elastic · afharo · Mar 7, 2022 · Feb 23, 2022 · Feb 23, 2022 · Feb 23, 2022
@@ -8,6 +8,6 @@
   "server": true,
   "ui": true,
   "requiredPlugins": ["dataViews", "share", "urlForwarding"],
-  "optionalPlugins": ["usageCollection", "telemetry", "customIntegrations"],
+  "optionalPlugins": ["usageCollection", "customIntegrations"],
   "requiredBundles": ["kibanaReact"]
 }
@@ -8,6 +8,7 @@
   "server": true,
   "ui": true,
   "requiredPlugins": ["telemetryCollectionManager", "usageCollection", "screenshotMode"],
+  "optionalPlugins": ["security"],
   "extraPublicDirs": ["common/constants"],
   "requiredBundles": ["kibanaUtils", "kibanaReact"]
 }
@@ -23,6 +23,7 @@ import type {
   Plugin,
   Logger,
 } from 'src/core/server';
+import type { SecurityPluginStart } from '../../../../x-pack/plugins/security/server';
 import { SavedObjectsClient } from '../../../core/server';
 import { registerRoutes } from './routes';
 import { registerCollection } from './telemetry_collection';
@@ -42,6 +43,7 @@ interface TelemetryPluginsDepsSetup {
 
 interface TelemetryPluginsDepsStart {
   telemetryCollectionManager: TelemetryCollectionManagerPluginStart;
+  security?: SecurityPluginStart;
 }
 
 /**
@@ -90,6 +92,8 @@ export class TelemetryPlugin implements Plugin<TelemetryPluginSetup, TelemetryPl
    */
   private savedObjectsInternalClient$ = new ReplaySubject<SavedObjectsClient>(1);
 
+  private security?: SecurityPluginStart;
+
   constructor(initializerContext: PluginInitializerContext<TelemetryConfigType>) {
     this.logger = initializerContext.logger.get();
     this.isDev = initializerContext.env.mode.dev;
@@ -119,6 +123,7 @@ export class TelemetryPlugin implements Plugin<TelemetryPluginSetup, TelemetryPl
       router,
       telemetryCollectionManager,
       savedObjectsInternalClient$: this.savedObjectsInternalClient$,
+      getSecurity: () => this.security,
     });
 
     this.registerMappings((opts) => savedObjects.registerType(opts));
@@ -137,11 +142,17 @@ export class TelemetryPlugin implements Plugin<TelemetryPluginSetup, TelemetryPl
     };
   }
 
-  public start(core: CoreStart, { telemetryCollectionManager }: TelemetryPluginsDepsStart) {
+  public start(
+    core: CoreStart,
+    { telemetryCollectionManager, security }: TelemetryPluginsDepsStart
+  ) {
     const { savedObjects } = core;
     const savedObjectsInternalRepository = savedObjects.createInternalRepository();
     this.savedObjectsInternalRepository = savedObjectsInternalRepository;
     this.savedObjectsInternalClient$.next(new SavedObjectsClient(savedObjectsInternalRepository));
+
+    this.security = security;
+
     this.startFetcher(core, telemetryCollectionManager);
 
     return {

@@ -10,7 +10,7 @@ import type { Observable } from 'rxjs';
 import type { IRouter, Logger, SavedObjectsClient } from 'kibana/server';
 import type { TelemetryCollectionManagerPluginSetup } from 'src/plugins/telemetry_collection_manager/server';
 import { registerTelemetryOptInRoutes } from './telemetry_opt_in';
-import { registerTelemetryUsageStatsRoutes } from './telemetry_usage_stats';
+import { registerTelemetryUsageStatsRoutes, SecurityGetter } from './telemetry_usage_stats';
 import { registerTelemetryOptInStatsRoutes } from './telemetry_opt_in_stats';
 import { registerTelemetryUserHasSeenNotice } from './telemetry_user_has_seen_notice';
 import type { TelemetryConfigType } from '../config';
@@ -24,12 +24,14 @@ interface RegisterRoutesParams {
   router: IRouter;
   telemetryCollectionManager: TelemetryCollectionManagerPluginSetup;
   savedObjectsInternalClient$: Observable<SavedObjectsClient>;
+  getSecurity: SecurityGetter;
 }
 
 export function registerRoutes(options: RegisterRoutesParams) {
-  const { isDev, telemetryCollectionManager, router, savedObjectsInternalClient$ } = options;
+  const { isDev, telemetryCollectionManager, router, savedObjectsInternalClient$, getSecurity } =
+    options;
   registerTelemetryOptInRoutes(options);
-  registerTelemetryUsageStatsRoutes(router, telemetryCollectionManager, isDev);
+  registerTelemetryUsageStatsRoutes(router, telemetryCollectionManager, isDev, getSecurity);
   registerTelemetryOptInStatsRoutes(router, telemetryCollectionManager);
   registerTelemetryUserHasSeenNotice(router);
   registerTelemetryLastReported(router, savedObjectsInternalClient$);

