Commit graph

1 commit

Author SHA1 Message Date
Joe Reuter
fd374463f7
🌊 Streams: Permission handling (#217353)
Currently, the streams UI doesn't deal well with partial permissions.
This PR improves that. As a lot of things come together in streams, we
could do even better, but I think it's OK to draw a line somewhere.

The logic is now as follows:
When reading a stream, the privileges of the current user are returned
along with the stream itself. These are grouped like this:
```
interface IngestStreamPrivileges {
  // User can change everything about the stream
  manage: boolean;
  // User can read stats (like size in bytes) about the stream
  monitor: boolean;
  // User can change the retention policy of the stream
  lifecycle: boolean;
  // User can simulate changes to the processing or the mapping of the stream
  simulate: boolean;
}
```

This is part of the definition response and is passed around to the
components and disabled buttons and similar in the places where this is
necessary.

The "advanced" tab is only shown when full `manage` permissions are
present - there are constellations of permissions that would allow some
access but not all (e.g. having `read_pipelines` but not
`manage_index_templates`), but these should be rather rare and not worth
the additional effort.

## Conditions

In the following places privileges are checked:
* Overview
  * Without `monitor`, the overall stats are not shown
* Enrichment
  * Without `manage`, you can't save changes
  * Without `simulate`, the UI is readonly
* Partitioning
  * Without `manage`, you can't save changes
  * Without `simulate`, the UI is readonly
* Schema editor
  * Without `manage`, the UI is readonly
* Retention
  * Without `monitor`, the ingest stats are not shown
  * Without `lifecycle`, the retention can't be changed and ILM breakdown
    is not rendered
* Advanced
  * Without `manage`, the tab is hidden completely

## Drive-by fix

I noticed that we still register the app header action menu, which adds
an empty bar on serverless; removed that code.

## Testing

Check
https://github.com/elastic/kibana/pull/217353/files#diff-d8f33d7021058bf90cbeea908bf399da2af50d8b8bfac8a07f160ddc0cdff12bR747
for which Elasticsearch level privileges you need for different
permutations. Then set up a role and a user and log in as that user.

Also test the different pre-defined roles on serverless.
2025-04-08 15:42:29 +02:00
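
The "Conditions" list above, written out as one pure function so that each permutation of partial privileges can be checked in a unit test. This is an added example, not code from the Kibana PR: only `IngestStreamPrivileges` comes from the commit message, while `EditorMode`, `StreamUiState`, `processingMode`, `deriveStreamUiState` and the sample user are hypothetical names and constructed values.

```typescript
// From the commit message: privileges returned together with the stream definition.
interface IngestStreamPrivileges {
  manage: boolean;
  monitor: boolean;
  lifecycle: boolean;
  simulate: boolean;
}

// Hypothetical UI model (assumption, not Kibana's own types).
type EditorMode = 'readonly' | 'simulate-only' | 'editable';

interface StreamUiState {
  overviewStats: boolean;        // Overview: overall stats need `monitor`
  enrichment: EditorMode;
  partitioning: EditorMode;
  schemaEditor: EditorMode;
  retentionIngestStats: boolean; // Retention: ingest stats need `monitor`
  retentionEditable: boolean;    // Retention: changes need `lifecycle`
  ilmBreakdown: boolean;         // Retention: ILM breakdown needs `lifecycle`
  advancedTab: boolean;          // Advanced: hidden without `manage`
}

// Enrichment and Partitioning: without `simulate` the UI is readonly;
// with `simulate` but without `manage`, changes can be tried but not saved.
function processingMode(p: IngestStreamPrivileges): EditorMode {
  if (!p.simulate) return 'readonly';
  return p.manage ? 'editable' : 'simulate-only';
}

function deriveStreamUiState(p: IngestStreamPrivileges): StreamUiState {
  return {
    overviewStats: p.monitor,
    enrichment: processingMode(p),
    partitioning: processingMode(p),
    schemaEditor: p.manage ? 'editable' : 'readonly',
    retentionIngestStats: p.monitor,
    retentionEditable: p.lifecycle,
    ilmBreakdown: p.lifecycle,
    advancedTab: p.manage,
  };
}

// Constructed sample: a user who may simulate and monitor, nothing else.
const constructedAnalyst: IngestStreamPrivileges = {
  manage: false, monitor: true, lifecycle: false, simulate: true,
};
const analystUi: StreamUiState = deriveStreamUiState(constructedAnalyst);
```
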