Spaces security bug: a user can write in any other space than his own one

[fbaligand]

Kibana version: 6.5

Elasticsearch version: 6.5

Describe the bug:
When a user is authorized to write in a Kibana space, he can write in other spaces, using Dev Tools.
That is a big security problem.

Steps to reproduce:

1. I create a user with a role, where he can only write in Kibana Space "space1" (and cannot do anything in other spaces)
2. I go to Dev Tools and do a GET .kibana/_search => I get all documents whatever the space
3. Then I put a document in .kibana index with another "space2" namespace, and it works

Expected behavior:
read and write access to other spaces should be blocked for my user

[elasticmachine]

Pinging @elastic/kibana-security

[kobelb]

Copying @legrego's response from #21408 (comment)

tl;dr: Update your roles to not have direct access to the .kibana* indices -- this isn't needed anymore.

You're right, we use a single Kibana index for all spaces. The work we completed with RBAC Phase 1 was a prerequisite for us to complete spaces, and it allows us to no longer require users to have direct access to the .kibana index.

In other words, if you update your end-user roles to no longer have read/write access to .kibana*, then you can achieve the security you're looking for.

You'll also notice that the built-in kibana_user and kibana_dashboard_only_user roles still have direct access to .kibana. This was done to simplify upgrade scenarios for the remainder of 6.x, and is known as our Legacy Fallback mechanism.

The Legacy Fallback will be removed in 7.0.

[fbaligand]

@kobelb @legrego
I finally realized that my test was wrong, so sorry for this false issue.

[kobelb]

@fbaligand no worries at all!