mirror of
https://github.com/elastic/kibana.git
synced 2025-04-23 17:28:26 -04:00
## Summary
This PR adds support for explicit indication whether endpoint is
restricted to operator only users.
### Context
1. If user has [all operator
privileges](https://github.com/elastic/elasticsearch/blob/main/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/operator/DefaultOperatorOnlyRegistry.java#L35-#L53)
granted, but is not listed as operator in `operator_users.yml`, ES would
throw an unauthorized error.
2. If user is listed as operator in `operator_users.yml`, but doesn't
have necessary privileges granted, ES would throw an unauthorized error.
3. It’s not possible to determine if a user is operator via any ES API,
i.e. `_has_privileges`.
4. If operator privileges are disabled we skip the check for it,
that's why we require to explicitly specify additional privileges to
ensure that the route is protected even when operator privileges are
disabled.
### Checklist
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
__Relates: https://github.com/elastic/kibana/issues/196271__
### How to test
1. Add your user to the operators list

- performance
- anatomy_of_a_plugin.mdx
- api_authorization.mdx
- audit_logging.mdx
- building_blocks.mdx
- data_views.mdx
- embeddables.mdx
- encrypted_saved_objects.mdx
- feature_privileges.mdx
- kibana_platform_plugin_intro.mdx
- kibana_system_user.mdx
- navigation.mdx
- persistable_state.mdx
- saved_objects.mdx