-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dashboard drilldown - either change the privilage definition to update the index pattern or update the dashboard app to not update the index pattern if the user is unauthorized. #76177
Comments
Pinging @elastic/kibana-app (Team:KibanaApp) |
http://localhost:5620/api/saved_objects/index-pattern/logstash-* - request When a user with
|
When the loading is done - its still done as a super user, the lower privilege of the |
dear @mattkime , could it be related to recent index pattern refactoring? |
@elastic/kibana-app bump^ |
@legrego : would you mind taking a look at this too please if it falls under your domain. |
This is a @elastic/kibana-app bug that relates to privileges. Happy to help, but they should take ownership as they understand the intended functionality better than I |
@timroes - can you please help here . Thank you |
@rashmivkulkarni can you point to a branch where this happens? I'm not sure how to reproduce.
You mean you load Kibana in the browser, then change the permissions of the currently logged in user? If that's the case, that was never supported. You have to reload the browser so it can pick up changed permissions (or even better, log in as a separate user) |
@flash1293 changing the roles of the logged in user is something we started doing in tests several months ago and has been very successful. The We're seeing the error "Unable to update index pattern". We don't understand the purpose of the PUT to http://localhost:5620/api/saved_objects/index-pattern/logstash-*. Apparently dashboard all feature control doesn't have that Kibana privilege. |
Thanks for the PR @rashmivkulkarni (for reference, it's this one: #76055 ) I reproduced the problem locally and this is caused by the index pattern service trying to refresh the fields the first time the index pattern is used (
To get the test running, one way is to load the dashboard once as a superuser (this will refresh the index pattern), then switch the roles and load the dashboard again as the limited user to run the tests. As the index pattern is up to date now, it will work fine. @rashmivkulkarni I recommend doing this for now. Another possible approach might be to fix the index pattern saved object in the fixture to not requiring a refresh, but @elastic/kibana-app-arch would have to help with that. You could argue the index pattern service should handle the situation better (maybe try to work with the index pattern without refreshing first if the user doesn't have permission? Not sure whether that's possible) - so I will move this over to @elastic/kibana-app-arch (@mattkime I think you worked in that area recently). I don't think allowing the dashboard permission to change index pattern saved objects is a good approach - this problem can happen in each app accessing index patterns in any way and is more of an edge case (an index pattern created from the UI by an admin wouldn't have the problem). Allowing write access to the index pattern for all of these apps would arguably create a security issue - at least it's very surprising for users allowing read access to a single app would also give write access to index patterns (we would need to do the same thing for read permissions to dashboard because in the current index pattern code this code path will be triggered as well, it's not just limited to "all"). This is not related to drilldowns in any way - it's a general problem with how index patterns are working internally. |
This flaw has existed for a long time. @flash1293 has correctly pointed out that in some circumstances the index pattern is automatically saved upon being loaded. Unfortunately this is by design. Similar problem from the The solution is to stop saving the field list to the saved object - #71787 |
@flash1293 why doesn't that refresh just happen when the index pattern is created in the UI? We know that user has the privs to create (or update) the index pattern. Oh, but in this case (Rashmi's test), the index pattern was created by installing the sample data, not through the index pattern UI. So for now, I think we can modify the test to first open the dashboard as the superuser. |
Actually, on second thought, what would happen in the UI if opening the dashboard just handled the failure to refresh the index pattern silently? |
In the following circumstances the index pattern service determines that it needs to reload and save the field list - https://github.com/elastic/kibana/blob/master/src/plugins/data/common/index_patterns/index_patterns/index_patterns.ts#L198 It looks like code that avoids doing a proper migration step. Thankfully there seems to be little reason to save the list at all. |
The field list is no longer cached - #82223 - will be released in 7.11 |
Should be no longer relevant #76177 (comment) |
Kibana version: 8.0
When I was running the dashboard drilldown functional UI test, after giving specific roles to the logged in
test_user
,I was still getting the following exception in the server:My roles assigned to the user were:
From the Network Tab captured this:
cc @legrego
The text was updated successfully, but these errors were encountered: