Security - Fleet Separate Application Authorization #42881

Closed
6 tasks
kobelb opened this issue Aug 7, 2019 · 3 comments
Labels
enhancement New value added to drive a business result Feature:Fleet Fleet team's agent central management project Team:Fleet Team label for Observability Data Collection Fleet team Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@kobelb
Contributor

kobelb commented Aug 7, 2019

The current plan is for Fleet to be its own "application" in regard to the Elasticsearch application privileges. This will be implemented as a separate "section" within the Kibana role management screen:

[Image: 59381194-b90a5a00-8d0f-11e9-8fa8-a7a28764954d]

However, we don't want to make Fleet write their own authorization from scratch and they can build upon the current authorization model.

  • Define their own section in the role management page
  • Specify their own "application privileges" which we'll insert into ES using the Create or update application privileges API
  • Use a wrapped instance of the SavedObjectsClient which performs authorization against the Fleet application
  • Use some checkPrivileges services against their custom Fleet application.
  • Use the API authorization "middleware".
  • Consume UI capabilities

Original discuss issue: #38576
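
As an added illustration of the plan in the issue above (not code from Kibana, Fleet or any participant in this thread), the sketch below builds the request bodies for Elasticsearch's Create or update application privileges API and its has-privileges API for a separate application, then evaluates the response fail-closed. The application name, resource, privilege names, action strings and function names are all hypothetical, and both responses are constructed samples.

```javascript
// Added example; every name below is hypothetical, not taken from Kibana or Fleet.
const FLEET_APP = 'fleet-example'; // assumed application name
const RESOURCE = '*';              // assumed resource

const FLEET_PRIVILEGES = {         // assumed privilege -> action mapping
  read: ['api:fleet/agents/read', 'ui:fleet/show'],
  all: ['api:fleet/agents/read', 'api:fleet/agents/write', 'ui:fleet/show'],
};

// Body for PUT /_security/privilege (Create or update application privileges).
function buildPutPrivilegesBody(app, privileges) {
  const entries = Object.entries(privileges).map(([name, actions]) => [name, { actions }]);
  return { [app]: Object.fromEntries(entries) };
}

// Body for POST /_security/user/_has_privileges, scoped to one application.
function buildHasPrivilegesBody(app, resource, actions) {
  return { application: [{ application: app, resources: [resource], privileges: actions }] };
}

// Fail-closed evaluation: an action counts as granted only if the response
// reports it as exactly `true` under this application and this resource.
// Grants reported for any other application are ignored.
function checkPrivileges(app, resource, actions, response) {
  const granted = response?.application?.[app]?.[resource] ?? {};
  const missing = actions.filter((action) => granted[action] !== true);
  return { authorized: missing.length === 0, missing };
}

// Constructed sample response for a user holding only the "read" privilege.
const sampleResponse = {
  username: 'fleet_reader',
  has_all_requested: false,
  application: {
    [FLEET_APP]: {
      [RESOURCE]: { 'api:fleet/agents/read': true, 'api:fleet/agents/write': false },
    },
  },
};

// Constructed response that carries a grant for a different application only.
const otherAppResponse = {
  has_all_requested: true,
  application: { 'other-app': { [RESOURCE]: { 'api:fleet/agents/write': true } } },
};
```

A route guard in the style of the API authorization "middleware" would call `checkPrivileges` with the actions the route requires and reject the request whenever `authorized` is false.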

@kobelb kobelb added WIP Work in progress Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result labels Aug 7, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-security

@kobelb kobelb changed the title Security - Fleet Authorization Security - Fleet Separate Application Authorization Aug 22, 2019
@kobelb kobelb removed the WIP Work in progress label Jan 14, 2020
@ruflin ruflin added the Feature:Fleet Fleet team's agent central management project label Jan 29, 2020
@elasticmachine
Contributor

Pinging @elastic/ingest (Feature:Fleet)

@jen-huang jen-huang added the Team:Fleet Team label for Observability Data Collection Fleet team label Mar 26, 2020
@ph
Contributor

ph commented May 25, 2020

closing in favor of future discussion for RBAC.

@ph ph closed this as completed May 25, 2020

5 participants