[BeatsCM] Allow for config based override of default user role (#25364)

* Allow for config based override of default user role * [beats-cm] convert xpack.beats.defaultUserRole to array of roles * [beats-cm] keep this context in #checkLicense
2025-04-24 17:59:23 -04:00 · 2018-11-08 07:12:54 -05:00 · 2018-11-08 07:12:54 -05:00 · 03d1597903
commit 03d1597903
parent aa61b7a88f
5 changed files with 25 additions and 3 deletions
--- a/x-pack/plugins/beats_management/index.ts
+++ b/x-pack/plugins/beats_management/index.ts
@ -13,6 +13,9 @@ const DEFAULT_ENROLLMENT_TOKENS_TTL_S = 10 * 60; // 10 minutes
 export const config = Joi.object({
  enabled: Joi.boolean().default(true),
  encryptionKey: Joi.string(),
+  defaultUserRoles: Joi.array()
+    .items(Joi.string())
+    .default(['superuser']),
  enrollmentTokensTtlInSeconds: Joi.number()
    .integer()
    .min(1)
--- a/x-pack/plugins/beats_management/public/lib/adapters/framework/kibana_framework_adapter.ts
+++ b/x-pack/plugins/beats_management/public/lib/adapters/framework/kibana_framework_adapter.ts
@ -80,6 +80,14 @@ export class KibanaFrameworkAdapter implements FrameworkAdapter {
    return this.xpackInfo.get('features.beats_management.securityEnabled', false);
  }

+  public getDefaultUserRoles() {
+    if (!this.xpackInfo) {
+      return [];
+    }
+
+    return this.xpackInfo.get('features.beats_management.defaultUserRoles');
+  }
+
  public getCurrentUser() {
    try {
      return this.shieldUser;
--- a/x-pack/plugins/beats_management/public/lib/lib.ts
+++ b/x-pack/plugins/beats_management/public/lib/lib.ts
@ -45,6 +45,7 @@ export interface FrameworkAdapter {
  kbnVersion?: string;
  baseURLPath: string;
  registerManagementSection(pluginId: string, displayName: string, basePath: string): void;
+  getDefaultUserRoles(): string[];
  // Methods
  getCurrentUser(): {
    email: string | null;
--- a/x-pack/plugins/beats_management/public/router.tsx
+++ b/x-pack/plugins/beats_management/public/router.tsx
@ -42,7 +42,9 @@ export const PageRouter: React.SFC<{ libs: FrontendLibs }> = ({ libs }) => {
          {!libs.framework.securityEnabled() && <Route render={() => <EnforceSecurityPage />} />}
          {!libs.framework.getCurrentUser() ||
            (!libs.framework.getCurrentUser().roles.includes('beats_admin') &&
-              !libs.framework.getCurrentUser().roles.includes('superuser') && (
+              !libs.framework
+                .getDefaultUserRoles()
+                .some(r => libs.framework.getCurrentUser().roles.includes(r)) && (
                <Route render={() => <NoAccessPage />} />
              ))}
          <Route
--- a/x-pack/plugins/beats_management/server/lib/adapters/framework/kibana_framework_adapter.ts
+++ b/x-pack/plugins/beats_management/server/lib/adapters/framework/kibana_framework_adapter.ts
@ -47,7 +47,7 @@ export class KibanaBackendFrameworkAdapter implements BackendFrameworkAdapter {
      // to re-compute the license check results for this plugin
      xpackMainPlugin.info
        .feature(PLUGIN.ID)
-        .registerLicenseCheckResultsGenerator(this.checkLicense);
+        .registerLicenseCheckResultsGenerator((xPackInfo: any) => this.checkLicense(xPackInfo));
    });
  }
  // TODO make base path a constructor level param
@ -77,6 +77,9 @@ export class KibanaBackendFrameworkAdapter implements BackendFrameworkAdapter {
    RouteRequest extends FrameworkWrappableRequest,
    RouteResponse extends FrameworkResponse
  >(route: FrameworkRouteOptions<RouteRequest, RouteResponse>) {
+    const hasAny = (roles: string[], requiredRoles: string[]) =>
+      requiredRoles.some(r => roles.includes(r));
+
    const wrappedHandler = (licenseRequired: boolean, requiredRoles?: string[]) => async (
      request: any,
      h: any
@ -98,7 +101,8 @@ export class KibanaBackendFrameworkAdapter implements BackendFrameworkAdapter {

        if (
          wrappedRequest.user.kind === 'authenticated' &&
-          (!wrappedRequest.user.roles.includes('superuser') || !wrappedRequest.user.roles) &&
+          (!hasAny(wrappedRequest.user.roles, this.getSetting('xpack.beats.defaultUserRoles')) ||
+            !wrappedRequest.user.roles) &&
          difference(requiredRoles, wrappedRequest.user.roles).length !== 0
        ) {
          return h.response().code(403);
@ -160,6 +164,7 @@ export class KibanaBackendFrameworkAdapter implements BackendFrameworkAdapter {
    // License is not valid
    if (!isLicenseValid) {
      return {
+        defaultUserRoles: this.getSetting('xpack.beats.defaultUserRoles'),
        securityEnabled: true,
        licenseValid: false,
        licenseExpired: false,
@ -170,6 +175,7 @@ export class KibanaBackendFrameworkAdapter implements BackendFrameworkAdapter {
    // License is valid but not active, we go into a read-only mode.
    if (!isLicenseActive) {
      return {
+        defaultUserRoles: this.getSetting('xpack.beats.defaultUserRoles'),
        securityEnabled: true,
        licenseValid: true,
        licenseExpired: true,
@ -183,6 +189,7 @@ export class KibanaBackendFrameworkAdapter implements BackendFrameworkAdapter {
        'Security must be enabled in order to use Beats central management features.' +
        ' Please set xpack.security.enabled: true in your elasticsearch.yml.';
      return {
+        defaultUserRoles: this.getSetting('xpack.beats.defaultUserRoles'),
        securityEnabled: false,
        licenseValid: true,
        licenseExpired: false,
@ -193,6 +200,7 @@ export class KibanaBackendFrameworkAdapter implements BackendFrameworkAdapter {

    // License is valid and active
    return {
+      defaultUserRoles: this.getSetting('xpack.beats.defaultUserRoles'),
      securityEnabled: true,
      licenseValid: true,
      licenseExpired: false,