Kibana: RBAC - Phase 3 - Feature Controls
Overview
Phase 3 will implement the ability to hide features within each Space using a Basic license, in addition to defining feature level privileges to grant various levels of access to roles per space.
Space driven feature controls - Basic license
With a basic license, users will be able to hide features within spaces. It is important to note that this is _not_ a security feature, but instead a usability feature. This will allow users to customize each space to fit their needs, by hidings links and other functionality.
By default, all features are visible for every space. Hiding a feature is an opt-in decision. By extension, any new features that are added to Kibana will be visible by default, until they are explicitly hidden within a space. This allows new features to still be easily discovered when upgrading, and it reinforces the fact that this is _not_ a security feature.
Sample Screenshot
Security driven feature privileges - Standard/Gold/Platinum license
Once security is enabled, we will provide additional controls to actually secure access to specific features in Kibana. These controls will work regardless of whether Spaces are in use or not. Not only will this control the visibility of features in the UI, but it will also secure the Kibana API endpoints and prevent application bundles from being accessed.
With Spaces
When spaces are enabled, the Role Management screen will allow users to specify which features users are allowed to access within each space. Since each Space also controls the visibility of features, this will have additional logic to determine when a feature is shown/hidden. Configuring this does not preclude users from later disabling Spaces.
| Space Config | Role Config | Result |
| ------------ | ----------- | ------ |
| Feature Hidden | Feature Disabled | Feature not available |
| Feature Hidden | Feature Enabled | Feature not available |
| Feature Visible | Feature Disabled | Feature not available |
| Feature Visible | Feature Enabled | Feature available |
Users will be able to configure access via a UI similar to the following.
Without Spaces
When spaces are disabled, the Role Management screen will allow users to specify which features users are allowed to access within Kibana. Configuring this does not preclude users from later enabling Spaces.
Stack applications with custom privilege model
There are existing applications that implement their own privileges model that require the user to be explicitly granted various cluster and index privileges via a reserved role, which will not be able to be disabled using the security driven feature controls. Currently, there are two notable applications in this category: Machine Learning and Monitoring.
The access to these applications will continue to be driven by the reserved roles. We will be augmenting these reserved role definitions with the necessary changes, described more in-depth below, so that when the user is assigned the proper reserved role the application will be visible within Kibana. Prior to the introduction of Feature Controls, these applications have always been visible within Kibana, even if the user doesn't have the necessary privileges.
Technical Details
This phase builds rather heavily upon the RBAC - Phase 1 and RBAC - Phase 2 - Spaces infrastructure. The basis of which relies on the ability to assign Kibana specific privileges using Elasticsearch's application privileges which are then enforced by Kibana's server before granting the user access.
Privileges
The following is a list of privileges that will exist after this phase. Prior to this phase, we've only had base privileges, which allow users to assign access to all current and future features. This phase will be adding the feature privileges, which grant access to individual features.
Base Privileges
- all
- read
Feature Privileges
- Discover
- all
- read
- Visualize
- all
- read
- Dashboard
- all
- read
- Dev Tools
- all
- read
- Advanced Settings
- all
- read
- Index Patterns
- all
- read
- Timelion
- all
- read
- Graph
- all
- read
- Maps
- all
- read
- Canvas
- all
- read
- Infrastructure
- all
- read
- Logs
- all
- read
- Uptime
- all
- read
Actions
Each of these privileges will be associated with a set of actions per the ES application privileges.
The following is an example of the actions that are associated with Discover's all privilege:
[
"login:",
"version:7.0.0-alpha1",
"app:kibana",
"saved_object:search/bulk_get",
"saved_object:search/get",
"saved_object:search/find",
"saved_object:search/create",
"saved_object:search/bulk_create",
"saved_object:search/update",
"saved_object:search/delete",
"saved_object:config/bulk_get",
"saved_object:config/get",
"saved_object:config/find",
"saved_object:index-pattern/bulk_get",
"saved_object:index-pattern/get",
"saved_object:index-pattern/find",
"ui:catalogue/discover",
"ui:discover/show",
"ui:discover/save"
"ui:navLinks/kibana:discover",
]
Each of these actions corresponds to a specific authorization check which will be performed. For example, to determine whether the user is able to "find" a saved object of type "search", we check whether the user has the saved_object:search/find action, prior to permitting the user to perform the find operation. There are also actions for granting access to Kibana applications, APIs and various UI capabilities.
