[Logs UI] Return 403s rather than 500s for ML privilege errors (#74506)

* Add ML privileges error checks to all routes
elastic · Aug 12, 2020 · 2e38f5a · 2e38f5a
1 parent 7f33e72
commit 2e38f5a
Show file tree

Hide file tree

Showing 9 changed files with 93 additions and 2 deletions.
diff --git a/x-pack/plugins/infra/server/lib/log_analysis/errors.ts b/x-pack/plugins/infra/server/lib/log_analysis/errors.ts
@@ -6,6 +6,12 @@
 
 /* eslint-disable max-classes-per-file */
 
+import {
+  UnknownMLCapabilitiesError,
+  InsufficientMLCapabilities,
+  MLPrivilegesUninitialized,
+} from '../../../../ml/server';
+
 export class NoLogAnalysisMlJobError extends Error {
   constructor(message?: string) {
     super(message);
@@ -33,3 +39,11 @@ export class InsufficientAnomalyMlJobsConfigured extends Error {
     Object.setPrototypeOf(this, new.target.prototype);
   }
 }
+
+export const isMlPrivilegesError = (error: any) => {
+  return (
+    error instanceof UnknownMLCapabilitiesError ||
+    error instanceof InsufficientMLCapabilities ||
+    error instanceof MLPrivilegesUninitialized
+  );
+};
diff --git a/x-pack/plugins/infra/server/lib/log_analysis/log_entry_anomalies.ts b/x-pack/plugins/infra/server/lib/log_analysis/log_entry_anomalies.ts
@@ -25,6 +25,7 @@ import {
   InsufficientAnomalyMlJobsConfigured,
   InsufficientLogAnalysisMlJobConfigurationError,
   UnknownCategoryError,
+  isMlPrivilegesError,
 } from './errors';
 import { decodeOrThrow } from '../../../common/runtime_types';
 import {
@@ -65,7 +66,10 @@ async function getCompatibleAnomaliesJobIds(
     jobIds.push(logRateJobId);
     jobSpans = [...jobSpans, ...spans];
   } catch (e) {
-    // Job wasn't found
+    if (isMlPrivilegesError(e)) {
+      throw e;
+    }
+    // An error is also thrown when no jobs are found
   }
 
   try {
@@ -75,7 +79,10 @@ async function getCompatibleAnomaliesJobIds(
     jobIds.push(logCategoriesJobId);
     jobSpans = [...jobSpans, ...spans];
   } catch (e) {
-    // Job wasn't found
+    if (isMlPrivilegesError(e)) {
+      throw e;
+    }
+    // An error is also thrown when no jobs are found
   }
 
   return {

diff --git a/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_anomalies.ts b/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_anomalies.ts
@@ -17,6 +17,7 @@ import {
 import { createValidationFunction } from '../../../../common/runtime_types';
 import { assertHasInfraMlPlugins } from '../../../utils/request_context';
 import { getLogEntryAnomalies } from '../../../lib/log_analysis';
+import { isMlPrivilegesError } from '../../../lib/log_analysis/errors';
 
 export const initGetLogEntryAnomaliesRoute = ({ framework }: InfraBackendLibs) => {
   framework.registerRoute(
@@ -73,6 +74,15 @@ export const initGetLogEntryAnomaliesRoute = ({ framework }: InfraBackendLibs) =
           throw error;
         }
 
+        if (isMlPrivilegesError(error)) {
+          return response.customError({
+            statusCode: 403,
+            body: {
+              message: error.message,
+            },
+          });
+        }
+
         return response.customError({
           statusCode: error.statusCode ?? 500,
           body: {

diff --git a/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_anomalies_datasets.ts b/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_anomalies_datasets.ts
@@ -14,6 +14,7 @@ import { createValidationFunction } from '../../../../common/runtime_types';
 import type { InfraBackendLibs } from '../../../lib/infra_types';
 import { getLogEntryAnomaliesDatasets } from '../../../lib/log_analysis';
 import { assertHasInfraMlPlugins } from '../../../utils/request_context';
+import { isMlPrivilegesError } from '../../../lib/log_analysis/errors';
 
 export const initGetLogEntryAnomaliesDatasetsRoute = ({ framework }: InfraBackendLibs) => {
   framework.registerRoute(
@@ -55,6 +56,15 @@ export const initGetLogEntryAnomaliesDatasetsRoute = ({ framework }: InfraBacken
           throw error;
         }
 
+        if (isMlPrivilegesError(error)) {
+          return response.customError({
+            statusCode: 403,
+            body: {
+              message: error.message,
+            },
+          });
+        }
+
         return response.customError({
           statusCode: error.statusCode ?? 500,
           body: {

diff --git a/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_categories.ts b/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_categories.ts
@@ -14,6 +14,7 @@ import { createValidationFunction } from '../../../../common/runtime_types';
 import type { InfraBackendLibs } from '../../../lib/infra_types';
 import { getTopLogEntryCategories } from '../../../lib/log_analysis';
 import { assertHasInfraMlPlugins } from '../../../utils/request_context';
+import { isMlPrivilegesError } from '../../../lib/log_analysis/errors';
 
 export const initGetLogEntryCategoriesRoute = ({ framework }: InfraBackendLibs) => {
   framework.registerRoute(
@@ -66,6 +67,15 @@ export const initGetLogEntryCategoriesRoute = ({ framework }: InfraBackendLibs)
           throw error;
         }
 
+        if (isMlPrivilegesError(error)) {
+          return response.customError({
+            statusCode: 403,
+            body: {
+              message: error.message,
+            },
+          });
+        }
+
         return response.customError({
           statusCode: error.statusCode ?? 500,
           body: {

diff --git a/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_category_datasets.ts b/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_category_datasets.ts
@@ -14,6 +14,7 @@ import { createValidationFunction } from '../../../../common/runtime_types';
 import type { InfraBackendLibs } from '../../../lib/infra_types';
 import { getLogEntryCategoryDatasets } from '../../../lib/log_analysis';
 import { assertHasInfraMlPlugins } from '../../../utils/request_context';
+import { isMlPrivilegesError } from '../../../lib/log_analysis/errors';
 
 export const initGetLogEntryCategoryDatasetsRoute = ({ framework }: InfraBackendLibs) => {
   framework.registerRoute(
@@ -55,6 +56,15 @@ export const initGetLogEntryCategoryDatasetsRoute = ({ framework }: InfraBackend
           throw error;
         }
 
+        if (isMlPrivilegesError(error)) {
+          return response.customError({
+            statusCode: 403,
+            body: {
+              message: error.message,
+            },
+          });
+        }
+
         return response.customError({
           statusCode: error.statusCode ?? 500,
           body: {

diff --git a/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_category_examples.ts b/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_category_examples.ts
@@ -14,6 +14,7 @@ import { createValidationFunction } from '../../../../common/runtime_types';
 import type { InfraBackendLibs } from '../../../lib/infra_types';
 import { getLogEntryCategoryExamples } from '../../../lib/log_analysis';
 import { assertHasInfraMlPlugins } from '../../../utils/request_context';
+import { isMlPrivilegesError } from '../../../lib/log_analysis/errors';
 
 export const initGetLogEntryCategoryExamplesRoute = ({ framework, sources }: InfraBackendLibs) => {
   framework.registerRoute(
@@ -65,6 +66,15 @@ export const initGetLogEntryCategoryExamplesRoute = ({ framework, sources }: Inf
           throw error;
         }
 
+        if (isMlPrivilegesError(error)) {
+          return response.customError({
+            statusCode: 403,
+            body: {
+              message: error.message,
+            },
+          });
+        }
+
         return response.customError({
           statusCode: error.statusCode ?? 500,
           body: {

diff --git a/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_examples.ts b/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_examples.ts
@@ -14,6 +14,7 @@ import {
   getLogEntryExamplesSuccessReponsePayloadRT,
   LOG_ANALYSIS_GET_LOG_ENTRY_RATE_EXAMPLES_PATH,
 } from '../../../../common/http_api/log_analysis';
+import { isMlPrivilegesError } from '../../../lib/log_analysis/errors';
 
 export const initGetLogEntryExamplesRoute = ({ framework, sources }: InfraBackendLibs) => {
   framework.registerRoute(
@@ -68,6 +69,15 @@ export const initGetLogEntryExamplesRoute = ({ framework, sources }: InfraBacken
           throw error;
         }
 
+        if (isMlPrivilegesError(error)) {
+          return response.customError({
+            statusCode: 403,
+            body: {
+              message: error.message,
+            },
+          });
+        }
+
         return response.customError({
           statusCode: error.statusCode ?? 500,
           body: {

diff --git a/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_rate.ts b/x-pack/plugins/infra/server/routes/log_analysis/results/log_entry_rate.ts
@@ -15,6 +15,7 @@ import {
 import { createValidationFunction } from '../../../../common/runtime_types';
 import { getLogEntryRateBuckets } from '../../../lib/log_analysis';
 import { assertHasInfraMlPlugins } from '../../../utils/request_context';
+import { isMlPrivilegesError } from '../../../lib/log_analysis/errors';
 
 export const initGetLogEntryRateRoute = ({ framework }: InfraBackendLibs) => {
   framework.registerRoute(
@@ -56,6 +57,15 @@ export const initGetLogEntryRateRoute = ({ framework }: InfraBackendLibs) => {
           throw error;
         }
 
+        if (isMlPrivilegesError(error)) {
+          return response.customError({
+            statusCode: 403,
+            body: {
+              message: error.message,
+            },
+          });
+        }
+
         return response.customError({
           statusCode: error.statusCode ?? 500,
           body: {