Feature Controls - Reserved Role Apps

test/functional/page_objects/common_page.js

@@ -357,6 +357,11 @@ export function CommonPageProvider({ getService, getPageObjects }) {
         }
       }
     }
+
+    async getBodyText() {
+      const el = await find.byCssSelector('body>pre');
+      return await el.getVisibleText();
+    }
   }
 
   return new CommonPage();

test/functional/page_objects/error_page.js

@@ -18,13 +18,22 @@
  */
 import expect from '@kbn/expect';
 
-export function ErrorPageProvider({ getService }) {
-  const find = getService('find');
+export function ErrorPageProvider({ getPageObjects }) {
+  const PageObjects = getPageObjects(['common']);
 
   class ErrorPage {
+    async expectForbidden() {
+      const messageText = await PageObjects.common.getBodyText();
+      expect(messageText).to.eql(
+        JSON.stringify({
+          statusCode: 403,
+          error: 'Forbidden',
+          message: 'Forbidden'
+        })
+      );
+    }
     async expectNotFound() {
-      const el = await find.byCssSelector('body>pre');
-      const messageText = await el.getVisibleText();
+      const messageText = await PageObjects.common.getBodyText();
       expect(messageText).to.eql(
         JSON.stringify({
           statusCode: 404,

test/scripts/jenkins_xpack_ci_group.sh

@@ -36,6 +36,6 @@ tar -xzf "$linuxBuild" -C "$installDir" --strip=1
 
 echo " -> Running functional and api tests"
 cd "$XPACK_DIR"
-node scripts/functional_tests --debug --bail --kibana-install-dir "$installDir" --include-tag "ciGroup$CI_GROUP"
+node scripts/functional_tests --debug --bail --kibana-install-dir "$installDir" --include-tag "ciGroup$CI_GROUP" --esFrom "source"
 echo ""
 echo ""

x-pack/plugins/ml/index.js

@@ -88,20 +88,19 @@ export const ml = (kibana) => {
         navLinkId: 'ml',
         app: ['ml', 'kibana'],
         catalogue: ['ml'],
-        privileges: {
-          all: {
-            catalogue: ['ml'],
-            grantWithBaseRead: true,
+        privileges: {},
+        reserved: {
+          privilege: {
             savedObject: {
               all: [],
               read: ['config']
             },
             ui: [],
           },
-        },
-        privilegesTooltip: i18n.translate('xpack.ml.privileges.tooltip', {
-          defaultMessage: 'To grant users access, you should also assign either the machine_learning_user or machine_learning_admin role.'
-        })
+          description: i18n.translate('xpack.ml.feature.reserved.description', {
+            defaultMessage: 'To grant users access, you should also assign either the machine_learning_user or machine_learning_admin role.'
+          })
+        }
       });
 
       // Add server routes and initialize the plugin here

x-pack/plugins/ml/public/jobs/jobs_list/components/jobs_list_view/jobs_list_view.js

@@ -406,7 +406,7 @@ export class JobsListView extends Component {
         <JobStatsBar
           jobsSummaryList={jobsSummaryList}
         />
-        <div className="job-management">
+        <div className="job-management" data-test-subj="ml-jobs-list">
           <NodeAvailableWarning />
           <UpgradeWarning />
           <header>

x-pack/plugins/monitoring/init.js

@@ -64,20 +64,19 @@ export const init = (monitoringPlugin, server) => {
     navLinkId: 'monitoring',
     app: ['monitoring', 'kibana'],
     catalogue: ['monitoring'],
-    privileges: {
-      all: {
-        catalogue: ['monitoring'],
-        grantWithBaseRead: true,
+    privileges: {},
+    reserved: {
+      privilege: {
         savedObject: {
           all: [],
-          read: ['config'],
+          read: ['config']
         },
         ui: [],
       },
-    },
-    privilegesTooltip: i18n.translate('xpack.monitoring.privileges.tooltip', {
-      defaultMessage: 'To grant users access, you should also assign the monitoring_user role.'
-    })
+      description: i18n.translate('xpack.monitoring.feature.reserved.description', {
+        defaultMessage: 'To grant users access, you should also assign the monitoring_user role.'
+      })
+    }
   });
 
   const bulkUploader = initBulkUploader(kbnServer, server);

x-pack/plugins/security/common/constants.ts

@@ -7,3 +7,5 @@
 export const GLOBAL_RESOURCE = '*';
 export const IGNORED_TYPES = ['space'];
 export const REALMS_ELIGIBLE_FOR_PASSWORD_CHANGE = ['reserved', 'native'];
+export const APPLICATION_PREFIX = 'kibana-';
+export const RESERVED_PRIVILEGES_APPLICATION_WILDCARD = 'kibana-*';

