All users should have read-only access to telemetry opt-in status #77246

Closed
legrego opened this issue Sep 10, 2020 · 1 comment · Fixed by #77390
Labels
- bug: Fixes for quality problems that affect the customer experience
- :Security/Feature Controls
- Team:Security: Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!


legrego commented Sep 10, 2020

In the legacy platform, end-users did not need to read the current telemetry opt-in status, as this was handled server-side by the kibana_system user.

The new platform uses the end-user credentials to retrieve this information, which results in a 403 error for underprivileged users. This is common for users with any level of "readonly" access to Kibana.

Kibana's "automatic privilege grants" should be updated so that read-only users also have access to the telemetry saved object type, similar to what we've done for users with all privileges assigned:

```ts
function applyAutomaticAllPrivilegeGrants(
  ...allPrivileges: Array<FeatureKibanaPrivileges | undefined>
) {
  allPrivileges.forEach((allPrivilege) => {
    if (allPrivilege) {
      allPrivilege.savedObject.all = uniq([...allPrivilege.savedObject.all, 'telemetry']);
      allPrivilege.savedObject.read = uniq([...allPrivilege.savedObject.read, 'config', 'url']);
    }
  });
}

function applyAutomaticReadPrivilegeGrants(
  ...readPrivileges: Array<FeatureKibanaPrivileges | undefined>
) {
  readPrivileges.forEach((readPrivilege) => {
    if (readPrivilege) {
      readPrivilege.savedObject.read = uniq([...readPrivilege.savedObject.read, 'config', 'url']);
    }
  });
}
```

cc @rashmivkulkarni
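
The requested change, as an added example that is not part of the original issue or Kibana's code: a self-contained model of the read grants with and without `telemetry`, checking that a read-only user gains read access to the saved object type but no write access. `PrivilegeSketch`, `statusFor`, `grantReadCurrent`, `grantReadProposed` and the sample user are hypothetical names, and the status check is a simplified assumption about how grants map to a 200 or 403.

```typescript
// Simplified stand-in for Kibana's FeatureKibanaPrivileges (assumption: only
// the savedObject grants matter for this illustration).
interface PrivilegeSketch {
  savedObject: { all: string[]; read: string[] };
}

const uniq = (xs: string[]): string[] => xs.filter((x, i) => xs.indexOf(x) === i);

// Read grants as quoted in the issue: 'telemetry' is missing.
function grantReadCurrent(p: PrivilegeSketch): PrivilegeSketch {
  const { all, read } = p.savedObject;
  return { savedObject: { all: [...all], read: uniq([...read, 'config', 'url']) } };
}

// Read grants with the requested change: 'telemetry' added to read only.
function grantReadProposed(p: PrivilegeSketch): PrivilegeSketch {
  const { all, read } = p.savedObject;
  return { savedObject: { all: [...all], read: uniq([...read, 'config', 'telemetry', 'url']) } };
}

// Hypothetical authorization check: 'all' allows read and write, 'read' allows
// read only. Returns the HTTP status the caller would see.
function statusFor(p: PrivilegeSketch, type: string, action: 'read' | 'write'): number {
  const canWrite = p.savedObject.all.indexOf(type) !== -1;
  const canRead = canWrite || p.savedObject.read.indexOf(type) !== -1;
  return (action === 'read' ? canRead : canWrite) ? 200 : 403;
}

// Constructed sample: a read-only privilege for a dashboard-like feature.
const readOnlyUser: PrivilegeSketch = { savedObject: { all: [], read: ['dashboard'] } };

function compareGrants() {
  const before = grantReadCurrent(readOnlyUser);
  const after = grantReadProposed(readOnlyUser);
  return {
    readBefore: statusFor(before, 'telemetry', 'read'),
    readAfter: statusFor(after, 'telemetry', 'read'),
    writeAfter: statusFor(after, 'telemetry', 'write'),
    dashboardRead: statusFor(after, 'dashboard', 'read'),
  };
}

console.log(compareGrants());
```
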

@legrego added the bug, Team:Security and :Security/Feature Controls labels on Sep 10, 2020
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)
