RBAC Phase 1 #19710
Closed
RBAC Phase 1 #19710
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Beginning to use the ES APIs to insert/check privileges * Removing todo comment, I think we're good with the current check * Adding ability to edit kibana application privileges * Introducing DEFAULT_RESOURCE constant * Removing unused arguments when performing saved objects auth check * Performing bulkCreate auth more efficiently * Throwing error in SavedObjectClient.find if type isn't provided * Fixing Reporting and removing errant console.log * Introducing a separate hasPrivileges "service" * Adding tests and fleshing out the has privileges "service" * Fixing error message * You can now edit whatever roles you want * We're gonna throw the find error in another PR * Changing conflicting version detection to work when user has no application privileges * Throwing correct error when user is forbidden * Removing unused interceptor * Adding warning if they're editing a role with application privileges we can't edit * Fixing filter... * Beginning to only update privileges when they need to be * More tests * One more test... * Restricting the rbac application name that can be chosen * Removing DEFAULT_RESOURCE check * Supporting 1024 characters for the role name * Renaming some variables, fixing issue with role w/ no kibana privileges * Throwing decorated general error when appropriate * Fixing test description * Dedent does nothing... * Renaming some functions
* Manually porting over the AuditLogger for use within the security audit logger * HasPrivileges now returns the user from the request * Has privileges returns username from privilegeCheck * Adding first eventType to the security audit logger * Adding authorization success message * Logging arguments when authorization success * Fixing test description * Logging args during audit failures
* Porting over the saved objects tests, a bunch are failing, I believe because security is preventing the requests * Running saved objects tests with rbac and xsrf disabled * Adding users * BulkGet now tests under 3 users * Adding create tests * Adding delete tests * Adding find tests * Adding get tests * Adding bulkGet forbidden tests * Adding not a kibana user tests * Update tests * Renaming the actions/privileges to be closer to the functions on the saved object client itself * Cleaning up tests and removing without index tests I'm considering the without index tests to be out of scope for the RBAC API testing, and we already have unit coverage for these and integration coverage via the OSS Saved Objects API tests. * Fixing misspelling
💔 Build Failed |
* Adding ability to specify filters when calling the repository * Implementing find filtering * Revert "Adding ability to specify filters when calling the repository" This reverts commit 9da30a1. * Adding integration tests for find filtering * Adding forbidden auth logging * Adding asserts to make sure some audit log isn't used * Adding more audit log specific tests * Necessarly is not a work, unfortunately * Fixing test * More descriptive name than "result" * Better unauthorized find message? * Adding getTypes tests
|
Closing out to rename the branch to get CI to run against ES changes |
💔 Build Failed |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This needs to be run against https://github.com/elastic/elasticsearch/tree/security-app-privs and for the time being the
elasticsearch.usernameshould beelasticuntil that PR merges and we make it so that the built-in Kibana system role can manage security for creating the privileges and roles on start-up.Resolves #18178