-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expose ability to deny ('except') access to fields via FLS #26472
Conversation
Pinging @elastic/kibana-security |
cc @cchaos / @AlonaNadler - no rush on this, I just wanted to make you aware of the proposed UI change, if you have any feedback. |
💔 Build Failed |
💚 Build Succeeded |
My only worry is that those fields may be unnecessarily squished now by adding a fourth field to that row. May want to consider moving the form to a flyout and displaying a summary in the page. |
@legrego is this a new ES capability or a way to ease the UI for FLS? |
@cchaos I agree it is a bit squished right now. Moving to a flyout is doable, but I'm worried what that might look like for users without DLS/FLS enabled. If DLS/FLS is not enabled, then then all users will see is the We could conditionally do the flyout only if DLS/FLS is enabled, but then the documentation/screenshots for this screen might look inconsistent for some users who don't have the same feature set enabled. @AlonaNadler this isn't new functionality - it's existed in ES for quite a while, but the Kibana UI was never updated to support it. I'm not sure when ES first introduced this, but the issue for the Kibana UI has been opened since February 2018. |
@legrego So the optional fields in that line only show for a particular group of people? How about, then, if we add another toggle above the current one that is something like "Grant granular privileges to fields" and when toggled on will show those two fields below. |
Yep, they are only available with a Platinum license.
I like this approach. I'll give it a shot and post a screenshot so we can all see what it looks like. |
…a into security/fls-except-fields
I updated the screenshots above to reflect @cchaos's suggestions. The FLS fields are now hidden behind a toggle, consistent with the DLS fields. |
💔 Build Failed |
💔 Build Failed |
💔 Build Failed |
💚 Build Succeeded |
💔 Build Failed |
💚 Build Succeeded |
…6472) * expose ability to deny ('except') access to fields via FLS * expose ability to deny ('except') access to fields via FLS * Moves FLS fields behind a switch to be consistent with DLS fields * remove unused import * fix security page object * remove unused code * remove unused translations
…6472) * expose ability to deny ('except') access to fields via FLS * expose ability to deny ('except') access to fields via FLS * Moves FLS fields behind a switch to be consistent with DLS fields * remove unused import * fix security page object * remove unused code * remove unused translations
Summary
This adds a "Denied Fields" input control to the Index Privileges section of the Role Management screen. This allows users to specify fields which should be denied access via FLS.
This does not implement any new security controls, but rather exposes the existing
field_security.except
functionality of the ES Roles API.Fixes #17951
Proposed UI
i18n test
TODO
"Release note: Deny access to specific fields using Field-Level Security. This was always available via the Elasticsearch APIs, but was missing from Kibana's Role Management UI"