Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[7.16] [ML] Retain built-in ML roles granting Kibana privileges (#80014) #80019

Merged
merged 1 commit into from
Oct 28, 2021
Merged

[7.16] [ML] Retain built-in ML roles granting Kibana privileges (#80014) #80019

merged 1 commit into from
Oct 28, 2021

Conversation

droberts195
Copy link
Contributor

Backports the following commits to 7.16:

@droberts195
[ML] Retain built-in ML roles granting Kibana privileges (elastic#80014)
dc528cc 
The machine_learning_admin and machine_learning_user roles
in Elasticsearch also grant access to the ML pages in Kibana.

At one time it was intended that this should change in 8.0,
so that ML privileges in Kibana would be completely separate.

However, our thinking has now changed. An administrator cannot
give a user the Elasticsearch backend roles and expect Kibana
privileges alone to then stop that user from using ML - the
user could just switch to curl or even Kibana dev console (which
uses backend privileges rather than Kibana privileges). So it's
clearer what is really being permitted if the backend roles
continue to allow access to the ML UI as well as the ML backend
endpoints. There's nothing the user can see in the ML UI that
they couldn't find out by calling ML Elasticsearch endpoints
directly and rendering the responses in a more graphical way.
@droberts195 droberts195 added auto-merge Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport labels Oct 28, 2021
@elasticsearchmachine elasticsearchmachine mentioned this pull request Oct 28, 2021
Merged
@elasticsearchmachine elasticsearchmachine merged commit b770435 into elastic:7.16 Oct 28, 2021
@droberts195 droberts195 deleted the backport/7.16/pr-80014 branch October 28, 2021 15:08
@danhermann danhermann added v7.16.0 and removed v7.16.1 labels Nov 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
auto-merge Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport v7.16.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@droberts195 @danhermann @elasticsearchmachine