Feature Controls - document limitations for kibana.defaultAppId and server.defaultRoute #46331

Closed
iainardo opened this issue Sep 23, 2019 · 8 comments
Labels
Feature:Security/Feature Controls Platform Security - Spaces & Role Mgmt feature controls Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@iainardo

iainardo commented Sep 23, 2019

Edit by @legrego: Issue renamed to capture documentation updates. See comment below.


Kibana version:
7.3.0

Elasticsearch version:
7.3.0
Server OS version:
Centos 7.x

Browser version:
Google Chrome 75.0.3770.100 (Official Build) (64-bit)

Browser OS version:
Ubuntu 18.04 LTS

Original install method (e.g. download page, yum, from source, etc.):

Describe the bug:

  • A Kibana user with Read (or None) Dashboard privileges cannot log in to Kibana. An error is continually displayed in the browser.

  • A Kibana native user with a READONLY dashboard privilege role is being directed to app/kibana#/dashboard. Given the user is configured with readonly dashboard privileges, they should really be directed to "app/kibana#/dashboards"?

Steps to reproduce:

  1. Create the foo_readonly Kibana role (Management -> Roles)
    i) readonly index privileges to 'foo-*' indexes
    ii) for the foo space, give the role Read privilege on all space features (Discover, Visualise, Dashboard etc.)
  2. Create a foo_user that uses the foo_readonly role created above (Management -> Users)
  3. Log out as the Kibana super user
  4. Log in to Kibana as foo_user
  5. An error appears on the Kibana screen. The only way to get out of the continual Kibana login attempt loop is to clear the browser session, as the error message suggests.

Expected behavior:

  • Kibana user should log in successfully and land on the dashboards page.

Screenshots (if relevant):

  • However user is redirected to app/kibana#/dashboard page (which they don't have permissions to access - as they have READONLY dashboard permissions)

Errors in browser console (if relevant):

Something went wrong
Try refreshing the page. If that doesn't work, go back to the previous page or clear your session data.

[$rootScope:infdig] 10 $digest() iterations reached. Aborting! Watchers fired in the last 5 iterations: [] https://errors.angularjs.org/1.7.9-local+sha.ca61b0e84/$rootScope/infdig?p0=10&p1=%5B%5D
Version: 7.3.0
Build: 25250
Error: [$rootScope:infdig] 10 $digest() iterations reached. Aborting!
Watchers fired in the last 5 iterations: []
https://errors.angularjs.org/1.7.9-local+sha.ca61b0e84/$rootScope/infdig?p0=10&p1=%5B%5D
    at https://xxxx/kibana/built_assets/dlls/vendors.bundle.dll.js:499:1181
    at Scope.$digest (https://xxxx/kibana/built_assets/dlls/vendors.bundle.dll.js:499:211677)
    at Scope.$apply (https://xxxx/kibana/built_assets/dlls/vendors.bundle.dll.js:499:213504)
    at bootstrapApply (https://xxxx/kibana/built_assets/dlls/vendors.bundle.dll.js:499:17480)
    at Object.invoke (https://xxxx/kibana/built_assets/dlls/vendors.bundle.dll.js:499:53311)
    at doBootstrap (https://xxxx/kibana/built_assets/dlls/vendors.bundle.dll.js:499:17359)
    at Object.bootstrap (https://xxxx/kibana/built_assets/dlls/vendors.bundle.dll.js:499:17868)
    at Object.chrome.bootstrap (https://xxxx/kibana/bundles/commons.bundle.js:3:1846908)
    at LegacyPlatformService.start (https://xxxx/kibana/bundles/commons.bundle.js:3:1842907)
    at CoreSystem._callee2$ (https://xxxx/kibana/bundles/commons.bundle.js:3:1839477)
Note: I've redacted the host info above

Provide logs and/or server output (if relevant):

  • Apart from the browser console error there is no evident output in kibana/elasticsearch verbose logs

Any additional context:

  • It seems that on login the user is redirected to the ../app/kibana#/dashboard page (which it seems they shouldn't have permissions to access, as they have READONLY dashboard permissions)?
  • While the Kibana error is being reported, if I hack the URL and change dashboard to dashboards, login is successful and dashboards are displayed as expected.
  • Given the user has readonly dashboard privileges, they should really be directed to "app/kibana#/dashboards"?
  • If the READ dashboard privilege is changed to ALL on the role, the problem goes away. If you revert the role's space dashboard privilege back to READ from ALL, the error occurs again.
  • See https://discuss.elastic.co/t/kibana-space-role-configuration-please-help/200273 for further information
  • The error also occurs if NONE is used as the privilege for Dashboard, so it would seem a user with an association to such a role cannot log in.
@iainardo iainardo changed the title Kibana user login errors on login when role space dashboard feature privilege is READ or NONE Kibana user login errors user has role space dashboard feature privilege READ or NONE Sep 23, 2019
@legrego
Member

legrego commented Sep 23, 2019

@iainardo, are you by chance using either of the following kibana.yml settings?

  • kibana.defaultAppId
  • server.defaultRoute

If so, these settings are not (yet) capable of reading the current user's privileges, and they'll blindly redirect all users to the configured app / endpoint after logging in.

@legrego legrego added Feature:Security/Feature Controls Platform Security - Spaces & Role Mgmt feature controls Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Sep 23, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-security

@iainardo
Author

Hi @legrego, thanks for the reply and your help on this!

Yes indeed, I'm using kibana.defaultAppId in kibana.yml but not server.defaultRoute

It seems the issue I reported can be resolved (partially) by updating kibana.yml from:
kibana.defaultAppId: "dashboard"
to
kibana.defaultAppId: "dashboards"

For scenarios where some users shouldn't have dashboard space privileges, I guess this configuration should be removed altogether from kibana.yml (or some other common landing page should be selected.)

It would be useful if this information could make its way into the docs for others in case they come across the same issue.

@legrego
Member

legrego commented Sep 23, 2019

For scenarios where some users shouldn't have dashboard space privileges, I guess this configuration should be removed altogether from kibana.yml (or some other common landing page should be selected.)

Yeah, the default landing page of home is the current "safe" path. All Kibana users regardless of space/feature privileges will be able to access this home page.

We are working on adding support for space-specific default routes. This doesn't directly solve your problem, but depending on your space/user configuration, it may alleviate it somewhat.

It would be useful if this information could make its way into the docs for others in case they come across the same issue.

I agree, thanks for raising this issue. I'm going to undertake an effort in the near future to improve docs for this scenario, and a couple of other cases that have come up recently around spaces and security:
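The two points made above (kibana.defaultAppId / server.defaultRoute redirect every user without consulting their privileges, and "home" is the only landing page every user can reach) can be turned into a pre-deployment check. The following is an added example written for this page, not Kibana's own code. It models roles in the shape of the Kibana role API (a list of space entries with base and feature privileges) and assumes a small route-to-privilege table derived from the observations in this thread: "dashboard" (the new-dashboard editor) needed ALL, "dashboards" (the listing) worked with READ, and "home" needs nothing. The route table, role and user names are constructed for the example.

```python
"""Check whether a kibana.defaultAppId is reachable by every user.

Added example, not Kibana code. It answers the question this thread
raises: given roles with per-space feature privileges, which users
would be sent by kibana.defaultAppId to a page they cannot open?
"""
from typing import Dict, List, Optional, Tuple

# Ordering of a single feature privilege: none < read < all.
RANK = {"none": 0, "read": 1, "all": 2}

# Minimum (feature, privilege) each landing route needs. ASSUMPTION
# modelled on the thread's observations, not an official Kibana table:
# "dashboard" needed ALL, "dashboards" worked with READ, "home" is open.
ROUTE_REQUIREMENTS: Dict[str, Optional[Tuple[str, str]]] = {
    "home": None,
    "dashboards": ("dashboard", "read"),
    "dashboard": ("dashboard", "all"),
    "discover": ("discover", "read"),
}


def effective_privilege(role: dict, space: str, feature: str) -> str:
    """Highest privilege `role` grants on `feature` inside `space`.

    `role["kibana"]` is a list of entries shaped like the Kibana role API:
    {"spaces": [...], "base": ["all"|"read"], "feature": {name: [priv]}}.
    A feature that is absent from an entry is "none", as in the API.
    """
    best = "none"
    for entry in role.get("kibana", []):
        spaces = entry.get("spaces", [])
        if space not in spaces and "*" not in spaces:
            continue
        # A base privilege applies to every feature in the space.
        candidates = list(entry.get("base", []))
        candidates += entry.get("feature", {}).get(feature, [])
        for priv in candidates:
            if RANK[priv] > RANK[best]:
                best = priv
    return best


def can_land(roles: List[dict], space: str, default_app: str) -> bool:
    """True if a user holding `roles` can open `default_app` in `space`."""
    if default_app not in ROUTE_REQUIREMENTS:
        raise ValueError(f"unknown landing route: {default_app}")
    req = ROUTE_REQUIREMENTS[default_app]
    if req is None:  # "home": reachable by every authenticated user
        return True
    feature, needed = req
    granted = max(
        (effective_privilege(r, space, feature) for r in roles),
        key=lambda p: RANK[p],
        default="none",
    )
    return RANK[granted] >= RANK[needed]


def locked_out_users(users: Dict[str, List[dict]], space: str,
                     default_app: str) -> List[str]:
    """Users who would be redirected to a page they cannot open."""
    return sorted(name for name, roles in users.items()
                  if not can_land(roles, space, default_app))


# Constructed sample roles, mirroring the issue's foo_readonly role.
FOO_READONLY = {"kibana": [{"spaces": ["foo"], "base": [],
                            "feature": {"discover": ["read"],
                                        "visualize": ["read"],
                                        "dashboard": ["read"]}}]}
FOO_NO_DASHBOARD = {"kibana": [{"spaces": ["foo"], "base": [],
                                "feature": {"discover": ["read"]}}]}
FOO_EDITOR = {"kibana": [{"spaces": ["foo"], "base": [],
                          "feature": {"dashboard": ["all"]}}]}
ALL_SPACES_ADMIN = {"kibana": [{"spaces": ["*"], "base": ["all"],
                                "feature": {}}]}

USERS = {
    "foo_user": [FOO_READONLY],
    "foo_none_user": [FOO_NO_DASHBOARD],
    "foo_editor": [FOO_EDITOR],
    "admin": [ALL_SPACES_ADMIN],
}

if __name__ == "__main__":
    for app in ("dashboard", "dashboards", "home"):
        print(f"kibana.defaultAppId: {app!r} -> locked out:",
              locked_out_users(USERS, "foo", app))
```

Run against the constructed users, "dashboard" locks out both the read-only and the no-dashboard user, "dashboards" still locks out the user with no Dashboard privilege, and "home" locks out nobody, which is exactly the safe default recommended above. Extend ROUTE_REQUIREMENTS with the routes you actually use before relying on the check.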

@iainardo
Author

Great thanks @legrego 👍

@legrego
Member

legrego commented Sep 23, 2019

@iainardo if it's alright with you, can I rename this issue to track the documentation improvements for this scenario?

@iainardo
Author

@legrego - sure absolutely! If I can help let me know.

@legrego legrego changed the title Kibana user login errors user has role space dashboard feature privilege READ or NONE Feature Controls - document limitations for kibana.defaultAppId and server.defaultRoute Sep 23, 2019
@legrego legrego self-assigned this Sep 23, 2019
@legrego legrego removed their assignment May 28, 2020
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Aug 5, 2021
@legrego legrego removed EnableJiraSync loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 18, 2022
@legrego
Member

legrego commented Jan 17, 2023

Thank you for contributing to this issue, however, we are closing this issue due to inactivity as part of a backlog grooming effort. If you believe this feature/bug should still be considered, please reopen with a comment.

@legrego legrego closed this as not planned Won't fix, can't repro, duplicate, stale Jan 17, 2023
3 participants