* removed the @ in secure roles and perm file in the describe block  and made it look more relevant

* Fixing role management API from users

* Set a timeout when we try/catch a find, so it doesn't pause a long time

* Changing the way we detect if a user is reserved for the ftr

* Skipping flaky test
kobelb added a commit that referenced this pull request Jul 24, 2018
* partial implementation for OLS Phase 1

* Allow Saved Objects Client to be wrapped

* Add placeholder "kibana.namespace" configuration property

* revert changes to saved objects client

* Remove circular dependency

* Removing namespace setting, we're using xpack.security.rbac.application

* Adding config.getDefault

* Expose SavedObjectsClientProvider on the server for easy plugin consumption

* migrate x-pack changes into kibana

* Beginning to use the ES APIs to insert/check privileges (#18645)

* Beginning to use the ES APIs to insert/check privileges

* Removing todo comment, I think we're good with the current check

* Adding ability to edit kibana application privileges

* Introducing DEFAULT_RESOURCE constant

* Removing unused arguments when performing saved objects auth check

* Performing bulkCreate auth more efficiently

* Throwing error in SavedObjectClient.find if type isn't provided

* Fixing Reporting and removing errant console.log

* Introducing a separate hasPrivileges "service"

* Adding tests and fleshing out the has privileges "service"

* Fixing error message

* You can now edit whatever roles you want

* We're gonna throw the find error in another PR

* Changing conflicting version detection to work when user has no
application privileges

* Throwing correct error when user is forbidden

* Removing unused interceptor

* Adding warning if they're editing a role with application privileges we
can't edit

* Fixing filter...

* Beginning to only update privileges when they need to be

* More tests

* One more test...

* Restricting the rbac application name that can be chosen

* Removing DEFAULT_RESOURCE check

* Supporting 1024 characters for the role name

* Renaming some variables, fixing issue with role w/ no kibana privileges

* Throwing decorated general error when appropriate

* Fixing test description

* Dedent does nothing...

* Renaming some functions

* Adding built-in types and alphabetizing (#19306)

* Filtering out non-default resource Kibana privileges (#19321)

* Removing unused file

* Adding kibana_rbac_dashboard_only_user to dashboard only mode roles (#19511)

* Adding create default roles test (#19505)

* RBAC - SecurityAuditLogger (#19571)

* Manually porting over the AuditLogger for use within the security audit
logger

* HasPrivileges now returns the user from the request

* Has privileges returns username from privilegeCheck

* Adding first eventType to the security audit logger

* Adding authorization success message

* Logging arguments when authorization success

* Fixing test description

* Logging args during audit failures

* RBAC Integration Tests (#19647)

* Porting over the saved objects tests, a bunch are failing, I believe
because security is preventing the requests

* Running saved objects tests with rbac and xsrf disabled

* Adding users

* BulkGet now tests under 3 users

* Adding create tests

* Adding delete tests

* Adding find tests

* Adding get tests

* Adding bulkGet forbidden tests

* Adding not a kibana user tests

* Update tests

* Renaming the actions/privileges to be closer to the functions on the
saved object client itself

* Cleaning up tests and removing without index tests

I'm considering the without index tests to be out of scope for the RBAC
API testing, and we already have unit coverage for these and integration
coverage via the OSS Saved Objects API tests.

* Fixing misspelling

* Fixing "conflicts" after merging master

* Removing some white-space differences

* Deleting files that got left behind in a merge

* Adding the RBAC API Integration Tests

* SavedObjectClient.find filtering (#19708)

* Adding ability to specify filters when calling the repository

* Implementing find filtering

* Revert "Adding ability to specify filters when calling the repository"

This reverts commit 9da30a1.

* Adding integration tests for find filtering

* Adding forbidden auth logging

* Adding asserts to make sure some audit log isn't used

* Adding more audit log specific tests

* Necessarly is not a work, unfortunately

* Fixing test

* More descriptive name than "result"

* Better unauthorized find message?

* Adding getTypes tests

* Trying to isolate cause of rbac test failures

* Adding .toLowerCase() to work around capitalization issue

* No longer exposing the auditLogger, we don't need it like that right now

* Removing some unused code

* Removing defaultSettings from test that doesn't utilize them

* Fixing misspelling

* Don't need an explicit login privilege when we have them all

* Removing unused code, fixing misspelling, adding comment

* Putting a file back

* No longer creating the roles on start-up (#19799)

* Removing kibana_rbac_dashboard_only_user from dashboard only role
defaults

* Fixing small issue with editing Kibana privileges

* [RBAC Phase 1] - Update application privileges when XPack license changes (#19839)

* Adding start to supporting basic license and switching to plat/gold

* Initialize application privilages on XPack license change

* restore mirror_status_and_initialize

* additional tests and peer review updates

* Introducing watchStatusAndLicenseToInitialize

* Adding some tests

* One more test

* Even better tests

* Removing unused mirrorStatusAndInitialize

* Throwing an error if the wrong status function is called

* RBAC Legacy Fallback (#19818)

* Basic implementation, rather sloppy

* Cleaning stuff up a bit

* Beginning to write tests, going to refactor how we build the privileges

* Making the buildPrivilegesMap no longer return application name as the
main key

* Using real privileges since we need to use them for the legacy fallback

* Adding more tests

* Fixing spelling

* Fixing test description

* Fixing comment description

* Adding similar line breaks in the has privilege calls

* No more settings

* No more rbac enabled setting, we just do RBAC

* Using describe to cleanup the test cases

* Logging deprecations when using the legacy fallback

* Cleaning up a bit...