The relationship between privileges and actions allows us the flexibility to adjust the internal subsystems and their authorization checks while effectively granting the user the same functionality.
Plugin Extensibility
During a Kibana plugin's init lifecycle event, the plugin must register their feature to opt-in to Feature Controls. If a plugin does not opt-in to Feature Controls, their application will always be visible in the nav bar; however, they will not be granted authorization to any of the internal Kibana subsystems, such as Saved Objects.
The following is an example of registering a feature:
server.plugins.xpack_main.registerFeature({
id: 'foo',
name: 'Foo feature',
icon: 'fooApp',
navLinkId: 'foo',
app: ['foo', 'kibana'],
catalogue: ['foo'],
management: {
kibana: ['foo'],
},
privileges: {
all: {
api: ['foo/execute'],
savedObject: {
all: ['foo'],
read: ['config', 'index-pattern'],
},
ui: ['delete', 'save', 'show'],
},
read: {
savedObject: {
all: [],
read: ['config', 'index-pattern', 'graph-workspace'],
},
ui: ['show'],
}
}
});
Dissecting the aforementioned feature registration, there are a few important things to note. Everything that is declared outside of the privileges subsection is used for both spaces driven feature controls and security driven feature privileges. When a feature is hidden using Spaces driven feature controls, we hide the navlink, application, catalogue entry and management section.
The privileges subsection allows the plugin author to determine the access to various subsystems when the user is assigned the feature specific all or read privileges, and also using the base all and read privileges. Everything that is declared outside the privileges subsection implicitly cascades into the privileges themselves. However, the app, catalogue and management sections are override-able at the privilege definition itself. There are additional items which are only used by the security driven feature privileges, which can only be specified as part of a privilege itself. These include authorized APIs, saved object types, and specific UI capabilities.
UI Capabilities
UI Capabilities are used for determining which capabilities should be enabled in the UI based on the Spaces disabled features and the user's privileges. When a feature is disabled using Spaces, all UI capabilities that are associated with that specific feature are disabled. Using the security driven feature privileges, different UI capabilities can be enabled or disabled based on the specific privilege.
Consuming UI Capabilities
To determine whether a specific UI capability is enabled, consumers can import uiCapabilities from ui/capabilities like the following to determine whether to render or disable specific funtionality:
import { uiCapabilities } from 'ui/capabilities';
const canSave = uiCapabilities.discover.save;
Registering UI Capabilities
Plugins in OSS which are driven by UI Capabilities must specify their full-list of capabilities within injectDefaultVars. The following illustrates the Timelion plugin doing so:
injectDefaultVars() {
return {
uiCapabilities: {
timelion: {
save: true,
}
}
};
},
This allows the OSS plugins to always check to determine whether they should be enabling the "save" capabilities.
If a plugin is within the x-pack plugin, we can take advantage of the aforementioned feature registration to automatically determine the UI capabilities based on the privileges, so this manual step in injectDefaultVars can be skipped.
Disabling UI Capabilites
Both the Spaces plugin and the Security plugin take advantage of the replaceInjectedVars lifecycle event to disable certain capabilities based on the disabled set of features for the Space, or based on the user's security privileges.
kobelb
All 37 comments
For those following this Issue, I edited the description to flesh out the privileges that will be added, and began to elaborate upon the technical implementation.
kobelb
on 18 Jul 2018
/cc @AlonaNadler @jinmu03
kobelb
on 18 Jul 2018
@kobelb I wonder what about privileges about reporting? These are not in the above list, but I think it makes sense (also see #24464 for a use-case), to give reporting it's own privileges so it can be configured on a per user basis.
timroes
on 24 Oct 2018
@timroes I think it definitely makes sense to move Reporting to this new model; however, we were considering it "out of scope" for the initial implementation, with the hope of working with the app team to move it over to the new granular privileges once we have the sufficient basis to do so.
kobelb
on 24 Oct 2018
@kobelb I know we talked about it in the past, and expecting users will have more granular requests for privileges within each app. There are couple services that will be available across Kibana such as alerting, reporting and maybe more in the future, these will be available in multiple locations in Kibana including within the solutions. Should we open a new issue for services privileges across applications?
AlonaNadler
on 25 Oct 2018
@AlonaNadler sure, opening separate issues for the features/applications that we'd like to be secured long-term that are currently out of scope for this phase would be great.
kobelb
on 25 Oct 2018
For those following along, the description has been updated with the extension of this feature set to the basic license.
kobelb
on 30 Oct 2018
will this feature be implemented by version 6.5 ? if not, when is it implemented?
our company use enterprise version now, but in our situation the privilege management of Kibana doesn't cope with our regulation.
DoubleAix
on 6 Nov 2018
@DoubleAix, Granular Application Privileges will not be available for 6.5. 6.5 introduces Spaces, which gives you a way to organize your saved objects, and control who has access to each space within Kibana.
Spaces was a prerequisite to implementing granular app privileges. While we can't comment on a specific release date, we have started working on this feature, so you should expect to see it in the near future! Keep an eye out on this issue if you'd like to follow along
legrego
on 6 Nov 2018
Will the "no access" privilege be an option for all of the applications? We have a use case where we may only want a group of users to only dashboards and discover.
I'm sure others would have a similar use case with various groupings.
wirecutter313
on 29 Nov 2018
Will the "no access" privilege be an option for all of the applications? We have a use case where we may only want a group of users to only dashboards and discover.
Yup, you'll be able to only grant access to those 2 applications.
kobelb
on 29 Nov 2018
First, Granular Application Privileges will be great and very useful!
Then, I think there are more privileges to add :
- timelion_all
- timelion_read
- timelion_share
- ml_all
- ml_read
- infrastructure_all
- logs_all
- apm_all
- apm_read
- monitoring_all
- monitoring_read
- manage_reporting_all
- manage_reporting_read
- manage_watcher_all
- manage_license_all
fbaligand
on 4 Dec 2018
Hey @fbaligand, I'm glad you'll find this useful! The privilege list in the issue was a bit out of date; I've just updated it to reflect our current plan.
Regarding your list, we will be offering support for Timelion, ML, Infra/Logs, APM, and Monitoring*. Reporting, Watcher, and License Management are not currently in scope for the initial release, but if that changes, we'll update this issue.
- The items I've marked with an asterix will just be an "all or nothing" approach, which will only determine if the application will be visible in Kibana. It won't control access to the features within those applications, since those are not governed by Kibana, but rather by Elasticsearch cluster/index privileges. For example, Machine Learning requires the
manage_mlCluster Privilege in order to work.
legrego
on 4 Dec 2018
Thanks for the description update!
Nice to see all these items added!
Then, I think it would be fine to be able to hide « Management » tab. This is particularly useful for business users.
But maybe a nice way to do this is to disable manage* privileges and so Kibana does not display Management tab.
What do you think about the way to achieve « Management » tab display/hide?
fbaligand
on 4 Dec 2018
Then, I think it would be fine to be able to hide « Management » tab. This is particularly useful for business users.
But maybe a nice way to do this is to disable manage* privileges and so Kibana does not display Management tab.
What do you think about the way to achieve « Management » tab display/hide?
