Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add cluster:admin/scripts/painless/execute to kibana_system #84591

Closed
mattkime opened this issue Mar 2, 2022 · 5 comments
Closed

add cluster:admin/scripts/painless/execute to kibana_system #84591

mattkime opened this issue Mar 2, 2022 · 5 comments
Labels
:Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team won't fix

Comments

@mattkime
Copy link

mattkime commented Mar 2, 2022

as discussed #48856 (comment)
@bytebilly bytebilly added the :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC label Mar 3, 2022
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Mar 3, 2022
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@bytebilly
Copy link
Contributor

Thanks for opening this @mattkime.

I think that — even if the change is not that complex — we should evaluate from a security perspective how it will be used by Kibana to handle the Runtime Fields authoring use case. We should avoid any scenario where users can leverage it to perform any data exfiltration or privilege escalation. Once assessed that, I'm supportive to proceed.

@sixstringcode
Copy link

@bytebilly is that something that we can evaluate in the near term?

@bytebilly
Copy link
Contributor

@sixstringcode we need get the approach validated, still under discussion in #48856. This issue may or may not be done based on its outcome.

@javanna
Copy link
Member

javanna commented Mar 30, 2022

I discussed this with @tvernum and @rjernst and we've agreed that adding cluster:admin/scripts/painless/execute privilege to kibana_system is not the right solution. What we'd like to do instead is require a different privilege for executing painless execute when an index is specified, given that users can already execute scripts as part of the search API which requires data read permissions only. I opened #85512 with a proposed solution for this that I hope can unblock things.

@javanna javanna closed this as completed Mar 30, 2022
@mattkime mattkime mentioned this issue May 4, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
:Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team won't fix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@mattkime @javanna @elasticmachine @bytebilly @sixstringcode