Index Pattern UI - remove _remote/info query #27345
Conversation
mattkime
added
the
Team:Visualizations
|
Pinging @elastic/kibana-app |
mattkime
added
the
Team:Security
|
Pinging @elastic/kibana-security |
mattkime
added
bug
|
Which privilege is necessary to use this endpoint? Are we sure that the kibana server user will have this? |
|
@kobelb We can expect the user to have
Uh, worked for me. But perhaps you know of a more rigorous method of determining the answer. |
💚 Build Succeeded |
We can't assume that users will have the Based on my testing, it appears that the |
What privileges can we assume a basic user will have? |
Thanks for researching this Larry. So, at this point we're in a situation where the greatest risk to using callWithInternalUser is potentially informing a user indirectly of the existence of a remote cluster, which they wouldn't have permission to see otherwise. How important is changing the UI to denote this situation?
We should be assuming that users with access to Kibana only have access to Kibana using the ES application privileges: https://www.elastic.co/guide/en/elastic-stack-overview/6.5/security-privileges.html#application-privileges These do not grant them any additional access to ES APIs, and only indirectly grant them access to Kibana which Kibana enforces. |
|
It's possible that a Kibana end user will only have Kibana application privileges defined. It's technically possible for a user to access Kibana without any cluster or index privileges, although it'd be of limited use. Users will typically have Kibana application privileges, and then privileges to their own data indices (not necessarily system indices). Certain cluster/index privileges are required to enable certain features within Kibana, but they aren't required to use Kibana in general. |
|
@mattkime, the following might be helpful: https://www.elastic.co/guide/en/kibana/current/development-security.html |
|
I'm going to discuss this with design. The design does not lend itself to 'we don't have access to determine if you have any indexes' |
mattkime
changed the title
|
Refactored to only use search api. @kobelb might be interested |
💚 Build Succeeded |
💔 Build Failed |
💔 Build Failed |
There was a problem hiding this comment.
Works for me.
I tested by copying the file /src/legacy/core_plugins/kibana/public/management/sections/index_patterns/create_index_pattern_wizard/create_index_pattern_wizard.js from this PR to my 7.0.0-alpha2 install, removed everything from my optimize directory and restarted Kibana.
Now as the same user as originally described in the issue, I can create index patterns (both local and cross cluster) without the error. So I think this fix is good.
There is a different problem in this same area but I don't think this PR caused it or fixes it. The problem is if a normal kibana_user enters something like logstash- and removes the trailing *, then Kibana just churns and churns on Looking for matching indices
While the console shows;
Detected an unhandled Promise rejection.
[security_exception] action [indices:admin/shards/search_shards] is unauthorized for user [power] :: {"path":"/*%3Am/_search","query":{},"body":"{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":200}}}}","statusCode":403,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [indices:admin/shards/search_shards] is unauthorized for user [power]\"}],\"type\":\"security_exception\",\"reason\":\"action [indices:admin/shards/search_shards] is unauthorized for user [power]\"},\"status\":403}"}
vendors.bundle.dll.js:95 Uncaught (in promise) StatusCodeError {status: 403, displayName: "AuthorizationException", message: "[security_exception] action [indices:admin/shards/search_shards] is unauthorized for user [power]", path: "/*%3Am/_search", query: {…}, …}
step @ kibana.bundle.js:2
(anonymous) @ kibana.bundle.js:2
Promise.then (async)
step @ kibana.bundle.js:2
(anonymous) @ kibana.bundle.js:2
(anonymous) @ kibana.bundle.js:2
fetchIndices @ kibana.bundle.js:2
onQueryChanged @ kibana.bundle.js:2
ka @ vendors.bundle.dll.js:203
invokeGuardedCallback @ vendors.bundle.dll.js:203
invokeGuardedCallbackAndCatchFirstError @ vendors.bundle.dll.js:203
Fa @ vendors.bundle.dll.js:203
Ja @ vendors.bundle.dll.js:203
La @ vendors.bundle.dll.js:203
Ha @ vendors.bundle.dll.js:203
Oa @ vendors.bundle.dll.js:203
Pa @ vendors.bundle.dll.js:203
Td @ vendors.bundle.dll.js:203
batchedUpdates @ vendors.bundle.dll.js:203
dc @ vendors.bundle.dll.js:203
Xd @ vendors.bundle.dll.js:203
interactiveUpdates @ vendors.bundle.dll.js:203
Wd @ vendors.bundle.dll.js:203
VM6529:1 POST https://localhost:5601/elasticsearch/*%3Ama/_search 403 (Forbidden)
I'm not sure when this issue was introduced. I'll try to figure that out and file an issue on it.
