"Add layer" ignores Field Level Security (FLS) rules #34334
Comments
Pinging @elastic/kibana-gis
Pinging @elastic/kibana-app
The Maps application obtains the list of fields from Kibana's index-pattern saved object. The field list will contain the fields available to the user at the time the index-pattern saved object is created. Elasticsearch will prevent the user from actually seeing those fields' values if they aren’t authorized to do so when viewing the map. The only thing exposed is the field name. This is an issue that is not unique to the Maps application. For example, Visualizations use index-pattern saved objects to show users the list of available fields for aggregations. Discover does not use the index-pattern saved object. Instead, Discover queries for the first 500 matches and compiles the field list from the retrieved documents.
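The gap described in the comment above, as an added example that is not part of the original thread and is not Kibana code: it compares a field list cached in a saved object against the current user's FLS rules and reports which names are exposed anyway. It assumes a simplified model of Elasticsearch role `field_security` (`grant`/`except` with `*` wildcards, roles combined by union); the function names and sample fields are hypothetical.

```javascript
// Added illustration, not Kibana code. Models Elasticsearch role
// `field_security` ({ grant, except }) with simple `*` wildcards (assumption).

// Convert an FLS pattern such as "customer.*" into an anchored RegExp.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// True when one role's field_security lets the user read `field`.
function roleAllows(fieldSecurity, field) {
  const matches = (patterns = []) =>
    patterns.some((p) => patternToRegExp(p).test(field));
  return matches(fieldSecurity.grant) && !matches(fieldSecurity.except);
}

// Split a cached field list into names the current user may see and names
// that are exposed only because the list was captured at an earlier time.
// A field counts as visible if any of the user's roles allows it.
function partitionCachedFields(cachedFields, userFieldSecurity) {
  const visible = [];
  const leakedNames = [];
  for (const field of cachedFields) {
    const allowed = userFieldSecurity.some((fs) => roleAllows(fs, field));
    (allowed ? visible : leakedNames).push(field);
  }
  return { visible, leakedNames };
}

// Constructed sample data: a field list stored in the saved object when it
// was created, later read by a user whose role excludes customer.* fields.
const cachedFields = ['@timestamp', 'geo.location', 'customer.name', 'customer.ssn'];
const restrictedUser = [{ grant: ['*'], except: ['customer.*'] }];

const result = partitionCachedFields(cachedFields, restrictedUser);
console.log('field list from saved object:', cachedFields);
console.log('authorized for this user:    ', result.visible);
console.log('names exposed despite FLS:   ', result.leakedNames);
```

Filtering the picker to `visible` is the "hide the field" behavior the issue asks for; a non-empty `leakedNames` is the condition being reported.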
Pinging @elastic/kibana-security
It would be more in line with best practices, I believe, if non-accessible fields are hidden altogether throughout all UIs/APIs of the Stack.
#8192 was initially opened all the way back in 2.4/4.6, and I initially closed it because it appeared to be working as designed. In retrospect, that was foolish and it's something we should look into addressing. I've re-opened #8192, and would prefer to use that issue to track this limitation, as it does apply to all consumers of index patterns, including "traditional visualizations", maps and others.
Sounds fine to me
Thanks for reporting this @loekvangool!
Kibana version: 6.7.0
Elasticsearch version: 6.7.0
Server OS version: ESS
Browser version: Chrome
Browser OS version: OSX
Original install method (e.g. download page, yum, from source, etc.): ESS
Describe the bug:
"Add layer" ignores Field Level Security (FLS)
Steps to reproduce:
Expected behavior:
Hide the field throughout Kibana
Screenshots (if relevant):
Errors in browser console (if relevant):
Provide logs and/or server output (if relevant):
Any additional context: