Don't include privilege actions by default, but instead include them …

…when requested via query parameter

x-pack/plugins/security/public/views/management/edit_role/index.js

@@ -88,7 +88,7 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
       return [];
     },
     privileges() {
-      return  kfetch({ method: 'get', pathname: '/api/security/privileges' });
+      return  kfetch({ method: 'get', pathname: '/api/security/privileges', query: { includeActions: true } });
     },
     features() {
       return kfetch({ method: 'get', pathname: '/api/features/v1' });

x-pack/plugins/security/server/routes/api/public/privileges/get.test.ts

@@ -60,6 +60,7 @@ const createMockServer = () => {
 
 interface TestOptions {
   preCheckLicenseImpl?: () => void;
+  includeActions?: boolean;
   asserts: {
     statusCode: number;
     result: Record<string, any>;
@@ -69,7 +70,7 @@ interface TestOptions {
 describe('GET privileges', () => {
   const getPrivilegesTest = (
     description: string,
-    { preCheckLicenseImpl = () => null, asserts }: TestOptions
+    { preCheckLicenseImpl = () => null, includeActions, asserts }: TestOptions
   ) => {
     test(description, async () => {
       const mockServer = createMockServer();
@@ -80,9 +81,11 @@ describe('GET privileges', () => {
         authorization: 'foo',
       };
 
+      const url = `/api/security/privileges${includeActions ? '?includeActions=true' : ''}`;
+
       const request = {
         method: 'GET',
-        url: '/api/security/privileges',
+        url,
         headers,
       };
       const { result, statusCode } = await mockServer.inject(request);
@@ -108,11 +111,27 @@ describe('GET privileges', () => {
   });
 
   describe('success', () => {
-    getPrivilegesTest(`returns registered application privileges`, {
+    getPrivilegesTest(`returns registered application privileges with actions when requested`, {
+      includeActions: true,
       asserts: {
         statusCode: 200,
         result: createPrivilegeMap(),
       },
     });
+
+    getPrivilegesTest(`returns registered application privileges without actions`, {
+      includeActions: false,
+      asserts: {
+        statusCode: 200,
+        result: {
+          global: ['all', 'read'],
+          space: ['all', 'read'],
+          features: {
+            feature1: ['all'],
+            feature2: ['all'],
+          },
+        },
+      },
+    });
   });
 });

x-pack/plugins/security/server/routes/api/public/privileges/get.ts

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-
+import Joi from 'joi';
 import { PrivilegeMap } from 'x-pack/plugins/security/common/model';
 
 export function initGetPrivilegesApi(
@@ -13,14 +13,35 @@ export function initGetPrivilegesApi(
   server.route({
     method: 'GET',
     path: '/api/security/privileges',
-    handler() {
+    handler(req: Record<string, any>) {
       const { authorization } = server.plugins.security;
       const privileges: PrivilegeMap = authorization.privileges.get();
 
-      return privileges;
+      if (req.query.includeActions) {
+        return privileges;
+      }
+
+      return {
+        global: Object.keys(privileges.global),
+        space: Object.keys(privileges.space),
+        features: Object.entries(privileges.features).reduce(
+          (acc, [featureId, featurePrivileges]) => {
+            return {
+              ...acc,
+              [featureId]: Object.keys(featurePrivileges),
+            };
+          },
+          {}
+        ),
+      };
     },
     config: {
       pre: [routePreCheckLicenseFn],
+      validate: {
+        query: Joi.object().keys({
+          includeActions: Joi.bool(),
+        }),
+      },
     },
   });
 }

x-pack/test/api_integration/apis/security/privileges.ts

@@ -17,10 +17,10 @@ export default function({ getService }: KibanaFunctionalTestDefaultProviders) {
       const versionService = getService('kibanaServer').version;
       version = await versionService.get();
     });
-    describe('GET /api/security/privileges', () => {
-      it('should return a privilege map with all known privileges', async () => {
+    describe('GET /api/security/privileges?includeActions=true', () => {
+      it('should return a privilege map with all known privileges with actions', async () => {
         await supertest
-          .get('/api/security/privileges')
+          .get('/api/security/privileges?includeActions=true')
           .set('kbn-xsrf', 'xxx')
           .send()
           .expect(200, {
@@ -696,5 +696,36 @@ export default function({ getService }: KibanaFunctionalTestDefaultProviders) {
           });
       });
     });
+
+    describe('GET /api/security/privileges', () => {
+      it('should return a privilege map with all known privileges, without actions', async () => {
+        await supertest
+          .get('/api/security/privileges')
+          .set('kbn-xsrf', 'xxx')
+          .send()
+          .expect(200, {
+            features: {
+              discover: ['all', 'read'],
+              visualize: ['all', 'read'],
+              dashboard: ['all', 'read'],
+              dev_tools: ['all'],
+              advancedSettings: ['all'],
+              indexPatterns: ['all'],
+              timelion: ['all', 'read'],
+              graph: ['all', 'read'],
+              monitoring: ['all'],
+              ml: ['all'],
+              apm: ['all'],
+              gis: ['all', 'read'],
+              canvas: ['all', 'read'],
+              infrastructure: ['all'],
+              logs: ['all'],
+              uptime: ['all'],
+            },
+            global: ['all', 'read'],
+            space: ['all', 'read'],
+          });
+      });
+    });
   });
 }