-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Register kibana_dashboard_only_user and kibana_user roles deprecations in UA.
#110960
Merged
azasypkin
merged 13 commits into
elastic:7.x
from
azasypkin:issue-xxx-role-deprecations
Oct 18, 2021
Merged
Changes from all commits
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
19267a9
Register `kibana_dashboard_only_user` and `kibana_user` roles depreca…
azasypkin 9196893
Merge branch '7.x' into issue-xxx-role-deprecations
azasypkin 0c4ecd0
Review#1: improve deprecation messages.
azasypkin f0e3b24
Sync i18n labels with the same IDs.
azasypkin afb31ce
Merge branch '7.x' into issue-xxx-role-deprecations
azasypkin 7d9b3e5
Update test snapshots.
azasypkin 98f000a
Remove `in favor of` as suggested in the guidelines.
azasypkin 2c57ba7
Merge branch '7.x' into issue-xxx-role-deprecations
azasypkin 921aff2
Improve deprecation messages and use more appropriate documentation l…
azasypkin f4026be
Penalty for not being attentive enough.
azasypkin e88267b
Merge branch '7.x' into issue-xxx-role-deprecations
azasypkin 7fd0a88
Review#3: improve deprecation messages.
azasypkin 88fa862
Merge branch '7.x' into issue-xxx-role-deprecations
kibanamachine File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
322 changes: 322 additions & 0 deletions
322
x-pack/plugins/security/server/deprecations/kibana_dashboard_only_role.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,322 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License | ||
| * 2.0; you may not use this file except in compliance with the Elastic License | ||
| * 2.0. | ||
| */ | ||
|
|
||
| import { errors } from '@elastic/elasticsearch'; | ||
| import type { SecurityRoleMapping, SecurityUser } from '@elastic/elasticsearch/api/types'; | ||
|
|
||
| import type { PackageInfo, RegisterDeprecationsConfig } from 'src/core/server'; | ||
| import { | ||
| deprecationsServiceMock, | ||
| elasticsearchServiceMock, | ||
| loggingSystemMock, | ||
| savedObjectsClientMock, | ||
| } from 'src/core/server/mocks'; | ||
|
|
||
| import { licenseMock } from '../../common/licensing/index.mock'; | ||
| import { securityMock } from '../mocks'; | ||
| import { registerKibanaDashboardOnlyRoleDeprecation } from './kibana_dashboard_only_role'; | ||
|
|
||
| function getDepsMock() { | ||
| return { | ||
| logger: loggingSystemMock.createLogger(), | ||
| deprecationsService: deprecationsServiceMock.createSetupContract(), | ||
| license: licenseMock.create(), | ||
| packageInfo: { | ||
| branch: 'some-branch', | ||
| buildSha: 'sha', | ||
| dist: true, | ||
| version: '8.0.0', | ||
| buildNum: 1, | ||
| } as PackageInfo, | ||
| }; | ||
| } | ||
|
|
||
| function getContextMock() { | ||
| return { | ||
| esClient: elasticsearchServiceMock.createScopedClusterClient(), | ||
| savedObjectsClient: savedObjectsClientMock.create(), | ||
| }; | ||
| } | ||
|
|
||
| function createMockUser(user: Partial<SecurityUser> = {}) { | ||
| return { enabled: true, username: 'userA', roles: ['roleA'], metadata: {}, ...user }; | ||
| } | ||
|
|
||
| function createMockRoleMapping(mapping: Partial<SecurityRoleMapping> = {}) { | ||
| return { enabled: true, roles: ['roleA'], rules: {}, metadata: {}, ...mapping }; | ||
| } | ||
|
|
||
| describe('Kibana Dashboard Only User role deprecations', () => { | ||
| let mockDeps: ReturnType<typeof getDepsMock>; | ||
| let mockContext: ReturnType<typeof getContextMock>; | ||
| let deprecationHandler: RegisterDeprecationsConfig; | ||
| beforeEach(() => { | ||
| mockContext = getContextMock(); | ||
| mockDeps = getDepsMock(); | ||
| registerKibanaDashboardOnlyRoleDeprecation(mockDeps); | ||
|
|
||
| expect(mockDeps.deprecationsService.registerDeprecations).toHaveBeenCalledTimes(1); | ||
| deprecationHandler = mockDeps.deprecationsService.registerDeprecations.mock.calls[0][0]; | ||
| }); | ||
|
|
||
| it('does not return any deprecations if security is not enabled', async () => { | ||
| mockDeps.license.isEnabled.mockReturnValue(false); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toEqual([]); | ||
| expect(mockContext.esClient.asCurrentUser.security.getUser).not.toHaveBeenCalled(); | ||
| expect(mockContext.esClient.asCurrentUser.security.getRoleMapping).not.toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('does not return any deprecations if none of the users and role mappings has a dashboard only role', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { userA: createMockUser() } }) | ||
| ); | ||
|
|
||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ | ||
| body: { | ||
| mappingA: { enabled: true, roles: ['roleA'], rules: {}, metadata: {} }, | ||
| }, | ||
| }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toEqual([]); | ||
| }); | ||
|
|
||
| it('returns deprecations even if cannot retrieve users due to permission error', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockRejectedValue( | ||
| new errors.ResponseError(securityMock.createApiResponse({ statusCode: 403, body: {} })) | ||
| ); | ||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { mappingA: createMockRoleMapping() } }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Make sure you have a \\"manage_security\\" cluster privilege assigned.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/kibana/some-branch/xpack-security.html#_required_permissions_7", | ||
| "level": "fetch_error", | ||
| "message": "You do not have enough permissions to fix this deprecation.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is deprecated", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns deprecations even if cannot retrieve users due to unknown error', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockRejectedValue( | ||
| new errors.ResponseError(securityMock.createApiResponse({ statusCode: 500, body: {} })) | ||
| ); | ||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { mappingA: createMockRoleMapping() } }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Check Kibana logs for more details.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "level": "fetch_error", | ||
| "message": "Failed to perform deprecation check. Check Kibana logs for more details.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is deprecated", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns deprecations even if cannot retrieve role mappings due to permission error', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { userA: createMockUser() } }) | ||
| ); | ||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockRejectedValue( | ||
| new errors.ResponseError(securityMock.createApiResponse({ statusCode: 403, body: {} })) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Make sure you have a \\"manage_security\\" cluster privilege assigned.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/kibana/some-branch/xpack-security.html#_required_permissions_7", | ||
| "level": "fetch_error", | ||
| "message": "You do not have enough permissions to fix this deprecation.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is deprecated", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns deprecations even if cannot retrieve role mappings due to unknown error', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { userA: createMockUser() } }) | ||
| ); | ||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockRejectedValue( | ||
| new errors.ResponseError(securityMock.createApiResponse({ statusCode: 500, body: {} })) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Check Kibana logs for more details.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "level": "fetch_error", | ||
| "message": "Failed to perform deprecation check. Check Kibana logs for more details.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is deprecated", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns only user-related deprecations', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ | ||
| body: { | ||
| userA: createMockUser({ username: 'userA', roles: ['roleA'] }), | ||
| userB: createMockUser({ | ||
| username: 'userB', | ||
| roles: ['roleB', 'kibana_dashboard_only_user'], | ||
| }), | ||
| userC: createMockUser({ username: 'userC', roles: ['roleC'] }), | ||
| userD: createMockUser({ username: 'userD', roles: ['kibana_dashboard_only_user'] }), | ||
| }, | ||
| }) | ||
| ); | ||
|
|
||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { mappingA: createMockRoleMapping() } }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Create a custom role with Kibana privileges to grant access to Dashboard only.", | ||
| "Remove the \\"kibana_dashboard_only_user\\" role from all users and add the custom role. The affected users are: userB, userD.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/some-branch/built-in-roles.html", | ||
| "level": "warning", | ||
| "message": "Users with the \\"kibana_dashboard_only_user\\" role will not be able to access the Dashboard app. Use Kibana privileges instead.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is deprecated", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns only role-mapping-related deprecations', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { userA: createMockUser() } }) | ||
| ); | ||
|
|
||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ | ||
| body: { | ||
| mappingA: createMockRoleMapping({ roles: ['roleA'] }), | ||
| mappingB: createMockRoleMapping({ roles: ['roleB', 'kibana_dashboard_only_user'] }), | ||
| mappingC: createMockRoleMapping({ roles: ['roleC'] }), | ||
| mappingD: createMockRoleMapping({ roles: ['kibana_dashboard_only_user'] }), | ||
| }, | ||
| }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Create a custom role with Kibana privileges to grant access to Dashboard only.", | ||
| "Remove the \\"kibana_dashboard_only_user\\" role from all role mappings and add the custom role. The affected role mappings are: mappingB, mappingD.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/some-branch/built-in-roles.html", | ||
| "level": "warning", | ||
| "message": "Users with the \\"kibana_dashboard_only_user\\" role will not be able to access the Dashboard app. Use Kibana privileges instead.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is deprecated", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns both user-related and role-mapping-related deprecations', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ | ||
| body: { | ||
| userA: createMockUser({ username: 'userA', roles: ['roleA'] }), | ||
| userB: createMockUser({ | ||
| username: 'userB', | ||
| roles: ['roleB', 'kibana_dashboard_only_user'], | ||
| }), | ||
| userC: createMockUser({ username: 'userC', roles: ['roleC'] }), | ||
| userD: createMockUser({ username: 'userD', roles: ['kibana_dashboard_only_user'] }), | ||
| }, | ||
| }) | ||
| ); | ||
|
|
||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ | ||
| body: { | ||
| mappingA: createMockRoleMapping({ roles: ['roleA'] }), | ||
| mappingB: createMockRoleMapping({ roles: ['roleB', 'kibana_dashboard_only_user'] }), | ||
| mappingC: createMockRoleMapping({ roles: ['roleC'] }), | ||
| mappingD: createMockRoleMapping({ roles: ['kibana_dashboard_only_user'] }), | ||
| }, | ||
| }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Create a custom role with Kibana privileges to grant access to Dashboard only.", | ||
| "Remove the \\"kibana_dashboard_only_user\\" role from all users and add the custom role. The affected users are: userB, userD.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/some-branch/built-in-roles.html", | ||
| "level": "warning", | ||
| "message": "Users with the \\"kibana_dashboard_only_user\\" role will not be able to access the Dashboard app. Use Kibana privileges instead.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is deprecated", | ||
| }, | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Create a custom role with Kibana privileges to grant access to Dashboard only.", | ||
| "Remove the \\"kibana_dashboard_only_user\\" role from all role mappings and add the custom role. The affected role mappings are: mappingB, mappingD.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/some-branch/built-in-roles.html", | ||
| "level": "warning", | ||
| "message": "Users with the \\"kibana_dashboard_only_user\\" role will not be able to access the Dashboard app. Use Kibana privileges instead.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is deprecated", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
| }); | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❤️ I was worried that an error would prevent UA from surfacing the other deprecations, but this test assuages that concern.