From b770435fb1b6d7394b419f511b0e0cc2e2b4b653 Mon Sep 17 00:00:00 2001 From: David Roberts Date: Thu, 28 Oct 2021 15:28:25 +0100 Subject: [PATCH] [ML] Retain built-in ML roles granting Kibana privileges (#80014) (#80019) The machine_learning_admin and machine_learning_user roles in Elasticsearch also grant access to the ML pages in Kibana. At one time it was intended that this should change in 8.0, so that ML privileges in Kibana would be completely separate. However, our thinking has now changed. An administrator cannot give a user the Elasticsearch backend roles and expect Kibana privileges alone to then stop that user from using ML - the user could just switch to curl or even Kibana dev console (which uses backend privileges rather than Kibana privileges). So it's clearer what is really being permitted if the backend roles continue to allow access to the ML UI as well as the ML backend endpoints. There's nothing the user can see in the ML UI that they couldn't find out by calling ML Elasticsearch endpoints directly and rendering the responses in a more graphical way. --- .../security/authz/store/ReservedRolesStore.java | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java index 16e79aa092263..ff89b1bb49e6e 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java @@ -301,7 +301,13 @@ private static Map initializeReservedRoles() { .indices(".ml-annotations*") .privileges("view_index_metadata", "read", "write") .build() }, - // TODO: remove Kibana privileges from ML backend roles in 8.0.0 + // This role also grants Kibana privileges related to ML. + // This makes it completely clear to UI administrators that + // if they grant the Elasticsearch backend role to a user then + // they cannot expect Kibana privileges to stop that user from + // accessing ML functionality - the user could switch to curl + // or even Kibana dev console and call the ES endpoints directly + // bypassing the Kibana privileges layer entirely. new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() .application("kibana-*") @@ -328,7 +334,13 @@ private static Map initializeReservedRoles() { .indices(".ml-annotations*") .privileges("view_index_metadata", "read", "write") .build() }, - // TODO: remove Kibana privileges from ML backend roles in 8.0.0 + // This role also grants Kibana privileges related to ML. + // This makes it completely clear to UI administrators that + // if they grant the Elasticsearch backend role to a user then + // they cannot expect Kibana privileges to stop that user from + // accessing ML functionality - the user could switch to curl + // or even Kibana dev console and call the ES endpoints directly + // bypassing the Kibana privileges layer entirely. new RoleDescriptor.ApplicationResourcePrivileges[] { RoleDescriptor.ApplicationResourcePrivileges.builder() .application("kibana-*")