x-pack/plugins/security/common/model/kibana_privileges/feature_privileges.ts

@@ -19,7 +19,12 @@ export class KibanaFeaturePrivileges {
   }
 
   public getPrivileges(featureId: string): string[] {
-    return Object.keys(this.featurePrivilegesMap[featureId]);
+    const featurePrivileges = this.featurePrivilegesMap[featureId];
+    if (featurePrivileges == null) {
+      return [];
+    }
+
+    return Object.keys(featurePrivileges);
   }
 
   public getActions(featureId: string, privilege: string): string[] {

x-pack/plugins/security/common/model/raw_kibana_privileges.ts

@@ -14,4 +14,5 @@ export interface RawKibanaPrivileges {
   global: Record<string, string[]>;
   features: RawKibanaFeaturePrivileges;
   space: Record<string, string[]>;
+  reserved: Record<string, string[]>;
 }

x-pack/plugins/security/common/model/role.ts

@@ -19,6 +19,7 @@ export interface RoleKibanaPrivilege {
   spaces: string[];
   base: string[];
   feature: FeaturesPrivileges;
+  _reserved?: string[];
 }
 
 export interface Role {

x-pack/plugins/security/public/lib/kibana_privilege_calculator/__fixtures__/default_privilege_definition.ts

@@ -34,4 +34,5 @@ export const defaultPrivilegeDefinition = new KibanaPrivileges({
       all: ['ui:/feature3/foo', 'ui:/feature3/foo/*'],
     },
   },
+  reserved: {},
 });

x-pack/plugins/security/public/lib/kibana_privilege_calculator/kibana_allowed_privileges_calculator.ts

@@ -93,6 +93,10 @@ export class KibanaAllowedPrivilegesCalculator {
     candidateFeaturePrivileges: string[]
   ): { privileges: string[]; canUnassign: boolean } {
     const effectiveFeaturePrivilegeExplanation = effectivePrivileges.feature[featureId];
+    if (effectiveFeaturePrivilegeExplanation == null) {
+      throw new Error('To calculate allowed feature privileges, we need the effective privileges');
+    }
+
     const effectiveFeatureActions = this.getFeatureActions(
       featureId,
       effectiveFeaturePrivilegeExplanation.actualPrivilege

x-pack/plugins/security/public/lib/kibana_privilege_calculator/kibana_privilege_calculator.ts

@@ -76,6 +76,7 @@ export class KibanaPrivilegeCalculator {
         ignoreAssigned
       ),
       feature: {},
+      reserved: privilegeSpec._reserved,
     };
 
     // If calculations wish to ignoreAssigned, then we still need to know what the real effective base privilege is

x-pack/plugins/security/public/lib/kibana_privilege_calculator/kibana_privilege_calculator_types.ts

@@ -32,8 +32,9 @@ export interface PrivilegeExplanation {
 export interface CalculatedPrivilege {
   base: PrivilegeExplanation;
   feature: {
-    [featureId: string]: PrivilegeExplanation;
+    [featureId: string]: PrivilegeExplanation | undefined;
   };
+  reserved: undefined | string[];
 }
 
 export interface PrivilegeScenario {
@@ -50,9 +51,11 @@ export interface AllowedPrivilege {
     canUnassign: boolean;
   };
   feature: {
-    [featureId: string]: {
-      privileges: string[];
-      canUnassign: boolean;
-    };
+    [featureId: string]:
+      | {
+          privileges: string[];
+          canUnassign: boolean;
+        }
+      | undefined;
   };
 }

x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/feature_table/feature_table.test.tsx

@@ -36,6 +36,7 @@ const defaultPrivilegeDefinition = new KibanaPrivileges({
       all: ['somethingObsecure:/foo'],
     },
   },
+  reserved: {},
 });
 
 interface BuildRoleOpts {

x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/feature_table/feature_table.tsx

@@ -61,14 +61,32 @@ export class FeatureTable extends Component<Props, {}> {
   public render() {
     const { role, features, calculatedPrivileges, rankedFeaturePrivileges } = this.props;
 
-    const items: TableRow[] = features.map(feature => ({
-      feature: {
-        ...feature,
-        hasAnyPrivilegeAssigned:
-          calculatedPrivileges.feature[feature.id].actualPrivilege !== NO_PRIVILEGE_VALUE,
-      },
-      role,
-    }));
+    const items: TableRow[] = features
+      .sort((feature1, feature2) => {
+        if (feature1.reserved && !feature2.reserved) {
+          return 1;
+        }
+
+        if (feature2.reserved && !feature1.reserved) {
+          return -1;
+        }
+
+        return 0;
+      })
+      .map(feature => {
+        const calculatedFeaturePrivileges = calculatedPrivileges.feature[feature.id];
+        const hasAnyPrivilegeAssigned = Boolean(
+          calculatedFeaturePrivileges &&
+            calculatedFeaturePrivileges.actualPrivilege !== NO_PRIVILEGE_VALUE
+        );
+        return {
+          feature: {
+            ...feature,
+            hasAnyPrivilegeAssigned,
+          },
+          role,
+        };
+      });
 
