[Spaces] Users able to login to any Space without permissions #25701

Closed
magicpotion opened this issue Nov 15, 2018 · 13 comments
Labels
Feature:Security/Spaces Platform Security - Spaces feature Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@magicpotion

Kibana version:
6.5.0

Describe the bug:
Space privileges are not working; users can still log in to a Space they don't have permissions for.
I would consider it a critical bug if you have released this feature already.

Expected behavior:
Users will not see Spaces they don't have permissions for.

image

What the user sees after login:

image

@azasypkin azasypkin added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Nov 15, 2018
@elasticmachine
Contributor

Pinging @elastic/kibana-security

@azasypkin azasypkin added the Feature:Security/Spaces Platform Security - Spaces feature label Nov 15, 2018
@legrego
Member

legrego commented Nov 15, 2018

Hey @magicpotion,
I'm not able to reproduce this behavior. Is this user assigned multiple roles? If this user also has the kibana_user role for example, then they will have access to all spaces within Kibana, regardless of what their other roles dictate.

Can you try assigning this user just the one role, and see if that works as you expect?

@magicpotion
Author

@legrego
There's only the kibana_dashboard_only_user role assigned; if I don't assign any role, the user just can't log in.
How else should I assign roles for users so they are able to see dashboards, but only in the Space that they are authorized to use?

Besides, security-wise, shouldn't an explicitly set privilege of None on a Space take precedence over anything else?

@legrego
Member

legrego commented Nov 15, 2018

@magicpotion,

The kibana_dashboard_only_user role always grants the user access to all spaces:
image

> How else should I assign roles for users so they are able to see dashboards, but only in the Space that they are authorized to use?

To create a dashboard-only role that is restricted to a specific space (or spaces):

  1. Create the role as you normally would:
    image
  2. Assign user to that role:
    image
  3. Go to the space you want the user to have access to, and navigate to Advanced Settings. Edit the "Dashboard only roles" to include the new role you created in step 1:
    image
  4. Test by logging in as this new user, and see that they only have access to a single space, in dashboard-only mode:
    image

> Besides, security-wise, shouldn't an explicitly set privilege of None on a Space take precedence over anything else?

Kibana privileges follow an additive security model, which is consistent with our cluster and index privileges. So if a user has two roles granted, one with access to all spaces, and one with access to no spaces, then the user will have access to all spaces. The lack of privileges in one role will not negate the privileges granted by another role.
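
The additive model described in the comment above, as an added example that is not part of the original thread and is not Kibana's code: effective access is the union of what each assigned role grants, and the audit flags users whose space-scoped role is widened by an all-spaces role. The role data, the `*` marker, the privilege names and the `marketing_dashboards` and `no_spaces` roles are constructed assumptions for this sketch.

```python
# Simplified, constructed model of additive role resolution (not Kibana's code).
ALL_SPACES = "*"  # marker used in this model for "every space"

# role name -> {space id or ALL_SPACES: set of privileges}. Constructed sample data;
# the privilege names are illustrative only.
ROLES = {
    "kibana_dashboard_only_user": {ALL_SPACES: {"read"}},
    "kibana_user": {ALL_SPACES: {"all"}},
    "marketing_dashboards": {"marketing": {"read"}},  # hypothetical space-scoped role
    "no_spaces": {},  # hypothetical role that grants nothing on any space
}


def effective_privileges(role_names, space, roles=ROLES):
    """Union of the privileges every assigned role grants on `space`."""
    granted = set()
    for name in role_names:
        grants = roles.get(name, {})
        granted |= grants.get(ALL_SPACES, set())
        granted |= grants.get(space, set())
    return granted


def accessible_spaces(role_names, all_spaces, roles=ROLES):
    """Spaces where at least one role grants at least one privilege."""
    return sorted(s for s in all_spaces
                  if effective_privileges(role_names, s, roles))


def overriding_roles(role_names, roles=ROLES):
    """Assigned roles that grant access to all spaces."""
    return sorted(n for n in role_names if roles.get(n, {}).get(ALL_SPACES))


def audit(users, all_spaces, roles=ROLES):
    """Users whose space-scoped roles are widened by an all-spaces role."""
    findings = []
    for user, role_names in sorted(users.items()):
        wide = overriding_roles(role_names, roles)
        scoped = [n for n in role_names if n not in wide]
        if wide and scoped:
            findings.append(
                (user, wide, accessible_spaces(role_names, all_spaces, roles)))
    return findings
```
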

@magicpotion
Author

@legrego OK, it is indeed working as expected. Thanks.

I don't think this process is very clear, though; I wish you could improve it.

@kobelb
Contributor

kobelb commented Nov 15, 2018

Hey @magicpotion, is it primarily the additive nature of the roles and their privileges that you find confusing, or that kibana_user and kibana_dashboard_only users automatically have access to all created Spaces?

@legrego
Member

legrego commented Nov 15, 2018

Great, I'm glad it's working for you! I've opened #25721 so we can improve the documentation around this functionality.

I'm going to close this since everything is working as designed, but feel free to respond if you have more to add to the conversation 👍

@legrego legrego closed this as completed Nov 15, 2018
@magicpotion
Author

I think the real problem is that I wasn't aware of the "Dashboard only roles" setting and that I can create such roles. I think it would be useful to at least have a link to it from Edit Role | Kibana, since it's related to roles, or some kind of indication that such a setting exists.

@kobelb
Contributor

kobelb commented Nov 15, 2018

@magicpotion that makes sense, thanks for the feedback!

@francisca-lima

francisca-lima commented Jan 10, 2019

Hello. I created a new space and defined these settings; however, it is not working. The left bar shows not only "Dashboard" but everything else. Any idea? Thank you.

@legrego
Member

legrego commented Jan 10, 2019

@francisca-lima what roles do you have assigned to your user? Are any of these roles defined as "Dashboard only mode" roles in the Advanced Settings for your particular space?

image

I'd suggest posting in our discussion boards if you need more assistance: https://discuss.elastic.co/c/kibana

@francisca-lima

> @francisca-lima what roles do you have assigned to your user? Are any of these roles defined as "Dashboard only mode" roles in the Advanced Settings for your particular space?
>
> image
>
> I'd suggest posting in our discussion boards if you need more assistance: https://discuss.elastic.co/c/kibana

The one that I created for this purpose, the my_custom_dashboard_only_role. Any other idea?

@francisca-lima

I forgot to set this setting in each space, my bad!
