[Feature controls] Allow Elasticsearch features to be hidden in individual spaces #114699

Open
legrego opened this issue Oct 12, 2021 · 3 comments
Labels
enhancement New value added to drive a business result Feature:Security/Feature Controls Platform Security - Spaces & Role Mgmt feature controls Feature:Security/Spaces Platform Security - Spaces feature Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! unified-security-painpoint Highlights issues that are painpoints as a result of the lack of a unified security model

Comments

legrego commented Oct 12, 2021

Summary

We manage two types of features today: Kibana Features and Elasticsearch Features.

Kibana Features are those which respect the Kibana Privilege model -- a vast majority of our features are considered Kibana Features. These features can be disabled at the space level, and access can be managed via Kibana's RBAC model.

Elasticsearch Features are those which rely on cluster and/or index privileges in order to function. Broadly speaking, most Stack Management apps fall into this category. For example, Index Lifecycle Management requires the manage_ilm cluster privilege in order to function. They were introduced in #67791, which gave us the ability to hide stack management features based on cluster/index privileges.

These features CANNOT be disabled at the space level. If an administrator wants to hide an Elasticsearch feature, they must either configure their roles to forbid access, or disable the plugins via kibana.yml.

#89584 prevents us from disabling plugins by default starting in 8.0, so there is a desire to allow Elasticsearch Features to be disabled at the space level. Note that this does not impact the privilege model at all. This is merely an update to the UI-based space level controls.

Tasks

Update the Elasticsearch Feature model

The ElasticsearchFeature model will need to be updated to include:

  1. name
  2. category
  3. order
  4. an option to indicate if they should be included for Spaces management. Opting in makes name, category, and order required. Otherwise they should not be specified.

```ts
  /**
   * Display name for this feature.
   * This will be displayed to end-users, so a translatable string is advised for i18n.
   */
  name?: string;

  /**
   * The category for this feature.
   * This will be used to organize the list of features for display within the
   * Spaces management screen.
   */
  category?: AppCategory;

  /**
   * An ordinal used to sort features relative to one another for display.
   */
  order?: number;
```

The associated validation schema will also need to be updated.

Update the Spaces capability switcher

The Spaces capability switcher will need to be updated to respect Elasticsearch Features that wish to be visible in the spaces management screen.

Update the Spaces management UI

The management UI will need to be updated to show Elasticsearch Features that have opted into per-space control.

cc @sebelga @cjcenizal
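
Added example (not part of the issue and not Kibana source): a sketch of the opt-in validation rule and of a space-level switcher that can only hide a feature, never grant it, matching the statement that the privilege model is untouched. The flag name `spacesManagement`, the flat visibility map, and the feature ids are assumptions made for illustration.

```typescript
// Illustrative only. `spacesManagement` is a hypothetical name for the opt-in flag.
interface AppCategory { id: string; label: string; }

interface ElasticsearchFeatureConfig {
  id: string;
  spacesManagement?: boolean; // hypothetical opt-in to per-space control
  name?: string;
  category?: AppCategory;
  order?: number;
}

const DISPLAY_FIELDS = ['name', 'category', 'order'] as const;

// Opting in makes name/category/order required; otherwise they must be absent.
function validateFeature(f: ElasticsearchFeatureConfig): string[] {
  const errors: string[] = [];
  for (const field of DISPLAY_FIELDS) {
    const present = f[field] !== undefined;
    if (f.spacesManagement && !present) {
      errors.push(`${f.id}: "${field}" is required when opting in`);
    } else if (!f.spacesManagement && present) {
      errors.push(`${f.id}: "${field}" must not be set without opting in`);
    }
  }
  return errors;
}

// Simplified stand-in for UI capabilities: feature id -> visible in the UI.
type Visibility = Record<string, boolean>;

// `fromPrivileges` is what cluster/index privileges already allow the user to see.
// The space setting can only turn an entry off, and only for opted-in features,
// so hiding a feature here never changes what the user is authorized to do.
function applySpaceVisibility(
  features: ElasticsearchFeatureConfig[],
  disabledInSpace: string[],
  fromPrivileges: Visibility
): Visibility {
  const out: Visibility = { ...fromPrivileges };
  for (const f of features) {
    if (f.spacesManagement && disabledInSpace.indexOf(f.id) !== -1) out[f.id] = false;
  }
  return out;
}

// Constructed sample data.
const SAMPLE_FEATURES: ElasticsearchFeatureConfig[] = [
  { id: 'ilm', spacesManagement: true, name: 'Index Lifecycle Management', category: { id: 'data', label: 'Data' }, order: 1 },
  { id: 'legacy_app' }, // not opted in: space settings are ignored for it
];
```

Because the switcher only hides UI entries, a user who holds `manage_ilm` can still call the Elasticsearch APIs directly; restricting access remains a role configuration task.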

@legrego legrego added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result Feature:Security/Spaces Platform Security - Spaces feature Feature:Security/Feature Controls Platform Security - Spaces & Role Mgmt feature controls labels Oct 12, 2021
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)

@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Oct 19, 2021
@legrego legrego removed loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 22, 2022
@legrego legrego added the unified-security-painpoint Highlights issues that are painpoints as a result of the lack of a unified security model label Jul 17, 2024

3 participants