     // TODO: This simply grabs the available privileges from the first feature we encounter.
     // As of now, features can have 'all' and 'read' as available privileges. Once that assumption breaks,
@@ -147,13 +165,17 @@ export class FeatureTable extends Component<Props, {}> {
         </span>
       ),
       render: (roleEntry: Role, record: TableRow) => {
-        const featureId = record.feature.id;
+        const { id: featureId, reserved } = record.feature;
+
+        if (reserved) {
+          return <EuiText size={'s'}>{reserved.description}</EuiText>;
+        }
 
         const featurePrivileges = this.props.kibanaPrivileges
           .getFeaturePrivileges()
           .getPrivileges(featureId);
 
-        if (!featurePrivileges) {
+        if (featurePrivileges.length === 0) {
           return null;
         }
 
@@ -213,18 +235,32 @@ export class FeatureTable extends Component<Props, {}> {
       return featurePrivileges;
     }
 
-    return allowedPrivileges.feature[featureId].privileges;
+    const allowedFeaturePrivileges = allowedPrivileges.feature[featureId];
+    if (allowedFeaturePrivileges == null) {
+      throw new Error('Unable to get enabled feature privileges for a feature without privileges');
+    }
+
+    return allowedFeaturePrivileges.privileges;
   };
 
   private getPrivilegeExplanation = (featureId: string): PrivilegeExplanation => {
     const { calculatedPrivileges } = this.props;
+    const calculatedFeaturePrivileges = calculatedPrivileges.feature[featureId];
+    if (calculatedFeaturePrivileges == null) {
+      throw new Error('Unable to get privilege explanation for a feature without privileges');
+    }
 
-    return calculatedPrivileges.feature[featureId];
+    return calculatedFeaturePrivileges;
   };
 
   private allowsNoneForPrivilegeAssignment = (featureId: string): boolean => {
     const { allowedPrivileges } = this.props;
-    return allowedPrivileges.feature[featureId].canUnassign;
+    const allowedFeaturePrivileges = allowedPrivileges.feature[featureId];
+    if (allowedFeaturePrivileges == null) {
+      throw new Error('Unable to determine if none is allowed for a feature without privileges');
+    }
+
+    return allowedFeaturePrivileges.canUnassign;
   };
 
   private onChangeAllFeaturePrivileges = (privilege: string) => {

x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/kibana_privileges_region.test.tsx

@@ -43,6 +43,7 @@ const buildProps = (customProps = {}) => {
       global: {},
       space: {},
       features: {},
+      reserved: {},
     }),
     intl: null as any,
     uiCapabilities: {

x-pack/plugins/security/public/views/management/edit_role/components/privileges/kibana/simple_privilege_section/simple_privilege_section.test.tsx

@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 // @ts-ignore
-import { EuiButtonGroup, EuiButtonGroupProps, EuiSuperSelect } from '@elastic/eui';
+import { EuiButtonGroup, EuiButtonGroupProps, EuiComboBox, EuiSuperSelect } from '@elastic/eui';
 import React from 'react';
 import { mountWithIntl, shallowWithIntl } from 'test_utils/enzyme_helpers';
 import { Feature } from 'x-pack/plugins/xpack_main/types';
@@ -23,6 +23,7 @@ const buildProps = (customProps: any = {}) => {
     },
     global: {},
     space: {},
+    reserved: {},
   });
 
   const role = {
@@ -130,6 +131,29 @@ describe('<SimplePrivilegeForm>', () => {
     expect(wrapper.find(UnsupportedSpacePrivilegesWarning)).toHaveLength(0);
   });
 
+  it('displays the reserved privilege', () => {
+    const props = buildProps({
+      role: {
+        elasticsearch: {},
+        kibana: [
+          {
+            spaces: ['*'],
+            base: [],
+            feature: {},
+            _reserved: ['foo'],
+          },
+        ],
+      },
+    });
+    const wrapper = shallowWithIntl(<SimplePrivilegeSection {...props} />);
+    const selector = wrapper.find(EuiComboBox);
+    expect(selector.props()).toMatchObject({
+      isDisabled: true,
+      selectedOptions: [{ label: 'foo' }],
+    });
+    expect(wrapper.find(UnsupportedSpacePrivilegesWarning)).toHaveLength(0);
+  });
+
   it('fires its onChange callback when the privilege changes', () => {
     const props = buildProps();
     const wrapper = mountWithIntl(<SimplePrivilegeSection {...props} />);