
Security plugin capabilities switcher does not ignore features outside of its security model #153817

Closed
jeramysoucy opened this issue Mar 27, 2023 · 1 comment · Fixed by #154098
Labels
bug Fixes for quality problems that affect the customer experience Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@jeramysoucy

Kibana version: <= 8.6

Description: The security plugin's capabilities switcher should be ignoring features which have opted out of its security controls, but it does not make this distinction. This was discovered via investigation into #146881, where it was found that the security plugin would erroneously disable features outside of its purview which were intended to be exclusively controlled by Enterprise Search. See discussion here.

This issue is blocking the ability to implement parallel execution of capabilities switchers, #152982.

Relevant section of code: https://github.com/elastic/kibana/blob/b84972fb361e888a6c122bb533deac4d7719ac41/x-pack/plugins/security/server/authorization/disable_ui_capabilities.ts#LL70C6-L70C6

@jeramysoucy jeramysoucy added bug Fixes for quality problems that affect the customer experience Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Mar 27, 2023
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)

@jeramysoucy jeramysoucy self-assigned this Mar 28, 2023
jeramysoucy added a commit that referenced this issue Apr 20, 2023
…ault behaviors (#154098)

Closes #153817

## Summary

This PR implements logical checks within the security plugin's
capabilities switcher to account for features that opt out of the Kibana
security model (e.g. Enterprise Search features). It also more
explicitly handles default cases (when a feature is neither a Kibana or
ES feature), exclusions (features handled exclusively by other plugins),
and the catalogue feature (we now qualify each catalogue feature
capability). In these cases (opt-out, default, exclusion, etc.), the
capabilities switcher will ignore the capability and neither enable nor
disable it (see detailed list below).

We are now effectively ignoring only these:
- `spaces` feature ID (handled by spaces plugin capabilities switcher)
- `fileUpload` feature ID (handled by file_upload plugin capabilities
switcher)
- `catalogue` capabilities that are not 'spaces' and are not referenced
by at least one Kibana or ES feature
- `navLinks` that are not referenced by at least one Kibana feature
- Anything that is not a global settings, management, catalogue, nav
link, Kibana, or ES feature

On the flip side we always affect everything under the `management`
feature.

This PR _should_ unblock the ability to implement parallel execution of
capabilities switchers, #152982.


### Related Tests
- x-pack/plugins/security/server/authorization/disable_ui_capabilities.test.ts
- x-pack/test/ui_capabilities/security_and_spaces/config.ts
- x-pack/test/functional/apps/home/config.ts

---------

Co-authored-by: kibanamachine <[email protected]>
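The qualification rules listed in the PR summary, written out as an added TypeScript illustration. This is not Kibana's own `disable_ui_capabilities.ts`; the feature registry, the capability names (`discover`, `enterpriseSearch`, `globalSettings`, and so on) and the `granted` privilege set are constructed placeholders standing in for the real feature definitions and privilege check. The point it shows is the fix the PR describes: a capability is first classified as inside or outside the security model, and only capabilities inside it are ever disabled.

```typescript
// Added illustration (not Kibana's code): a capabilities switcher that only
// acts on capabilities inside its security model and leaves the rest untouched.
// Every feature id, capability name and privilege below is constructed.

type Capabilities = Record<string, Record<string, boolean>>;

interface FeatureDefinition {
  id: string;
  catalogue: string[]; // catalogue entries the feature references
  navLinks: string[]; // nav links the feature references (ES features have none)
}

// Constructed sample registry: two Kibana features and one ES feature.
const KIBANA_FEATURES: FeatureDefinition[] = [
  { id: 'discover', catalogue: ['discover'], navLinks: ['discover'] },
  { id: 'dashboard', catalogue: ['dashboard'], navLinks: ['dashboards'] },
];
const ES_FEATURES: FeatureDefinition[] = [{ id: 'ml', catalogue: ['ml'], navLinks: [] }];

// Feature ids owned by other plugins' switchers (spaces, file_upload).
const EXCLUDED_FEATURE_IDS = new Set(['spaces', 'fileUpload']);
// Feature ids the security switcher always qualifies (assumed names).
const ALWAYS_AFFECTED = new Set(['management', 'globalSettings']);

const kibanaFeatureIds = new Set<string>();
const esFeatureIds = new Set<string>();
const referencedCatalogue = new Set<string>();
const referencedNavLinks = new Set<string>();
for (const f of KIBANA_FEATURES) {
  kibanaFeatureIds.add(f.id);
  for (const c of f.catalogue) referencedCatalogue.add(c);
  for (const n of f.navLinks) referencedNavLinks.add(n);
}
for (const f of ES_FEATURES) {
  esFeatureIds.add(f.id);
  for (const c of f.catalogue) referencedCatalogue.add(c);
}

type Decision = 'affect' | 'ignore';

// Decide whether the security switcher may touch a capability at all.
function classifyCapability(featureId: string, capabilityId: string): Decision {
  if (EXCLUDED_FEATURE_IDS.has(featureId)) return 'ignore';
  if (ALWAYS_AFFECTED.has(featureId)) return 'affect';
  if (featureId === 'catalogue') {
    // Catalogue entries are qualified one by one: 'spaces' and anything a
    // Kibana or ES feature references are ours; the rest belong elsewhere.
    return capabilityId === 'spaces' || referencedCatalogue.has(capabilityId)
      ? 'affect'
      : 'ignore';
  }
  if (featureId === 'navLinks') {
    return referencedNavLinks.has(capabilityId) ? 'affect' : 'ignore';
  }
  if (kibanaFeatureIds.has(featureId) || esFeatureIds.has(featureId)) return 'affect';
  // Default case: a feature that opted out of (or never joined) the model.
  return 'ignore';
}

// Apply the switcher. `granted` holds "featureId.capabilityId" strings the
// user is authorized for; it stands in for the real privilege check.
function disableUnauthorized(capabilities: Capabilities, granted: Set<string>): Capabilities {
  const result: Capabilities = {};
  for (const featureId of Object.keys(capabilities)) {
    result[featureId] = {};
    for (const capabilityId of Object.keys(capabilities[featureId])) {
      const enabled = capabilities[featureId][capabilityId];
      if (classifyCapability(featureId, capabilityId) === 'ignore') {
        result[featureId][capabilityId] = enabled; // never enable or disable
      } else {
        result[featureId][capabilityId] = enabled && granted.has(`${featureId}.${capabilityId}`);
      }
    }
  }
  return result;
}

// Constructed sample: a user granted only discover, plus an Enterprise-Search
// style feature that sits outside the security model entirely.
const SAMPLE_CAPABILITIES: Capabilities = {
  discover: { show: true },
  dashboard: { show: true },
  enterpriseSearch: { show: true },
  spaces: { manage: true },
  catalogue: { discover: true, enterpriseSearch: true, spaces: true },
  navLinks: { discover: true, enterpriseSearch: true },
  management: { indexPatterns: true },
};
const SAMPLE_GRANTED = new Set(['discover.show', 'catalogue.discover', 'navLinks.discover']);

function runSample(): Capabilities {
  return disableUnauthorized(SAMPLE_CAPABILITIES, SAMPLE_GRANTED);
}

console.log(JSON.stringify(runSample(), null, 2));
```

With the sample input, `dashboard.show`, `catalogue.spaces` and `management.indexPatterns` are disabled because they are inside the model and not granted, while `enterpriseSearch.show`, `spaces.manage`, `catalogue.enterpriseSearch` and `navLinks.enterpriseSearch` pass through untouched even though the user holds no privilege for them, which is exactly the behaviour the pre-fix switcher got wrong.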