-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RBAC Legacy Fallback #19818
RBAC Legacy Fallback #19818
Changes from 18 commits
7dc7349
7ce7de3
c2a67bb
329bfa4
30e91ea
7f93cfb
bfae62b
82f4c6b
f47804b
98223f2
516c037
3c6c061
10add22
b9ab949
0a541ab
5d73c1f
b253406
d96d007
45efe42
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,11 +6,87 @@ | |
|
||
import { getClient } from '../../../../../server/lib/get_client_shield'; | ||
import { DEFAULT_RESOURCE } from '../../../common/constants'; | ||
import { getVersionPrivilege, getLoginPrivilege } from '../privileges'; | ||
import { buildPrivilegeMap, getVersionPrivilege, getLoginPrivilege } from '../privileges'; | ||
|
||
const getMissingPrivileges = (resource, application, privilegeCheck) => { | ||
const privileges = privilegeCheck.application[application][resource]; | ||
return Object.keys(privileges).filter(key => privileges[key] === false); | ||
const hasApplicationPrivileges = async (callWithRequest, request, kibanaVersion, application, privileges) => { | ||
const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', { | ||
body: { | ||
applications: [{ | ||
application, | ||
resources: [DEFAULT_RESOURCE], | ||
privileges | ||
}] | ||
} | ||
}); | ||
|
||
const hasPrivileges = privilegeCheck.application[application][DEFAULT_RESOURCE]; | ||
|
||
// We include the login action in all privileges, so the existence of it and not the version privilege | ||
// lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't | ||
// know whether the user just wasn't authorized for this instance of Kibana in general | ||
if (!hasPrivileges[getVersionPrivilege(kibanaVersion)] && hasPrivileges[getLoginPrivilege()]) { | ||
throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.'); | ||
} | ||
|
||
return { | ||
username: privilegeCheck.username, | ||
hasAllRequested: privilegeCheck.has_all_requested, | ||
privileges: hasPrivileges | ||
}; | ||
}; | ||
|
||
const hasLegacyPrivileges = async (deprecationLogger, callWithRequest, request, kibanaVersion, application, kibanaIndex, privileges) => { | ||
const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', { | ||
body: { | ||
index: [{ | ||
names: [ kibanaIndex ], | ||
privileges: ['read', 'index'] | ||
}] | ||
} | ||
}); | ||
|
||
const createPrivileges = (cb) => { | ||
return privileges.reduce((acc, name) => { | ||
acc[name] = cb(name); | ||
return acc; | ||
}, {}); | ||
}; | ||
|
||
const logDeprecation = () => { | ||
deprecationLogger( | ||
`Relying on implicit privileges determined from the index privileges is deprecated and will be removed in the next major version` | ||
); | ||
}; | ||
|
||
// if they have the index privilege, then we grant them all actions | ||
if (privilegeCheck.index[kibanaIndex].index) { | ||
logDeprecation(); | ||
const implicitPrivileges = createPrivileges(() => true); | ||
return { | ||
username: privilegeCheck.username, | ||
hasAllRequested: true, | ||
privileges: implicitPrivileges | ||
}; | ||
} | ||
|
||
// if they have the read privilege, then we only grant them the read actions | ||
if (privilegeCheck.index[kibanaIndex].read) { | ||
logDeprecation(); | ||
const privilegeMap = buildPrivilegeMap(application, kibanaVersion); | ||
const implicitPrivileges = createPrivileges(name => privilegeMap.read.actions.includes(name)); | ||
|
||
return { | ||
username: privilegeCheck.username, | ||
hasAllRequested: Object.values(implicitPrivileges).every(x => x), | ||
privileges: implicitPrivileges, | ||
}; | ||
} | ||
|
||
return { | ||
username: privilegeCheck.username, | ||
hasAllRequested: false, | ||
privileges: createPrivileges(() => false) | ||
}; | ||
}; | ||
|
||
export function hasPrivilegesWithServer(server) { | ||
|
@@ -19,38 +95,44 @@ export function hasPrivilegesWithServer(server) { | |
const config = server.config(); | ||
const kibanaVersion = config.get('pkg.version'); | ||
const application = config.get('xpack.security.rbac.application'); | ||
const kibanaIndex = config.get('kibana.index'); | ||
const deprecationLogger = (msg) => server.log(['warning', 'deprecated', 'security'], msg); | ||
|
||
return function hasPrivilegesWithRequest(request) { | ||
return async function hasPrivileges(privileges) { | ||
|
||
const versionPrivilege = getVersionPrivilege(kibanaVersion); | ||
const loginPrivilege = getLoginPrivilege(); | ||
const versionPrivilege = getVersionPrivilege(kibanaVersion); | ||
|
||
const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', { | ||
body: { | ||
applications: [{ | ||
application, | ||
resources: [DEFAULT_RESOURCE], | ||
privileges: [versionPrivilege, loginPrivilege, ...privileges] | ||
}] | ||
} | ||
}); | ||
|
||
const success = privilegeCheck.has_all_requested; | ||
const missingPrivileges = getMissingPrivileges(DEFAULT_RESOURCE, application, privilegeCheck); | ||
|
||
// We include the login privilege on all privileges, so the existence of it and not the version privilege | ||
// lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't | ||
// know whether the user just wasn't authorized for this instance of Kibana in general | ||
if (missingPrivileges.includes(versionPrivilege) && !missingPrivileges.includes(loginPrivilege)) { | ||
throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.'); | ||
const allPrivileges = [versionPrivilege, loginPrivilege, ...privileges]; | ||
let privilegesCheck = await hasApplicationPrivileges( | ||
callWithRequest, | ||
request, | ||
kibanaVersion, | ||
application, | ||
allPrivileges | ||
); | ||
|
||
if (!privilegesCheck.privileges[loginPrivilege]) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I know this is still WIP, but I remember talking about adding a configuration option to disable the legacy fallback. Is that something we still want to add? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah, I'll work on getting one added |
||
privilegesCheck = await hasLegacyPrivileges( | ||
deprecationLogger, | ||
callWithRequest, | ||
request, | ||
kibanaVersion, | ||
application, | ||
kibanaIndex, | ||
allPrivileges | ||
); | ||
} | ||
|
||
const success = privilegesCheck.hasAllRequested; | ||
|
||
return { | ||
success, | ||
// We don't want to expose the version privilege to consumers, as it's an implementation detail only to detect version mismatch | ||
missing: missingPrivileges.filter(p => p !== versionPrivilege), | ||
username: privilegeCheck.username, | ||
missing: Object.keys(privilegesCheck.privileges) | ||
.filter(key => privilegesCheck.privileges[key] === false) | ||
.filter(p => p !== versionPrivilege), | ||
username: privilegesCheck.username, | ||
}; | ||
}; | ||
}; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apologies for the huge diff, this was just removing this ^^ if check and the indentation change makes it look larger than it is.