[Feature Control] Ability to hide Management application completely #35040
Comments
AlonaNadler
added
the
Feature:Security/Feature Controls
|
Pinging @elastic/kibana-security |
|
For posterity, I want to document the reasons why we don't currently have support for this. Nothing here is insurmountable, but it adds complexity that we weren't comfortable taking on for the initial release of Feature Controls:
|
|
Hiding the management application seems to be one of the most common requests around hiding/restricting applications. @legrego you raised good points, given that there is complexity in this request, maybe there are alternatives
For users who use security, usually admins set the privileges and can disable the management application to end users, is it possible to keep management always on for all superusers?
If reporting was no longer in management, will it be easier to hide management application completely? |
If we only enabled this toggle on the Role Management screen, then we could support something like this, but having it available in Spaces too complicates it further.
That's an interesting thought. Do you think we could get away with always restricting the default space in this way?
It would help a bit. We'd have to figure out what to do with the apps that redirect for index pattern management too, but that's not a huge task I don't think. Where do you envision reporting living? |
Since to hide management is a common request going might be worth it. With this approach, basic users will not be able to hide the entire management application in the default space.
Management app becoming more and more the place to manage the entire stack, Im not sure reporting should stay there, end users that are mainly exploring and visualizing the data often don't need anything in the management app beside reporting |
That makes sense to me.
I'm struggling to see how we can make this work with the read/write privileges that we assign on the Role Management screen today. Most of the Management screen relies on ES Cluster Privileges to function, which aren't supported by the read/write privileges we grant today. So it wouldn't make sense to grant "readonly" or "read/write" access to Management as a whole, as it would only be able to control a few Kibana screens, namely Saved Objects and Index Patterns. The rest of the screens are controlled by other privileges, which might confuse users even more. I think to get to the point where we can hide Management in a logical manner w/ security, we first need the ability to hide management screens based on the user's cluster privileges. At that point, we can make more intelligent decisions about when to show/hide the Management app.
I completely agree. We just need to figure out where reporting should actually live, and then move it there. |
|
After further discussion, we're planning on hiding the management tab when there are no management "sections" available. We've broken this down into the following explicit issues:
|
|
#63443 will move Discover, Visualize, Dashboard, Lens and Dev Tools to the new platform where they become separate applications (currently they are all wrapped up in the This worsens a problem which already exists today: When a user doesn't have a role granting them access to the |
|
(full disclosure: I haven't looked at #63443) Most features will grant access to the If management is still under the |
legrego
added
the
Team:Security
|
@legrego OK so you think in that PR I should just keep the |
|
Yes I would keep that privilege for the time being |
|
@legrego Hm, I just tried that but somehow it doesn't work. When I list two apps for each of those features, it becomes impossible to disable them via feature controls. Maybe I'm doing something wrong. Everything works fine (except for the thing with management 404ing) {
id: 'dev_tools',
name: i18n.translate('xpack.features.devToolsFeatureName', {
defaultMessage: 'Dev Tools',
}),
order: 1300,
icon: 'devToolsApp',
navLinkId: 'dev_tools',
app: ['dev_tools'],
catalogue: ['console', 'searchprofiler', 'grokdebugger'],
privileges: {
all: {
app: ['dev_tools'],
catalogue: ['console', 'searchprofiler', 'grokdebugger'],
api: ['console'],
savedObject: {
all: [],
read: [],
},
ui: ['show', 'save'],
},
read: {
app: ['dev_tools'],
catalogue: ['console', 'searchprofiler', 'grokdebugger'],
api: ['console'],
savedObject: {
all: [],
read: [],
},
ui: ['show'],
},
},
privilegesTooltip: i18n.translate('xpack.features.devToolsPrivilegesTooltip', {
defaultMessage:
'User should also be granted the appropriate Elasticsearch cluster and index privileges',
}),
},Dev tools is always accessible, no matter what: {
id: 'dev_tools',
name: i18n.translate('xpack.features.devToolsFeatureName', {
defaultMessage: 'Dev Tools',
}),
order: 1300,
icon: 'devToolsApp',
navLinkId: 'dev_tools',
app: ['dev_tools', 'kibana'],
catalogue: ['console', 'searchprofiler', 'grokdebugger'],
privileges: {
all: {
app: ['dev_tools', 'kibana'],
catalogue: ['console', 'searchprofiler', 'grokdebugger'],
api: ['console'],
savedObject: {
all: [],
read: [],
},
ui: ['show', 'save'],
},
read: {
app: ['dev_tools', 'kibana'],
catalogue: ['console', 'searchprofiler', 'grokdebugger'],
api: ['console'],
savedObject: {
all: [],
read: [],
},
ui: ['show'],
},
},
privilegesTooltip: i18n.translate('xpack.features.devToolsPrivilegesTooltip', {
defaultMessage:
'User should also be granted the appropriate Elasticsearch cluster and index privileges',
}),
}, |
Currently, with FC users will be able to hide/restrict certain features within management like
index patternsandadvanced setting, the rest of the options including all ES, Ingest and Kibana will be available even if the users don't have a privilege to use them and there is no way to hide/restrict the entire management application.The ask is to be able to hide and restrict management application completely as part of Feature Control.
The text was updated successfully, but these errors were encountered: