[ML] Categorization examples privilege check #57375
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jgowdyelastic
force-pushed
the
categorization-examples-privilege-check
branch
2 times, most recently
from
abfd38c to
9db4c01
Compare
jgowdyelastic
requested review from
alvarezmelissa87,
peteharverson,
walterra and
darnautov
jgowdyelastic
added
:ml
Feature:Anomaly Detection
|
Pinging @elastic/ml-ui (:ml) |
peteharverson
approved these changes
Feb 12, 2020
x-pack/legacy/plugins/ml/server/models/job_service/new_job/categorization/examples.ts
Outdated
Show resolved
Hide resolved
droberts195
added a commit
to droberts195/elasticsearch
that referenced
this pull request
Feb 12, 2020
This is to support the ML categorization wizard. Currently cluster:admin/analyze is only provided with the "manage" cluster privilege, which is an excessive privilege level to provide access to this single feature. It means that the ML categorization wizard only works for extremely highly privileged users. Following this change the Kibana system user will be permitted to run the _analyze endpoint on supplied strings (not on an index). The ML UI will then call the _analyze endpoint as the Kibana system user after first checking that the logged-in user is permitted to create an ML job. This will mean that users with the more reasonable "manage_ml" cluster privilege will be permitted to use the ML categorization wizard. (This is also consistent with the way the ML UI will access _all_ Elasticsearch functionality when the "ML in Spaces" project is completed.) Closes elastic#51391 Relates elastic/kibana#57375
|
The corresponding Elasticsearch change is elastic/elasticsearch#52259. Please wait for that to be merged before merging this change. |
|
retest |
kobelb
reviewed
Feb 12, 2020
| return true; | ||
| } | ||
|
|
||
| const resp = await callWithRequest('ml.privilegeCheck', { |
There was a problem hiding this comment.
As an alternative to doing the privilege check using the _has_privileges API, you can augment the reserved privilege which is assigned to both the machine_learning_admin and machine_learning_user roles and take advantage of the "API Authorization" similar to this example: https://www.elastic.co/guide/en/kibana/current/development-plugin-feature-registration.html#_example_2_dev_tools
There was a problem hiding this comment.
Have spoken to @kobelb and have agreed to leave this as is for now as upcoming spaces work will see the replacement of all privilege checks in ML.
droberts195
added a commit
to elastic/elasticsearch
that referenced
this pull request
Feb 13, 2020
This is to support the ML categorization wizard. Currently cluster:admin/analyze is only provided with the "manage" cluster privilege, which is an excessive privilege level to provide access to this single feature. It means that the ML categorization wizard only works for extremely highly privileged users. Following this change the Kibana system user will be permitted to run the _analyze endpoint on supplied strings (not on an index). The ML UI will then call the _analyze endpoint as the Kibana system user after first checking that the logged-in user is permitted to create an ML job. This will mean that users with the more reasonable "manage_ml" cluster privilege will be permitted to use the ML categorization wizard. (This is also consistent with the way the ML UI will access _all_ Elasticsearch functionality when the "ML in Spaces" project is completed.) Closes #51391 Relates elastic/kibana#57375
droberts195
added a commit
to elastic/elasticsearch
that referenced
this pull request
Feb 13, 2020
This is to support the ML categorization wizard. Currently cluster:admin/analyze is only provided with the "manage" cluster privilege, which is an excessive privilege level to provide access to this single feature. It means that the ML categorization wizard only works for extremely highly privileged users. Following this change the Kibana system user will be permitted to run the _analyze endpoint on supplied strings (not on an index). The ML UI will then call the _analyze endpoint as the Kibana system user after first checking that the logged-in user is permitted to create an ML job. This will mean that users with the more reasonable "manage_ml" cluster privilege will be permitted to use the ML categorization wizard. (This is also consistent with the way the ML UI will access _all_ Elasticsearch functionality when the "ML in Spaces" project is completed.) Closes #51391 Relates elastic/kibana#57375
jgowdyelastic
force-pushed
the
categorization-examples-privilege-check
branch
from
2dd8218 to
fd5e62a
Compare
alvarezmelissa87
approved these changes
Feb 14, 2020
jgowdyelastic
force-pushed
the
categorization-examples-privilege-check
branch
from
d51ffb4 to
af4da4f
Compare
|
@elasticmachine merge upstream |
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
jgowdyelastic
added a commit
to jgowdyelastic/kibana
that referenced
this pull request
Feb 17, 2020
* [ML] Categorization examples privilege check * adding privileges check to endpoint * fixing typo * moving privilege check to router * removing unused variable * rebasing master * removing comment Co-authored-by: Elastic Machine <[email protected]>
jgowdyelastic
added a commit
that referenced
this pull request
Feb 17, 2020
* [ML] Categorization examples privilege check * adding privileges check to endpoint * fixing typo * moving privilege check to router * removing unused variable * rebasing master * removing comment Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: Elastic Machine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes the
categorization_field_examplesendpoint so when it calls_analyseto retrieve the tokens, it does so as the kibana internal user.Because of this change, the endpoint also now requires the user to have job creation privileges.
The endpoint returns a
403if this requirement is not met.Relates to elastic/elasticsearch#51391
cc @droberts195
Checklist
For maintainers