Saved-objects authorization more granular than type #47503

Open
kobelb opened this issue Oct 7, 2019 · 3 comments
Labels
enhancement New value added to drive a business result Feature:Security/Authorization Platform Security - Authorization Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
@kobelb
Contributor

kobelb commented Oct 7, 2019

Currently, we authorize users to access saved-objects based on the type and action:


This is potentially limiting for Alerting's use case, and we don't want to have to force Alerting to declare a new saved-object type purely for authorization. There's potential that Alerting, and others, will need to authorize users to access a subset of a saved-object type.

Performing authorization using just the type and action allowed us to write a rather simplistic SavedObjectsClient wrapper. Each of the SavedObjectsClient wrapper methods requires the user to specify the type, so authorization can be performed prior to executing the actual calls to perform the action. If an additional parameter is added to each of the methods to further specify which saved-objects, for example a sub-type, the Security SavedObjectsClient wrapper can continue the current simplistic approach.

However, if the method signatures for the SavedObjectsClient methods are left unchanged and yet the user should only be authorized to access a sub-set of saved-objects, the Security SavedObjectsClient wrapper will have to adopt a different approach. This potentially complicates authorizing access to the find, delete and update actions specifically.
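The two wrapper shapes contrasted in the comment above, as an added example in TypeScript (this is not Kibana's code; `SavedObjectsClient`, `InMemoryClient`, `TypeAuthorizedClient`, `SubsetAuthorizedClient`, `Unauthorized` and the sample alert objects are all invented for the illustration). The first wrapper decides from `(action, type)` alone and so can run its check before every inner call. The second must honour a predicate over the stored object, which forces a read before `get`/`update`/`delete` and a filter after `find`:

```typescript
// Added example, not Kibana's own code. Every name below is hypothetical.

type Action = 'get' | 'find' | 'update' | 'delete';
type Attrs = Record<string, unknown>;
interface SavedObject { id: string; type: string; attributes: Attrs; }

interface SavedObjectsClient {
  get(type: string, id: string): SavedObject | undefined;
  find(type: string): SavedObject[];
  update(type: string, id: string, attrs: Attrs): SavedObject | undefined;
  delete(type: string, id: string): boolean;
}

// Deliberately not an Error subclass so `instanceof` works under any TS target.
class Unauthorized { constructor(public message: string) {} }

// Unwrapped store: no authorization at all, like the raw client a security
// wrapper sits in front of.
class InMemoryClient implements SavedObjectsClient {
  constructor(private objects: SavedObject[]) {}
  get(type: string, id: string) { return this.objects.find(o => o.type === type && o.id === id); }
  find(type: string) { return this.objects.filter(o => o.type === type); }
  update(type: string, id: string, attrs: Attrs) {
    const o = this.get(type, id);
    if (o) o.attributes = { ...o.attributes, ...attrs };
    return o;
  }
  delete(type: string, id: string) {
    const n = this.objects.length;
    this.objects = this.objects.filter(o => !(o.type === type && o.id === id));
    return this.objects.length < n;
  }
}

// Wrapper 1: privilege is a function of (action, type) only. Every method
// receives the type up front, so the check runs before the inner call and
// never has to look at the stored object.
class TypeAuthorizedClient implements SavedObjectsClient {
  constructor(private inner: SavedObjectsClient,
              private allowed: (a: Action, type: string) => boolean) {}
  private check(a: Action, type: string) {
    if (!this.allowed(a, type)) throw new Unauthorized(`${a} ${type}`);
  }
  get(type: string, id: string) { this.check('get', type); return this.inner.get(type, id); }
  find(type: string) { this.check('find', type); return this.inner.find(type); }
  update(type: string, id: string, attrs: Attrs) { this.check('update', type); return this.inner.update(type, id, attrs); }
  delete(type: string, id: string) { this.check('delete', type); return this.inner.delete(type, id); }
}

// Wrapper 2: privilege depends on the object itself (a subset of a type).
// The type alone no longer decides, so get/update/delete read the object
// first and find filters what the inner client returned.
class SubsetAuthorizedClient implements SavedObjectsClient {
  constructor(private inner: SavedObjectsClient,
              private allowed: (a: Action, o: SavedObject) => boolean) {}
  private load(a: Action, type: string, id: string): SavedObject {
    const o = this.inner.get(type, id);
    // "Not found" and "not allowed" are reported identically so a caller
    // cannot use the wrapper to probe for objects outside its subset.
    if (!o || !this.allowed(a, o)) throw new Unauthorized(`${a} ${type}:${id}`);
    return o;
  }
  get(type: string, id: string) { return this.load('get', type, id); }
  find(type: string) { return this.inner.find(type).filter(o => this.allowed('find', o)); }
  update(type: string, id: string, attrs: Attrs) { this.load('update', type, id); return this.inner.update(type, id, attrs); }
  delete(type: string, id: string) { this.load('delete', type, id); return this.inner.delete(type, id); }
}

function denied(fn: () => unknown): boolean {
  try { fn(); return false; } catch (e) { return e instanceof Unauthorized; }
}

// Constructed sample data: two alerts of different alert types and a dashboard.
function sampleObjects(): SavedObject[] {
  return [
    { id: 'a1', type: 'alert', attributes: { alertTypeId: 'threshold', muted: false } },
    { id: 'a2', type: 'alert', attributes: { alertTypeId: 'geo', muted: false } },
    { id: 'd1', type: 'dashboard', attributes: { title: 'ops' } },
  ];
}

// Scenario: a user who should only touch alerts whose alertTypeId is
// "threshold". A type-level privilege can only say "all alerts" or "none".
function demo() {
  const byType = new TypeAuthorizedClient(new InMemoryClient(sampleObjects()),
    (_a, type) => type === 'alert');
  const bySubset = new SubsetAuthorizedClient(new InMemoryClient(sampleObjects()),
    (_a, o) => o.type === 'alert' && o.attributes.alertTypeId === 'threshold');
  return {
    typeFindCount: byType.find('alert').length,            // 2: the geo alert is visible too
    typeDashboardDenied: denied(() => byType.get('dashboard', 'd1')),
    subsetFindIds: bySubset.find('alert').map(o => o.id),  // ['a1']
    subsetGetGeoDenied: denied(() => bySubset.get('alert', 'a2')),
    subsetMuteThreshold: bySubset.update('alert', 'a1', { muted: true })?.attributes.muted,
    subsetDeleteGeoDenied: denied(() => bySubset.delete('alert', 'a2')),
  };
}

console.log(demo());
```

Two caveats apply to the subset wrapper against a real store rather than this in-memory one. Filtering `find` after the fact silently shrinks a page and makes totals wrong, so the predicate should be pushed into the query itself. The read in `load` followed by the inner `update`/`delete` is a check-then-act window; a conditional update or a query-scoped delete closes it, which is exactly the extra work the comment anticipates for find, delete and update.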

@kobelb kobelb added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Oct 7, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@kobelb kobelb added Feature:Security/Authorization Platform Security - Authorization enhancement New value added to drive a business result labels Oct 7, 2019
@kobelb
Contributor Author

kobelb commented Oct 7, 2019

/cc @elastic/kibana-stack-services

@kobelb kobelb added this to Backlog in Security Oct 11, 2019
@kobelb kobelb moved this from Backlog to Analysis in Security Oct 15, 2019
@kobelb kobelb changed the title Saved-objects authorization more granular than type and method Saved-objects authorization more granular than saved-object type Oct 21, 2019
@kobelb kobelb changed the title Saved-objects authorization more granular than saved-object type Saved-objects authorization more granular than type Oct 21, 2019
@kobelb kobelb moved this from Analysis to Scheduled in Security Nov 14, 2019
@kobelb
Contributor Author

kobelb commented Dec 12, 2019

The primary motivation for this was Alerting, which we explored in this proof of concept. However, we realized that trying to force Alerting to abide by the saved-objects authorization model was limiting when it comes to preventing specific operations which don't fall within standard CRUD-based operations, for example the privileges allowing one to mute an alert of a specific type. At the moment, we've decided to have Alerting authorize its own operations within its AlertsClient and utilize its own authorization model.

@kobelb kobelb moved this from Scheduled to Backlog in Security Dec 12, 2019
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Aug 5, 2021
@legrego legrego removed EnableJiraSync loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 18, 2022