Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[7.x] - Deprecate excluding ML from base privileges #115445

Merged
merged 18 commits into from
Oct 20, 2021
Merged

[7.x] - Deprecate excluding ML from base privileges #115445

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
33318f2
Deprecate excluding ML privileges
legrego Oct 18, 2021
68f48b0
fix i18n ids
legrego Oct 18, 2021
d3de445
refactor to use privilege_deprecations service
legrego Oct 18, 2021
df3c0df
fix type check
legrego Oct 18, 2021
8fe6129
remove unused function
legrego Oct 18, 2021
a6a41a9
Adding additional test case
legrego Oct 19, 2021
08a450a
Merge branch '7.x' of github.com:elastic/kibana into security/ml-priv…
legrego Oct 19, 2021
3618092
Merge branch '7.x' into security/ml-privileges-deprecation
kibanamachine Oct 19, 2021
2f9524b
Apply suggestions from code review
legrego Oct 19, 2021
fea10e9
update tests
legrego Oct 19, 2021
97a8524
Merge branch '7.x' of github.com:elastic/kibana into security/ml-priv…
legrego Oct 19, 2021
aacd4e2
Merge branch '7.x' into security/ml-privileges-deprecation
kibanamachine Oct 19, 2021
e59f341
Merge branch '7.x' into security/ml-privileges-deprecation
kibanamachine Oct 20, 2021
2f6ba40
Merge branch '7.x' into security/ml-privileges-deprecation
kibanamachine Oct 20, 2021
104bf63
Merge branch '7.x' into security/ml-privileges-deprecation
kibanamachine Oct 20, 2021
d82b859
Merge branch '7.x' into security/ml-privileges-deprecation
kibanamachine Oct 20, 2021
8271102
Merge branch '7.x' into security/ml-privileges-deprecation
kibanamachine Oct 20, 2021
5d7e2cc
Merge branch '7.16' into security/ml-privileges-deprecation
kibanamachine Oct 20, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions x-pack/plugins/security/common/licensing/license_features.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,11 @@ export interface SecurityLicenseFeatures {
*/
readonly allowRbac: boolean;

/**
* Indicates if Machine Learning features are available.
*/
readonly allowML: boolean;

/**
* Indicates whether we allow sub-feature privileges.
*/
Expand Down
17 changes: 15 additions & 2 deletions x-pack/plugins/security/common/licensing/license_service.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ describe('license features', function () {
allowRbac: false,
allowSubFeaturePrivileges: false,
allowAuditLogging: false,
allowML: false,
allowLegacyAuditLogging: false,
});
});
Expand All @@ -51,6 +52,7 @@ describe('license features', function () {
allowRbac: false,
allowSubFeaturePrivileges: false,
allowAuditLogging: false,
allowML: false,
allowLegacyAuditLogging: false,
});
});
Expand All @@ -75,6 +77,7 @@ describe('license features', function () {
"allowAuditLogging": false,
"allowLegacyAuditLogging": false,
"allowLogin": false,
"allowML": false,
"allowRbac": false,
"allowRoleDocumentLevelSecurity": false,
"allowRoleFieldLevelSecurity": false,
Expand All @@ -97,6 +100,7 @@ describe('license features', function () {
"allowAuditLogging": true,
"allowLegacyAuditLogging": true,
"allowLogin": true,
"allowML": true,
"allowRbac": true,
"allowRoleDocumentLevelSecurity": true,
"allowRoleFieldLevelSecurity": true,
Expand Down Expand Up @@ -134,10 +138,12 @@ describe('license features', function () {
allowRbac: true,
allowSubFeaturePrivileges: false,
allowAuditLogging: false,
allowML: false,
allowLegacyAuditLogging: false,
});
expect(getFeatureSpy).toHaveBeenCalledTimes(1);
expect(getFeatureSpy).toHaveBeenCalledTimes(2);
expect(getFeatureSpy).toHaveBeenCalledWith('security');
expect(getFeatureSpy).toHaveBeenCalledWith('ml');
});

it('should not show login page or other security elements if security is disabled in Elasticsearch.', () => {
Expand All @@ -160,6 +166,7 @@ describe('license features', function () {
allowRbac: false,
allowSubFeaturePrivileges: false,
allowAuditLogging: false,
allowML: false,
allowLegacyAuditLogging: false,
});
});
Expand All @@ -185,6 +192,7 @@ describe('license features', function () {
allowRbac: true,
allowSubFeaturePrivileges: false,
allowAuditLogging: false,
allowML: false,
allowLegacyAuditLogging: true,
});
});
Expand All @@ -210,14 +218,18 @@ describe('license features', function () {
allowRbac: true,
allowSubFeaturePrivileges: true,
allowAuditLogging: true,
allowML: false,
allowLegacyAuditLogging: true,
});
});

it('should allow to login, allow RBAC, role mappings, access agreement, sub-feature privileges, and DLS if license >= platinum', () => {
const mockRawLicense = licenseMock.createLicense({
license: { mode: 'platinum', type: 'platinum' },
features: { security: { isEnabled: true, isAvailable: true } },
features: {
security: { isEnabled: true, isAvailable: true },
ml: { isEnabled: true, isAvailable: true },
},
});

const serviceSetup = new SecurityLicenseService().setup({
Expand All @@ -235,6 +247,7 @@ describe('license features', function () {
allowRbac: true,
allowSubFeaturePrivileges: true,
allowAuditLogging: true,
allowML: true,
allowLegacyAuditLogging: true,
});
});
Expand Down
14 changes: 14 additions & 0 deletions x-pack/plugins/security/common/licensing/license_service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,15 @@ export class SecurityLicenseService {
);
}

private isMLEnabledFromRawLicense(rawLicense: Readonly<ILicense> | undefined) {
if (!rawLicense) {
return false;
}

const mlFeature = rawLicense.getFeature('ml');
return mlFeature !== undefined && mlFeature.isAvailable && mlFeature.isEnabled;
}

private calculateFeaturesFromRawLicense(
rawLicense: Readonly<ILicense> | undefined
): SecurityLicenseFeatures {
Expand All @@ -85,6 +94,7 @@ export class SecurityLicenseService {
allowRoleDocumentLevelSecurity: false,
allowRoleFieldLevelSecurity: false,
allowRbac: false,
allowML: false,
allowSubFeaturePrivileges: false,
layout:
rawLicense !== undefined && !rawLicense?.isAvailable
Expand All @@ -93,6 +103,8 @@ export class SecurityLicenseService {
};
}

const allowML = this.isMLEnabledFromRawLicense(rawLicense);

if (!this.isSecurityEnabledFromRawLicense(rawLicense)) {
return {
showLogin: false,
Expand All @@ -105,6 +117,7 @@ export class SecurityLicenseService {
allowRoleDocumentLevelSecurity: false,
allowRoleFieldLevelSecurity: false,
allowRbac: false,
allowML,
allowSubFeaturePrivileges: false,
};
}
Expand All @@ -124,6 +137,7 @@ export class SecurityLicenseService {
// Only platinum and trial licenses are compliant with field- and document-level security.
allowRoleDocumentLevelSecurity: isLicensePlatinumOrBetter,
allowRoleFieldLevelSecurity: isLicensePlatinumOrBetter,
allowML,
allowRbac: true,
};
}
Expand Down
12 changes: 6 additions & 6 deletions x-pack/plugins/security/common/model/deprecations.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,17 +9,17 @@
import type { DeprecationsDetails, GetDeprecationsContext } from '../../../../../src/core/server';
import type { Role } from './role';

export interface PrivilegeDeprecationsRolesByFeatureIdResponse {
export interface PrivilegeDeprecationsRolesResponse {
roles?: Role[];
errors?: DeprecationsDetails[];
}

export interface PrivilegeDeprecationsRolesByFeatureIdRequest {
export interface PrivilegeDeprecationsRolesRequest {
context: GetDeprecationsContext;
featureId: string;
featureId?: string;
}
export interface PrivilegeDeprecationsService {
getKibanaRolesByFeatureId: (
args: PrivilegeDeprecationsRolesByFeatureIdRequest
) => Promise<PrivilegeDeprecationsRolesByFeatureIdResponse>;
getKibanaRoles: (
args: PrivilegeDeprecationsRolesRequest
) => Promise<PrivilegeDeprecationsRolesResponse>;
}
4 changes: 2 additions & 2 deletions x-pack/plugins/security/common/model/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ export {
RoleMapping,
} from './role_mapping';
export {
PrivilegeDeprecationsRolesByFeatureIdRequest,
PrivilegeDeprecationsRolesByFeatureIdResponse,
PrivilegeDeprecationsRolesRequest,
PrivilegeDeprecationsRolesResponse,
PrivilegeDeprecationsService,
} from './deprecations';
2 changes: 1 addition & 1 deletion x-pack/plugins/security/public/nav_control/nav_control_service.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ import { SecurityNavControlService } from './nav_control_service';
const validLicense = {
isAvailable: true,
getFeature: (feature) => {
expect(feature).toEqual('security');
expect(['security', 'ml']).toContain(feature);

return {
isAvailable: true,
Expand Down
1 change: 1 addition & 0 deletions x-pack/plugins/security/server/deprecations/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,4 @@ export {
KIBANA_ADMIN_ROLE_NAME,
KIBANA_USER_ROLE_NAME,
} from './kibana_user_role';
export { registerMLPrivilegesDeprecation } from './ml_privileges';
Loading