* Using the privilegeMap for the legacy fallback tests

* Now with even less duplication

* Removing stray `rbacEnabled` from angularjs

* Fixing checkLicenses tests since we added RBAC

* [Flaky Test] - wait for page load to complete (#19895)

@kobelb this seems unrelated to our RBAC Phase 1 work, but I was able to consistently reproduce this on my machine.

* [Flaky Test] Fixes flaky role test (#19899)

Here's a fix for the latest flaky test @kobelb

* Now with even easier repository access

* Sample was including login/version privileges, which was occasionally (#19915)

causing issues that were really hard to replicate

* Dynamic types (#19925)

No more hard-coded types! This will make it so that plugins that register their own mappings just transparently work.

* start to address feedback

* Fix RBAC Phase 1 merge from master (#20226)

This updates RBAC Phase 1 to work against the latest master. Specifically:
1. Removes `xpack_main`'s `registerLicenseChangeCallback`, which we introduced in `security-app-privs`, in favor of `onLicenseInfoChange`, which was recently added to master
2. Updated `x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js` to be compliant with rxjs v6

* Retrying initialize 20 times with a scaling backoff (#20297)

* Retrying initialize 20 times with a scaling backoff

* Logging error when we are registering the privileges

* Alternate legacy fallback (#20322)

* Beginning to use alternate callWithRequest fallback

* Only use legacy fallback when user has "some" privileges on index

* Logging useLegacyFallback when there's an authorization failure

* Adding tests, logging failure during find no types fallback

* Switching to using an enum instead of success/useLegacyFallback

* Using _execute to share some of the structure

* Moving comment to where it belongs

* No longer audit logging when we use the legacy fallback

* Setting the status to red on the first error then continually (#20343)

initializing

* Renaming get*Privilege to get*Action

* Adding "instance" to alert about other application privileges

* Revising some of the naming for the edit roles screen

* One more edit role variable renamed

* hasPrivileges is now checkPrivileges

* Revising check_license tests

* Adding 2 more privileges tests

* Moving the other _find method to be near his friend

* Spelling "returning" correctly, whoops

* Adding Privileges tests

* tests for Elasticsearch's privileges APIs

* Switching the hard-coded resource from 'default' to *

* Throw error before we  execute a POST privilege call that won't work

* Resolving issue when initially registering privileges

* Logging legacy fallback deprecation warning on login (#20493)

* Logging legacy fallback deprecation on login

* Consolidation the privileges/authorization folder

* Exposing rudimentary authorization service and fixing authenticate tests

* Moving authorization services configuration to initAuthorization

* Adding "actions" service exposed by the authorization

* Fixing misspelling

* Removing invalid and unused exports

* Adding note about only adding privileges

* Calling it initAuthorizationService

* Throwing explicit validation  error in actions.getSavedObjectAction

* Deep freezing authorization service

* Adding deepFreeze tests

* Checking privileges in one call and cleaning up tests

* Deriving application from Kibana index (#20614)

* Specifying the application on the "authorization service"

* Moving watchStatusAndLicenseToInitialize to be below initAuthorizationService

* Using short-hand propery assignment

* Validate ES has_privileges response before trusting it (#20682)

* validate elasticsearch has_privileges response before trusting it

* address feedback

* Removing unused setting

* Public Role APIs (#20732)

* Beginning to work on external role management APIs

* Refactoring GET tests and adding more permutations

* Adding test for excluding other resources

* Adding get role tests

* Splitting out the endpoints, or else it's gonna get overwhelming

* Splitting out the post and delete actions

* Beginning to work on POST and the tests

* Posting the updated role

* Adding update tests

* Modifying the UI to use the new public APIs

* Removing internal roles API

* Moving the rbac api integration setup tests to use the public role apis

* Testing field_security and query

* Adding create role tests

* We can't update the transient_metadata...

* Removing debugger

* Update and delete tests

* Returning a 204 when POSTing a Role.

* Switching POST to PUT and roles to role

* We don't need the rbacApplication client-side anymore

* Adding delete route tests

* Using not found instead of not acceptable, as that's more likely

* Only allowing us to PUT known Kibana privileges

* Removing transient_metadata

* Removing one letter variable names

* Using PUT instead of POST when saving roles

* Fixing broken tests

* Adding setting to allow the user to turn off the legacy fallback (#20766)

* Pulling the version from the kibana server

* Deleting unused file

* Add API integration tests for roles with index and app privileges (#21033)

* Rbac phase1 functional UI tests (#20949)

* rbac functional tests

*  changes to the test file

* RBAC_functional test

*  incorporating review feedback

* slight modification to the addPriv() to cover all tests

* removed the @ in secure roles and perm file in the describe block  and made it look more relevant

* Fixing role management API from users

* Set a timeout when we try/catch a find, so it doesn't pause a long time

* Changing the way we detect if a user is reserved for the ftr

* Skipping flaky test
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants