[ML] Retain built-in ML roles granting Kibana privileges #80014
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The machine_learning_admin and machine_learning_user roles in Elasticsearch also grant access to the ML pages in Kibana. At one time it was intended that this should change in 8.0, so that ML privileges in Kibana would be completely separate. However, our thinking has now changed. An administrator cannot give a user the Elasticsearch backend roles and expect Kibana privileges alone to then stop that user from using ML - the user could just switch to curl or even Kibana dev console (which uses backend privileges rather than Kibana privileges). So it's clearer what is really being permitted if the backend roles continue to allow access to the ML UI as well as the ML backend endpoints. There's nothing the user can see in the ML UI that they couldn't find out by calling ML Elasticsearch endpoints directly and rendering the responses in a more graphical way.
|
Pinging @elastic/ml-core (Team:ML) |
benwtrent
reviewed
Oct 28, 2021
| @@ -141,7 +141,7 @@ public void close() { | |||
| stop(); | |||
| } | |||
|
|
|||
| private synchronized void scheduleNext() { | |||
| private synchronized void scheduleNext() { | |||
There was a problem hiding this comment.
Suggested change
| private synchronized void scheduleNext() { | |
| private synchronized void scheduleNext() { |
benwtrent
approved these changes
Oct 28, 2021
droberts195
added
the
auto-backport-and-merge
droberts195
added a commit
to droberts195/elasticsearch
that referenced
this pull request
Oct 28, 2021
The machine_learning_admin and machine_learning_user roles in Elasticsearch also grant access to the ML pages in Kibana. At one time it was intended that this should change in 8.0, so that ML privileges in Kibana would be completely separate. However, our thinking has now changed. An administrator cannot give a user the Elasticsearch backend roles and expect Kibana privileges alone to then stop that user from using ML - the user could just switch to curl or even Kibana dev console (which uses backend privileges rather than Kibana privileges). So it's clearer what is really being permitted if the backend roles continue to allow access to the ML UI as well as the ML backend endpoints. There's nothing the user can see in the ML UI that they couldn't find out by calling ML Elasticsearch endpoints directly and rendering the responses in a more graphical way.
droberts195
added a commit
to droberts195/elasticsearch
that referenced
this pull request
Oct 28, 2021
The machine_learning_admin and machine_learning_user roles in Elasticsearch also grant access to the ML pages in Kibana. At one time it was intended that this should change in 8.0, so that ML privileges in Kibana would be completely separate. However, our thinking has now changed. An administrator cannot give a user the Elasticsearch backend roles and expect Kibana privileges alone to then stop that user from using ML - the user could just switch to curl or even Kibana dev console (which uses backend privileges rather than Kibana privileges). So it's clearer what is really being permitted if the backend roles continue to allow access to the ML UI as well as the ML backend endpoints. There's nothing the user can see in the ML UI that they couldn't find out by calling ML Elasticsearch endpoints directly and rendering the responses in a more graphical way.
elasticsearchmachine
pushed a commit
that referenced
this pull request
Oct 28, 2021
…0019) The machine_learning_admin and machine_learning_user roles in Elasticsearch also grant access to the ML pages in Kibana. At one time it was intended that this should change in 8.0, so that ML privileges in Kibana would be completely separate. However, our thinking has now changed. An administrator cannot give a user the Elasticsearch backend roles and expect Kibana privileges alone to then stop that user from using ML - the user could just switch to curl or even Kibana dev console (which uses backend privileges rather than Kibana privileges). So it's clearer what is really being permitted if the backend roles continue to allow access to the ML UI as well as the ML backend endpoints. There's nothing the user can see in the ML UI that they couldn't find out by calling ML Elasticsearch endpoints directly and rendering the responses in a more graphical way.
weizijun
added a commit
to weizijun/elasticsearch
that referenced
this pull request
Oct 28, 2021
…formance * upstream/master: (153 commits) [ML] update truncation default & adding field output when input is truncated (elastic#79942) [ML] stop using isAllowedByLicense for model license checks (elastic#79908) [ML] Retain built-in ML roles granting Kibana privileges (elastic#80014) [Transform] remove old mixed cluster BWC layers, not required for 8x (elastic#79927) Increase test timeout for CoordinatorTests testAllSearchesExecuted [Transform] add rolling upgrade tests for upgrade endpoint (elastic#79721) [ML] Update trained model docs for truncate parameter for bert tokenization (elastic#79652) `CoordinatorTests` sometimes needs three term bumps (elastic#79574) [ML] Account for service being triggered twice in tests (elastic#80000) SearchContext: remove unused variable (elastic#79917) Revert "Deprecate resolution loss on date field (elastic#78921)" (elastic#79914) Re-enable GeoIpDownloaderIT#testStartWithNoDatabases() (elastic#79907) Fix SnapshotBasedIndexRecoveryIT#testSeqNoBasedRecoveryIsUsedAfterPrimaryFailOver (elastic#79469) Fix RecoverySourceHandlerTests (elastic#79546) SQL: stabilize SqlSearchPageTimeoutIT (elastic#79928) Wait 3 seconds for the server to reload trust (elastic#79778) Skip automatically preserved request headers when rewriting (elastic#79973) Check whether stdout is a real console (elastic#79882) Convert remote license checker to use LicensedFeature (elastic#79876) Miscellaneous fixes for LDAP SDK v6 upgrade (elastic#79891) ... # Conflicts: # libs/x-content/src/main/java/org/elasticsearch/xcontent/support/filtering/FilterPath.java # libs/x-content/src/test/java/org/elasticsearch/xcontent/support/filtering/FilterPathGeneratorFilteringTests.java # libs/x-content/src/test/java/org/elasticsearch/xcontent/support/filtering/FilterPathTests.java
elasticsearchmachine
pushed a commit
that referenced
this pull request
Oct 28, 2021
…0018) The machine_learning_admin and machine_learning_user roles in Elasticsearch also grant access to the ML pages in Kibana. At one time it was intended that this should change in 8.0, so that ML privileges in Kibana would be completely separate. However, our thinking has now changed. An administrator cannot give a user the Elasticsearch backend roles and expect Kibana privileges alone to then stop that user from using ML - the user could just switch to curl or even Kibana dev console (which uses backend privileges rather than Kibana privileges). So it's clearer what is really being permitted if the backend roles continue to allow access to the ML UI as well as the ML backend endpoints. There's nothing the user can see in the ML UI that they couldn't find out by calling ML Elasticsearch endpoints directly and rendering the responses in a more graphical way. Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The machine_learning_admin and machine_learning_user roles
in Elasticsearch also grant access to the ML pages in Kibana.
At one time it was intended that this should change in 8.0,
so that ML privileges in Kibana would be completely separate.
However, our thinking has now changed. An administrator cannot
give a user the Elasticsearch backend roles and expect Kibana
privileges alone to then stop that user from using ML - the
user could just switch to curl or even Kibana dev console (which
uses backend privileges rather than Kibana privileges). So it's
clearer what is really being permitted if the backend roles
continue to allow access to the ML UI as well as the ML backend
endpoints. There's nothing the user can see in the ML UI that
they couldn't find out by calling ML Elasticsearch endpoints
directly and rendering the responses in a more graphical way.