[ML] Retain built-in ML roles granting Kibana privileges (#80014)
The machine_learning_admin and machine_learning_user roles
in Elasticsearch also grant access to the ML pages in Kibana.

At one time it was intended that this should change in 8.0,
so that ML privileges in Kibana would be completely separate.

However, our thinking has now changed. An administrator cannot
give a user the Elasticsearch backend roles and expect Kibana
privileges alone to then stop that user from using ML - the
user could just switch to curl or even Kibana dev console (which
uses backend privileges rather than Kibana privileges). So it's
clearer what is really being permitted if the backend roles
continue to allow access to the ML UI as well as the ML backend
endpoints. There's nothing the user can see in the ML UI that
they couldn't find out by calling ML Elasticsearch endpoints
directly and rendering the responses in a more graphical way.
droberts195 committed Oct 28, 2021
1 parent 0d5cc32 commit 499f84a
Showing 1 changed file with 14 additions and 2 deletions.
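The commit message argues that withholding a Kibana ML privilege from a principal who already holds the Elasticsearch ML cluster privileges restricts nothing, because that principal can call the ML endpoints directly. The script below is an added example, not code from the Elasticsearch repository or from the commit author: it audits role descriptors in the shape returned by `GET /_security/role` and flags roles, and users whose roles combine, that reach the ML backend without any Kibana ML privilege. The role and user data are constructed for the example; the set of Kibana application privilege names treated as "ML access" and the assumption that `manage`/`monitor` cover the ML actions are assumptions, not facts taken from the page.

```python
"""
Added example (not from the Elasticsearch repository): audit role descriptors
for the mismatch the commit message describes. A principal holding the
Elasticsearch ML cluster privileges can call the ML endpoints with curl or the
Kibana dev console, so withholding a Kibana ML privilege from that principal
restricts nothing. Input mirrors the JSON shape of GET /_security/role; the
roles and users below are constructed for this example.
"""
from typing import Dict, List

# Elasticsearch cluster privileges that gate the ML backend endpoints.
ML_CLUSTER_PRIVS = {"manage_ml", "monitor_ml"}
# Broader cluster privileges assumed here to cover the ML actions as well.
SUPERSET_CLUSTER_PRIVS = {"all", "manage", "monitor"}
# Kibana application privilege names assumed to represent ML access under a
# "kibana-*" application: reserved_ml_* are the names the reserved roles use,
# feature_ml.* is Kibana's feature-privilege form (assumption, not from the page).
ML_APP_PRIVS = {"reserved_ml_admin", "reserved_ml_user",
                "feature_ml.all", "feature_ml.read", "all", "read"}

SAMPLE_ROLES: Dict[str, dict] = {  # constructed sample data
    "ml_backend_only": {
        "cluster": ["monitor_ml"],
        "indices": [{"names": [".ml-anomalies*"], "privileges": ["read"]}],
        "applications": [],
    },
    "ml_ui_only": {
        "cluster": [],
        "indices": [],
        "applications": [{"application": "kibana-.kibana",
                          "privileges": ["feature_ml.read"],
                          "resources": ["*"]}],
    },
    "ml_both": {
        "cluster": ["manage_ml"],
        "indices": [],
        "applications": [{"application": "kibana-*",
                          "privileges": ["reserved_ml_admin"],
                          "resources": ["*"]}],
    },
}
SAMPLE_USERS: Dict[str, List[str]] = {  # constructed sample data
    "alice": ["ml_backend_only"],
    "bob": ["ml_ui_only"],
    "carol": ["ml_backend_only", "ml_ui_only"],
}


def grants_ml_backend(role: dict) -> bool:
    """True if the role can reach ML endpoints regardless of Kibana settings."""
    cluster = set(role.get("cluster", []))
    return bool(cluster & (ML_CLUSTER_PRIVS | SUPERSET_CLUSTER_PRIVS))


def grants_ml_kibana(role: dict) -> bool:
    """True if the role carries an ML privilege for a Kibana application."""
    return any(
        app.get("application", "").startswith("kibana-")
        and set(app.get("privileges", [])) & ML_APP_PRIVS
        for app in role.get("applications", [])
    )


def effective_role(roles: Dict[str, dict], names: List[str]) -> dict:
    """Union of a user's roles; Elasticsearch privileges are additive only."""
    merged: dict = {"cluster": [], "indices": [], "applications": []}
    for name in names:
        for key in merged:
            merged[key].extend(roles[name].get(key, []))
    return merged


def audit_roles(roles: Dict[str, dict]) -> List[str]:
    """Roles where the missing Kibana ML privilege is not an enforceable restriction."""
    return [n for n, r in roles.items()
            if grants_ml_backend(r) and not grants_ml_kibana(r)]


def audit_users(users: Dict[str, List[str]], roles: Dict[str, dict]) -> List[str]:
    """Users whose combined roles reach the ML backend but not the Kibana ML UI."""
    flagged = []
    for user, names in users.items():
        eff = effective_role(roles, names)
        if grants_ml_backend(eff) and not grants_ml_kibana(eff):
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    for role in audit_roles(SAMPLE_ROLES):
        print(f"role {role}: ML backend granted without a Kibana ML privilege; "
              "the UI denial is not enforced")
    for user in audit_users(SAMPLE_USERS, SAMPLE_ROLES):
        print(f"user {user}: can drive ML through the API; Kibana privileges do not restrict this")
```

In the sample data only `ml_backend_only`, and the user `alice` who holds nothing else, are flagged: `carol` holds the same backend role but also a Kibana ML privilege, so her access is at least described consistently, which is exactly the state the commit restores for the reserved roles.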
@@ -285,7 +285,13 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
.indices(".ml-annotations*")
.privileges("view_index_metadata", "read", "write")
.build() },
// TODO: remove Kibana privileges from ML backend roles in 8.0.0
// This role also grants Kibana privileges related to ML.
// This makes it completely clear to UI administrators that
// if they grant the Elasticsearch backend role to a user then
// they cannot expect Kibana privileges to stop that user from
// accessing ML functionality - the user could switch to curl
// or even Kibana dev console and call the ES endpoints directly
// bypassing the Kibana privileges layer entirely.
new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("kibana-*")
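Review bot: deleting `// TODO: remove Kibana privileges from ML backend roles in 8.0.0` and replacing it with a rationale comment documents the decision but nothing in this hunk enforces it; consider adding, or referencing in the comment, a reserved-roles test that asserts the `kibana-*` application privileges remain on this role, so a later cleanup cannot quietly do what the TODO proposed. The comment also addresses "UI administrators" while the commit message speaks of an administrator granting Elasticsearch roles; one term avoids implying a separate Kibana-only admin.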
@@ -313,7 +319,13 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
.indices(".ml-annotations*")
.privileges("view_index_metadata", "read", "write")
.build() },
// TODO: remove Kibana privileges from ML backend roles in 8.0.0
// This role also grants Kibana privileges related to ML.
// This makes it completely clear to UI administrators that
// if they grant the Elasticsearch backend role to a user then
// they cannot expect Kibana privileges to stop that user from
// accessing ML functionality - the user could switch to curl
// or even Kibana dev console and call the ES endpoints directly
// bypassing the Kibana privileges layer entirely.
new RoleDescriptor.ApplicationResourcePrivileges[] {
RoleDescriptor.ApplicationResourcePrivileges.builder()
.application("kibana-*")
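Review bot: the seven comment lines added here, from `// This role also grants Kibana privileges related to ML.` to `// bypassing the Kibana privileges layer entirely.`, are a verbatim copy of the block in the first hunk, and the two will drift the next time one is edited. Consider stating the rationale once (for example above initializeReservedRoles()) and leaving a one-line cross-reference at each role; since "This role" is not named within the hunk's context, naming the role in that line would also help readers of the diff.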

0 comments on commit 499f84a