[Breaking change] kibana_user role removed and replaced by kibana_admin #81674

kobelb opened this issue Oct 26, 2020 · 3 comments
Labels: Breaking Change, NeededFor:Security, Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)

Comments

kobelb commented Oct 26, 2020

Change description

Which release will ship the breaking change?

8.0

Describe the change. How will it manifest to users?

The kibana_user role has been removed, and users should use the kibana_admin role instead. Users who are still assigned the kibana_user role will no longer be granted those privileges and will be unable to log in and use Kibana.

How many users will be affected?

There are likely a considerable number of deployments that are still using the kibana_user role. It was the primary method of granting users access to Kibana prior to Spaces and the granular RBAC work. Additionally, the kibana_admin role was introduced mid-7.x.

What can users do to address the change manually?

Use Kibana's user management to change all users who are granted the kibana_user role to now use the kibana_admin role. Use Kibana's role-mapping management to change all role-mappings which assign the kibana_user role to now assign the kibana_admin role.

How could we make migration easier with the Upgrade Assistant?

If we could automatically migrate users and role-mappings to use kibana_admin instead of kibana_user, it'd eliminate this burden.

Are there any edge cases?

No

Test Data

Provide test data. We can’t build a solution without data to test it against.

POST /_security/user/old_user
{
  "password" : "password",
  "roles" : [ "kibana_user" ],
  "full_name" : "Kibana User"
}
POST /_security/role_mapping/old_role_mapping
{
  "roles": [ "kibana_user"],
  "enabled": true, 
  "rules": {
    "field" : { "username" : "*" }
  }
}

Cross links

N/A
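
The manual migration described in this issue, sketched as an added example (not code from the issue or from Kibana). It assumes the parsed responses of GET /_security/user and GET /_security/role_mapping as input; the function names and sample data are hypothetical and constructed, and the script only plans the PUT requests, it sends nothing.

```python
import json

OLD, NEW = "kibana_user", "kibana_admin"

def swap_role(roles):
    """Replace OLD with NEW, keeping order and dropping a duplicate NEW."""
    out = []
    for r in roles:
        r = NEW if r == OLD else r
        if r not in out:
            out.append(r)
    return out

def plan_migration(users, mappings):
    """users / mappings: parsed GET /_security/user and GET /_security/role_mapping.
    Returns (PUT requests to review, role-mapping names that need a manual edit)."""
    requests, manual = [], []
    for name, u in users.items():
        # Built-in (reserved) users have fixed roles and cannot be updated this way.
        if OLD not in u.get("roles", []) or (u.get("metadata") or {}).get("_reserved"):
            continue
        # Password is omitted so the update leaves it unchanged.
        body = {k: u[k] for k in ("full_name", "email", "metadata", "enabled") if k in u}
        body["roles"] = swap_role(u["roles"])
        requests.append(("PUT", f"/_security/user/{name}", body))
    for name, m in mappings.items():
        if OLD in m.get("roles", []):
            body = dict(m, roles=swap_role(m["roles"]))
            requests.append(("PUT", f"/_security/role_mapping/{name}", body))
        elif OLD in json.dumps(m.get("role_templates", [])):
            # Role names produced by templates are not rewritten automatically.
            manual.append(name)
    return requests, manual

# Constructed sample responses, modelled on the test data in the issue.
SAMPLE_USERS = {
    "old_user": {"roles": ["kibana_user"], "full_name": "Kibana User", "enabled": True},
    "both": {"roles": ["kibana_user", "kibana_admin"], "enabled": True},
    "viewer": {"roles": ["viewer"], "enabled": True},
}
SAMPLE_MAPPINGS = {
    "old_role_mapping": {"roles": ["kibana_user"], "enabled": True,
                         "rules": {"field": {"username": "*"}}},
    "templated": {"role_templates": [{"template": {"source": "kibana_user"}}],
                  "enabled": True, "rules": {"field": {"realm.name": "ldap1"}}},
}

if __name__ == "__main__":
    reqs, manual = plan_migration(SAMPLE_USERS, SAMPLE_MAPPINGS)
    for method, path, body in reqs:
        print(method, path, json.dumps(body))
    print("review by hand:", manual)
```

Role mappings defined in a file on the Elasticsearch nodes are not returned by the role-mapping API, so they have to be checked separately.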

@kobelb kobelb added Team:Kibana Management Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more Feature:Upgrade Assistant labels Oct 26, 2020
@elasticmachine

Pinging @elastic/es-ui (Team:Elasticsearch UI)

@kobelb kobelb changed the title [Breaking change] Remove kibana_user role, replaced with kibana_admin role. [Breaking change] Remove kibana_user role, replaced by kibana_admin role. Oct 26, 2020
@kobelb kobelb changed the title [Breaking change] Remove kibana_user role, replaced by kibana_admin role. [Breaking change] Remove kibana_user role (replaced by kibana_admin role) Oct 26, 2020
@kobelb kobelb changed the title [Breaking change] Remove kibana_user role (replaced by kibana_admin role) [Breaking change] kibana_user role removed and replaced by kibana_admin Oct 26, 2020
@legrego legrego added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Nov 3, 2020
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)

@alisonelizabeth

I'm going to remove the Elasticsearch UI team label. This deprecation should be registered by the plugin owner via the core deprecations service (#94845). All registered deprecations will be displayed in the Upgrade Assistant (to be implemented via #97159). Feel free to reach out to me or the core team with any questions!

@alisonelizabeth alisonelizabeth removed the Team:Kibana Management Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more label Apr 19, 2021
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Aug 5, 2021
@legrego legrego removed EnableJiraSync loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 18, 2022