@@ -12,11 +12,15 @@ import {
   TelemetryCollectionManagerPluginSetup,
   StatsGetterConfig,
 } from 'src/plugins/telemetry_collection_manager/server';
+import type { SecurityPluginStart } from '../../../../../x-pack/plugins/security/server';
+
+export type SecurityGetter = () => SecurityPluginStart | undefined;
 
 export function registerTelemetryUsageStatsRoutes(
   router: IRouter,
   telemetryCollectionManager: TelemetryCollectionManagerPluginSetup,
-  isDev: boolean
+  isDev: boolean,
+  getSecurity: SecurityGetter
 ) {
   router.post(
     {
@@ -31,9 +35,18 @@ export function registerTelemetryUsageStatsRoutes(
     async (context, req, res) => {
       const { unencrypted, refreshCache } = req.body;
 
+      const security = getSecurity();
+      if (security) {
+        const hasEnoughPrivileges = await security.authz
+          .checkPrivilegesWithRequest(req)
+          .globally({ kibana: 'decryptedTelemetry' });
+        if (!hasEnoughPrivileges) {
+          return res.forbidden();
+        }
+      }
+
       try {
         const statsConfig: StatsGetterConfig = {
-          request: req,
           unencrypted,
           refreshCache: unencrypted || refreshCache,
         };

@@ -21,6 +21,7 @@
     { "path": "../../plugins/kibana_utils/tsconfig.json" },
     { "path": "../../plugins/screenshot_mode/tsconfig.json" },
     { "path": "../../plugins/telemetry_collection_manager/tsconfig.json" },
-    { "path": "../../plugins/usage_collection/tsconfig.json" }
+    { "path": "../../plugins/usage_collection/tsconfig.json" },
+    { "path": "../../../x-pack/plugins/security/tsconfig.json" }
   ]
 }
@@ -126,11 +126,10 @@ export class TelemetryCollectionManagerPlugin
     const esClient = this.getElasticsearchClient(config);
     const soClient = this.getSavedObjectsClient(config);
     // Provide the kibanaRequest so opted-in plugins can scope their custom clients only if the request is not encrypted
-    const kibanaRequest = config.unencrypted ? config.request : void 0;
     const refreshCache = config.unencrypted ? true : !!config.refreshCache;
 
     if (esClient && soClient) {
-      return { usageCollection, esClient, soClient, kibanaRequest, refreshCache };
+      return { usageCollection, esClient, soClient, refreshCache };
     }
   }
 
@@ -142,9 +141,7 @@ export class TelemetryCollectionManagerPlugin
    * @private
    */
   private getElasticsearchClient(config: StatsGetterConfig): ElasticsearchClient | undefined {
-    return config.unencrypted
-      ? this.elasticsearchClient?.asScoped(config.request).asCurrentUser
-      : this.elasticsearchClient?.asInternalUser;
+    return this.elasticsearchClient?.asInternalUser;
   }
 
   /**
@@ -155,11 +152,7 @@ export class TelemetryCollectionManagerPlugin
    * @private
    */
   private getSavedObjectsClient(config: StatsGetterConfig): SavedObjectsClientContract | undefined {
-    if (config.unencrypted) {
-      // Intentionally using the scoped client here to make use of all the security wrappers.
-      // It also returns spaces-scoped telemetry.
-      return this.savedObjectsService?.getScopedClient(config.request);
-    } else if (this.savedObjectsService) {
+    if (this.savedObjectsService) {
       // Wrapping the internalRepository with the `TelemetrySavedObjectsClient`
       // to ensure some best practices when collecting "all the telemetry"
       // (i.e.: `.find` requests should query all spaces)

@@ -6,14 +6,9 @@
  * Side Public License, v 1.
  */
 
-import {
-  ElasticsearchClient,
-  Logger,
-  KibanaRequest,
-  SavedObjectsClientContract,
-} from 'src/core/server';
-import { UsageCollectionSetup } from 'src/plugins/usage_collection/server';
-import { TelemetryCollectionManagerPlugin } from './plugin';
+import type { ElasticsearchClient, Logger, SavedObjectsClientContract } from 'src/core/server';
+import type { UsageCollectionSetup } from 'src/plugins/usage_collection/server';
+import type { TelemetryCollectionManagerPlugin } from './plugin';
 
 export interface TelemetryCollectionManagerPluginSetup {
   setCollectionStrategy: <T extends BasicStatsPayload>(
@@ -36,7 +31,6 @@ export interface TelemetryOptInStats {
 export interface BaseStatsGetterConfig {
   unencrypted: boolean;
   refreshCache?: boolean;
-  request?: KibanaRequest;
 }
 
 export interface EncryptedStatsGetterConfig extends BaseStatsGetterConfig {
@@ -45,7 +39,6 @@ export interface EncryptedStatsGetterConfig extends BaseStatsGetterConfig {
 
 export interface UnencryptedStatsGetterConfig extends BaseStatsGetterConfig {
   unencrypted: true;
-  request: KibanaRequest;
 }
 
 export interface ClusterDetails {
@@ -56,7 +49,6 @@ export interface StatsCollectionConfig {
   usageCollection: UsageCollectionSetup;
   esClient: ElasticsearchClient;
   soClient: SavedObjectsClientContract;
-  kibanaRequest: KibanaRequest | undefined; // intentionally `| undefined` to enforce providing the parameter
   refreshCache: boolean;
 }