We completely agree and are working through a few options that we have in regard to the manner in which we'd like the Management tab to behave with this functionality.
kobelb
on 6 Dec 2018
Nice!
fbaligand
on 6 Dec 2018
The description has been updated to reflect the potential to ship the spaces driven feature controls separately from the security driven feature privileges. Additionally, we're now referring to this group of functionality as "feature controls" since they're no longer specifically tied to application or privileges. We also have decided to provide an extensible mechanism to allow applications/plugins to register their own features and optionally their own privileges.
kobelb
on 3 Jan 2019
The privileges list looks great!
Just few questions:
- does “discovery_all” means right to create a saved search ? To share a discover view ?
- I’m sad to see there is no reporting_read and reporting_all in the list.
fbaligand
on 3 Jan 2019
does “discovery_all” means right to create a saved search ? To share a discover view ?
It does, and it will allow the user to "share" it. More granular privileges will be added in subsequent phases.
I’m sad to see there is no reporting_read and reporting_all in the list.
Yeah... it's another subsequent phases item, as reporting uses it's own security model at the moment.
kobelb
on 4 Jan 2019
Canvas has been loading each workbook twice, which roughly doubles the workbook specific part of the loading latency, which is what scales with the workbook size and element contents ie. it'd be great to avoid it at all cost. As this issue has been open for some time, I'm wondering if it's possible to point out merged PRs or expedite some initial PR that'd allow Canvas bypass the need for duplicated workbook loading.
monfera
on 28 Jan 2019
@monfera it's not immediately obvious how your concerns are related to this issue, would you mind elaborating?
kobelb
on 28 Jan 2019
@kobelb unfortunately I don't have more info than answers from @cqliu1 and @w33ble subsequent to me asking why we're loading twice, at my link above.
Catherine wrote this:
We don't have a better way to check if a user has write permissions until granular app permissions goes into security
I haven't looked it enough to know why that is, or if there are workaround possibilities, assuming the solution for this issue is still some ways off.
monfera
on 28 Jan 2019
@monfera I have a WIP here for this: https://github.com/elastic/kibana/pull/29264
legrego
on 28 Jan 2019
Wow looks super promising, thanks @legrego!!!
monfera
on 29 Jan 2019
/cc @sophiec20 I'll be updating this issue with more details about how APM/Monitoring/ML will behave in this model a little later today
kobelb
on 14 Feb 2019
I’m very interested by this feature!
Particularly to limit Kibana applications visible to business clients.
Will this feature be available in Kibana 6.7 ?
fbaligand
on 14 Feb 2019
Will this feature be available in Kibana 6.7 ?
It will not, it's our primary focus at this point, but it missed the 6.7 release.
kobelb
on 14 Feb 2019
Ah, sad to hear this :(
So I guess it is planned for 7.0 release?
fbaligand
on 14 Feb 2019
Sadly I guess this missed the 7.0 release as well?
Here's hoping for 7.1.
cpmoore
on 12 Apr 2019
Ya kinda the one thing I was looking forward to. This and the Dark Theme.
wirecutter313
on 12 Apr 2019
when will this be released? i need those features đź‘Ť
nunosilvaaa
on 21 May 2019
@nunosilvaaa 7.2
kobelb
on 21 May 2019
@nunosilvaaa 7.2
thanks :)
nunosilvaaa
on 21 May 2019
I can't wait for this feature!
gabrielcalderon
on 30 May 2019
is there an ETA for this release?
nunosilvaaa
on 30 May 2019
@nunosilvaaa there is not at the moment. Given the nature of software development, unexpected delays are incredibly common. I'd recommend keeping an eye on our blog for the release announcement https://www.elastic.co/blog/
kobelb
on 30 May 2019
This is part of the 7.2 release.
kobelb
on 19 Jun 2019
Related issues
bhavyarm
·
3Comments
cafuego
·
3Comments
Ginja
·
3Comments
timroes
·
3Comments
spalger
·
3Comments
Most helpful comment
For those following this Issue, I edited the description to flesh out the privileges that will be added, and began to elaborate upon the technical implementation.