
Index Pattern modifications allowed even though "feature_indexPatterns" is set to "Read" #134593

Closed
AndrewMcQuerry opened this issue Jun 16, 2022 · 4 comments
Labels
bug Fixes for quality problems that affect the customer experience Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL.

Comments

@AndrewMcQuerry

Kibana version: 7.16.3
Elasticsearch version: 7.16.3
Server OS version: RHEL7

Browser version: n/a
Browser OS version: n/a

Original install method (e.g. download page, yum, from source, etc.): yum

Describe the bug: An Elasticsearch role with feature-level privileges defined for Kibana as shown below allows the user to modify the Index Pattern through the workflow of Discover -> Select a field on the left -> Click the "pencil" icon to edit -> make changes via the "Edit field" dialog. That same user, when navigating to Stack Management -> Index Patterns -> select a pattern, is restricted from editing any fields (as expected).

    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_indexPatterns.read",
          "feature_savedObjectsManagement.all",
          ...

Steps to reproduce:

  1. Create a role with feature level privileges as shown.
  2. Assign to a user.
  3. As that user, attempt to modify the "Custom Label" for a field via Discover -> fieldname -> pencil icon -> Edit field dialog.
  4. Observe that the Custom Label is accepted and the Index Pattern is updated.
  5. Navigate to Stack Management -> Index Patterns -> select the same pattern.
  6. Observe that all editing functionality (pencils/buttons/etc.) is not available to the user.

Similarly, swapping the read/all on those two privileges (so that indexPatterns is "all" and savedObjectsManagement is "read") also allows the Discover-based workflow to successfully modify a field's custom label.

It appears as though either of these privileges provides the ability to make changes to the Index Pattern via the Discover -> field -> pencil -> Edit field workflow.

Expected behavior: It is expected that the "Discover -> field -> pencil -> Edit field" workflow should be governed 100% by the feature_indexPatterns privilege. Or, said another way: the fact that "Index Pattern Management" and "Saved Objects Management" each have "None/Read/All" privileges implies that they are able to be controlled separately. Yet, in reality, it doesn't matter what you select for "Index Pattern Management", since "Saved Objects Management" can still override it.

At minimum, the bug here is the way that these two "features" are presented as separate items that have no bearing on each other.

Screenshots (if relevant): n/a

Errors in browser console (if relevant): n/a

Provide logs and/or server output (if relevant): n/a

Any additional context:

This is somewhat related to #49045, yet I feel that the issue with the confusion between "Index Pattern Management" and "Saved Objects Management" in the UI, and how that actually affects privileges on the back-end, is a separate issue.

@AndrewMcQuerry AndrewMcQuerry added the bug Fixes for quality problems that affect the customer experience label Jun 16, 2022
@botelastic botelastic bot added the needs-team Issues missing a team label label Jun 16, 2022
@AndrewMcQuerry
Author

Clarifying the Expectation

The "Edit Field" dialog should be governed by the ui:7.16.3:indexPatterns/save action. The best way to implement this would be to have the "pencil edit" icon in Discover hidden if that action is not granted to the user (same as how the Index Patterns UI appears to be deciding which buttons/icons to present to the user).

This action is the only UI difference between feature_indexPatterns.all and feature_indexPatterns.read.

If Discover were to also leverage this action, it would remove almost all concerns over a user being able to casually edit Index Patterns that they only have "read" access to. (Even though the user may still have Index Pattern "import" ability via the Saved Objects privileges, it's unlikely that they're going to be exporting, manually editing JSON and then re-importing.)
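The gating proposed above, modelled as an added example that is not Kibana's own code: it contrasts the reported behaviour (either feature's "all" unlocks the Discover edit) with the expected behaviour (only the `ui:7.16.3:indexPatterns/save` action unlocks it). The privilege-to-action mapping and every action name other than `ui:7.16.3:indexPatterns/save` are assumptions for the illustration.

```javascript
// Added example (not Kibana's own code): models the privilege mismatch reported
// above. Role entries follow the shape of the role document quoted in the issue.

// Assumed mapping from Kibana feature privileges to the UI actions they grant.
// Per the report, ui:7.16.3:indexPatterns/save is the only UI action that
// separates feature_indexPatterns.all from feature_indexPatterns.read; the other
// action names are constructed placeholders for this illustration.
const UI_ACTIONS_BY_PRIVILEGE = {
  "feature_indexPatterns.read": ["ui:7.16.3:indexPatterns/indexPatterns"],
  "feature_indexPatterns.all": [
    "ui:7.16.3:indexPatterns/indexPatterns",
    "ui:7.16.3:indexPatterns/save",
  ],
  "feature_savedObjectsManagement.read": ["ui:7.16.3:savedObjectsManagement/read"],
  "feature_savedObjectsManagement.all": [
    "ui:7.16.3:savedObjectsManagement/read",
    "ui:7.16.3:savedObjectsManagement/edit",
  ],
};

// Collect every UI action the role grants for the Kibana application.
function grantedUiActions(applications, app = "kibana-.kibana") {
  const actions = new Set();
  for (const entry of applications) {
    if (entry.application !== app) continue;
    for (const priv of entry.privileges) {
      for (const action of UI_ACTIONS_BY_PRIVILEGE[priv] || []) actions.add(action);
    }
  }
  return actions;
}

// Behaviour the issue reports for 7.16.3: the "Edit field" dialog in Discover
// succeeds when EITHER feature carries "all", so savedObjectsManagement.all
// silently overrides feature_indexPatterns.read.
function observedDiscoverEditAllowed(applications) {
  const privs = new Set(applications.flatMap((e) => e.privileges));
  return privs.has("feature_indexPatterns.all") || privs.has("feature_savedObjectsManagement.all");
}

// Behaviour the reporter expects: show the pencil icon only when the role grants
// the indexPatterns/save action, the check the Index Patterns UI already applies.
function expectedDiscoverEditAllowed(applications) {
  return grantedUiActions(applications).has("ui:7.16.3:indexPatterns/save");
}

// Role quoted in the issue: read on index patterns, all on saved objects management.
const reportedRole = [
  { application: "kibana-.kibana", privileges: ["feature_indexPatterns.read", "feature_savedObjectsManagement.all"] },
];
```

Run against the reported role, the observed check admits the edit while the expected check denies it; the swapped role (indexPatterns "all", savedObjectsManagement "read") passes both.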

@flash1293 flash1293 added the Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. label Jun 17, 2022
@elasticmachine
Contributor

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Jun 17, 2022
@jughosta
Contributor

jughosta commented Jul 8, 2022

Hi @AndrewMcQuerry ! Thanks for reporting and your suggestions!

I think the issues you described are similar to another ticket. We addressed it via #134582 for v8.3 and the upcoming v8.4.

@kertal
Member

kertal commented Jul 19, 2022

Thx @AndrewMcQuerry for reporting, will close this because it was already addressed and won't be backported to 7.x

@kertal kertal closed this as completed Jul 19, 2022