mirror of
https://github.com/elastic/kibana.git
synced 2025-04-20 07:48:52 -04:00
Currently, the streams UI doesn't deal well with partial permissions. This PR improves that. As a lot of things come together in streams, we could do even better, but I think it's OK to draw a line somewhere.

The logic is now as follows: When reading a stream, the privileges of the current user are returned along with the stream itself. These are grouped like this:

```
interface IngestStreamPrivileges {
  // User can change everything about the stream
  manage: boolean;
  // User can read stats (like size in bytes) about the stream
  monitor: boolean;
  // User can change the retention policy of the stream
  lifecycle: boolean;
  // User can simulate changes to the processing or the mapping of the stream
  simulate: boolean;
}
```

This is part of the definition response and is passed around to the components and disabled buttons and similar in the places where this is necessary.

The "advanced" tab is only shown when full `manage` permissions are present - there are constellations of permissions that would allow some access but not all (e.g. having `read_pipelines` but not `manage_index_templates`), but these should be rather rare and not worth the additional effort.

## Conditions

In the following places privileges are checked:

* Overview
  * Without `monitor`, the overall stats are not shown
* Enrichment
  * Without `manage`, you can't save changes
  * Without `simulate`, the UI is readonly
* Partitioning
  * Without `manage`, you can't save changes
  * Without `simulate`, the UI is readonly
* Schema editor
  * Without `manage`, the UI is readonly
* Retention
  * Without `monitor`, the ingest stats are not shown
  * Without `lifecycle`, the retention can't be changed and ILM breakdown is not rendered
* Advanced
  * Without `manage`, the tab is hidden completely

## Drive-by fix

I noticed that we still register the app header action menu which adds an empty bar on serverless, removed that code.

## Testing

Check https://github.com/elastic/kibana/pull/217353/files#diff-d8f33d7021058bf90cbeea908bf399da2af50d8b8bfac8a07f160ddc0cdff12bR747 for which Elasticsearch level privileges you need for different permutations. Then set up a role and a user and log in as that user.

Also test the different pre-defined roles on serverless.
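
The conditions listed in the commit message, written out as an added TypeScript example that is not code from the Kibana PR. `StreamUiState`, `EditorState`, `normalizePrivileges` and `deriveUiState` are hypothetical names; treating a missing flag as not granted, and a read-only editor as unable to save, are assumptions of this example.

```typescript
// Privilege flags as listed in the commit message.
interface IngestStreamPrivileges {
  manage: boolean;
  monitor: boolean;
  lifecycle: boolean;
  simulate: boolean;
}

// Hypothetical UI-state shapes for this example (not Kibana's own types).
interface EditorState { readOnly: boolean; canSave: boolean }
interface StreamUiState {
  overview: { showStats: boolean };
  enrichment: EditorState;
  partitioning: EditorState;
  schemaEditor: { readOnly: boolean };
  retention: { showIngestStats: boolean; canEdit: boolean; showIlmBreakdown: boolean };
  advanced: { visible: boolean };
}

// Assumption: fail closed. A flag that is absent or not literally `true`
// (for example a partial or malformed response) is treated as not granted.
function normalizePrivileges(raw?: Partial<IngestStreamPrivileges>): IngestStreamPrivileges {
  return {
    manage: raw?.manage === true,
    monitor: raw?.monitor === true,
    lifecycle: raw?.lifecycle === true,
    simulate: raw?.simulate === true,
  };
}

function deriveUiState(raw?: Partial<IngestStreamPrivileges>): StreamUiState {
  const p = normalizePrivileges(raw);
  // Enrichment and partitioning: read-only without `simulate`; saving needs
  // `manage` and (this example's reading) an editable UI.
  const editor = (): EditorState => ({ readOnly: !p.simulate, canSave: p.manage && p.simulate });
  return {
    overview: { showStats: p.monitor },
    enrichment: editor(),
    partitioning: editor(),
    schemaEditor: { readOnly: !p.manage },
    retention: { showIngestStats: p.monitor, canEdit: p.lifecycle, showIlmBreakdown: p.lifecycle },
    advanced: { visible: p.manage },
  };
}
```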