💚 Build Succeeded |
| @@ -46,6 +46,7 @@ export async function getIndices(es, indexPatternCreationType, rawPattern, limit | |||
| } | |||
|
|
|||
| const params = { | |||
| ignoreUnavailable: true, | |||
There was a problem hiding this comment.
This addresses @LeeDr 's concern #27345 (review)
Requests without wildcards that failed to match were returning 500 errors. It seems that they should be returning 404 errors but its easier to apply this fix than track that down.
Its an unrelated bug but I thought I might as well address it here.
There was a problem hiding this comment.
same issue is described here - #27218
💔 Build Failed |
|
darn pie chart test! retest |
|
jenkins test this |
💚 Build Succeeded |
There was a problem hiding this comment.
Code LGTM. Added two low-priority comments, but nothing that should block this from being merged.
I haven't yet been able to test locally, but since @LeeDr already has, I will approve now so we can get this in.
| } | ||
| this.catchAndWarn( | ||
| // if we get an error from remote cluster query, supply fallback value that allows user entry | ||
| getIndices(services.es, this.indexPatternCreationType, `*:*`, 1), ['a'], clustersFailMsg |
There was a problem hiding this comment.
I'm a little confused by the ['a'] argument to catchAndWarn here... Does it serve a purpose, or is it just an arbitrary placeholder?
There was a problem hiding this comment.
its just a placeholder value. I'll make my comment more specific
| // if we get an error from remote cluster query, supply fallback value that allows user entry | ||
| getIndices(services.es, this.indexPatternCreationType, `*:*`, 1), ['a'], clustersFailMsg | ||
| ).then(remoteIndices => this.setState({ remoteClustersExist: !!remoteIndices.length })); | ||
| }; |
There was a problem hiding this comment.
nit: Any particular reason for changing the async/await in the two queries above back to Promise().then()? vs keeping the same convention, e.g.
const allIndices = await ensureMinimumTime(this.catchAndWarn(...));
this.setState({ allIndices, isInitiallyLoadingIndices: false });
const remoteIndices = await ensureMinimumTime(this.catchAndWarn(...));
this.setState({ remoteClustersExist: !!remoteIndices.length });There was a problem hiding this comment.
Ah, of course. I assume it is because you don’t care about what order those promises are resolved in, so you are letting them run asynchronously.
There was a problem hiding this comment.
@lukeelmers you got it!
…:mattkime/kibana into kibana_user_remote_cluster_index_pattern
💚 Build Succeeded |
* use internal user to query _remote/info * query both * and *:* rather than querying for clusters * Update create_index_pattern_wizard.js * Update create_index_pattern_wizard.js * add a closing curly bracket * fix for failed matches * Update create_index_pattern_wizard.js
* use internal user to query _remote/info * query both * and *:* rather than querying for clusters * Update create_index_pattern_wizard.js * Update create_index_pattern_wizard.js * add a closing curly bracket * fix for failed matches * Update create_index_pattern_wizard.js
* use internal user to query _remote/info * query both * and *:* rather than querying for clusters * Update create_index_pattern_wizard.js * Update create_index_pattern_wizard.js * add a closing curly bracket * fix for failed matches * Update create_index_pattern_wizard.js
* use internal user to query _remote/info * query both * and *:* rather than querying for clusters * Update create_index_pattern_wizard.js * Update create_index_pattern_wizard.js * add a closing curly bracket * fix for failed matches * Update create_index_pattern_wizard.js
* use internal user to query _remote/info * query both * and *:* rather than querying for clusters * Update create_index_pattern_wizard.js * Update create_index_pattern_wizard.js * add a closing curly bracket * fix for failed matches * Update create_index_pattern_wizard.js
Summary
Index Pattern UI - remove
_remote/infoquery and replace with search for*:*which we can also use for determining whether there are remote clustersResolves "kibana_user sees "Failed to load remote clusters" when creating index pattern" - #27093
Checklist
Use
strikethroughsto remove checklist items you don't feel are applicable to this PR.[ ] This was checked for cross-browser compatibility, including a check against IE11[ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support[ ] Documentation was added for features that require explanation or tutorials[ ] Unit or functional tests were updated or added to match the most common scenarios[ ] This was checked for keyboard-only and screenreader accessibilityFor maintainers
[ ] This was checked for breaking API changes and was labeled appropriately[ ] This includes a feature addition or change that requires a release note and was labeled appropriately