elastic · kobelb · Jun 13, 2018 · Jun 11, 2018 · Jun 11, 2018 · Jun 12, 2018
diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
@@ -6,11 +6,78 @@
 
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
-import { getVersionPrivilege, getLoginPrivilege } from '../privileges';
+import { buildPrivilegeMap, getVersionPrivilege, getLoginPrivilege } from '../privileges';
 
-const getMissingPrivileges = (resource, application, privilegeCheck) => {
-  const privileges = privilegeCheck.application[application][resource];
-  return Object.keys(privileges).filter(key => privileges[key] === false);
+const hasApplicationPrivileges = async (callWithRequest, request, kibanaVersion, application, privileges) => {
+  const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
+    body: {
+      applications: [{
+        application,
+        resources: [DEFAULT_RESOURCE],
+        privileges
+      }]
+    }
+  });
+
+  const hasPrivileges = privilegeCheck.application[application][DEFAULT_RESOURCE];
+
+  // We include the login privilege on all privileges, so the existence of it and not the version privilege
+  // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
+  // know whether the user just wasn't authorized for this instance of Kibana in general
+  if (!hasPrivileges[getVersionPrivilege(kibanaVersion)] && hasPrivileges[getLoginPrivilege()]) {
+    throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
+  }
+
+  return {
+    username: privilegeCheck.username,
+    hasAllRequested: privilegeCheck.has_all_requested,
+    privileges: hasPrivileges
+  };
+};
+
+const hasLegacyPrivileges = async (callWithRequest, request, kibanaVersion, application, kibanaIndex, privileges) => {
+  const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
+    body: {
+      index: [{
+        names: [ kibanaIndex ],
+        privileges: ['read', 'index']
+      }]
+    }
+  });
+
+  if (privilegeCheck.index[kibanaIndex].index) {
+    return {
+      username: privilegeCheck.username,
+      hasAllRequested: true,
+      privileges: privileges.reduce((acc, name) => {
+        acc[name] = true;
+        return acc;
+      }, {})
+    };
+  }
+
+  if (privilegeCheck.index[kibanaIndex].read) {
+    const privilegeMap = buildPrivilegeMap(application, kibanaVersion);
+    const implicitPrivileges = privileges.reduce((acc, name) => {
+      acc[name] = privilegeMap.read.actions.includes(name);
+      return acc;
+    }, {});
+
+    return {
+      username: privilegeCheck.username,
+      hasAllRequested: Object.values(implicitPrivileges).every(x => x),
+      privileges: implicitPrivileges,
+    };
+  }
+
+  return {
+    username: privilegeCheck.username,
+    hasAllRequested: false,
+    privileges: privileges.reduce((acc, name) => {
+      acc[name] = false;
+      return acc;
+    }, {})
+  };
 };
 
 export function hasPrivilegesWithServer(server) {
@@ -19,38 +86,36 @@ export function hasPrivilegesWithServer(server) {
   const config = server.config();
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
+  const kibanaIndex = config.get('kibana.index');
 
   return function hasPrivilegesWithRequest(request) {
     return async function hasPrivileges(privileges) {
-
-      const versionPrivilege = getVersionPrivilege(kibanaVersion);
       const loginPrivilege = getLoginPrivilege();
+      const versionPrivilege = getVersionPrivilege(kibanaVersion);
 
-      const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
-        body: {
-          applications: [{
-            application,
-            resources: [DEFAULT_RESOURCE],
-            privileges: [versionPrivilege, loginPrivilege, ...privileges]
-          }]
-        }
-      });
-
-      const success = privilegeCheck.has_all_requested;
-      const missingPrivileges = getMissingPrivileges(DEFAULT_RESOURCE, application, privilegeCheck);
-
-      // We include the login privilege on all privileges, so the existence of it and not the version privilege
-      // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
-      // know whether the user just wasn't authorized for this instance of Kibana in general
-      if (missingPrivileges.includes(versionPrivilege) && !missingPrivileges.includes(loginPrivilege)) {
-        throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
+      const allPrivileges = [versionPrivilege, loginPrivilege, ...privileges];
+      let privilegesCheck = await hasApplicationPrivileges(callWithRequest, request, kibanaVersion, application, allPrivileges);
+
+      if (!privilegesCheck.privileges[loginPrivilege]) {
+        privilegesCheck = await hasLegacyPrivileges(
+          callWithRequest,
+          request,
+          kibanaVersion,
+          application,
+          kibanaIndex,
+          allPrivileges
+        );
       }
 
+      const success = privilegesCheck.hasAllRequested;
+
       return {
         success,
         // We don't want to expose the version privilege to consumers, as it's an implementation detail only to detect version mismatch
-        missing: missingPrivileges.filter(p => p !== versionPrivilege),
-        username: privilegeCheck.username,
+        missing: Object.keys(privilegesCheck.privileges)
+          .filter(key => privilegesCheck.privileges[key] === false)
+          .filter(p => p !== versionPrivilege),
+        username: privilegesCheck.username,
       };
     };
   };