Kibana: "Add layer" ignores Field Level Security (FLS) rules

Created on 2 Apr 2019 · 8 Comments · Source: elastic/kibana

Kibana version: 6.7.0

Elasticsearch version: 6.7.0

Server OS version: ESS

Browser version: Chrome

Browser OS version: OSX

Original install method (e.g. download page, yum, from source, etc.): ESS

Describe the bug:
"Add layer" ignores Field Level Security (FLS)

Steps to reproduce:

  1. Use FLS to make a geo field inaccessible for a user
  2. Although the field is invisible in Discover (as it should be), it is visible in Add layer in Maps.

Expected behavior:
Hide the field throughout Kibana

Screenshots (if relevant):
Screenshot 2019-04-02 at 09 56 39
Screenshot 2019-04-02 at 09 56 24

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:

Geo Security bug

All 8 comments

Pinging @elastic/kibana-gis

Pinging @elastic/kibana-app

The Maps application obtains the list of fields from Kibana's index-pattern saved object. The field list will contain the fields available to the user at the time the index-pattern saved object is created. Elasticsearch will prevent the user from actually seeing those fields' values if they aren't authorized to do so when viewing the map. The only thing exposed is the field name.

This is an issue that is not unique to the Maps application. For example, Visualizations use index-pattern saved objects to show users the list of available fields for aggregations.

Discover does not use the index-pattern saved object. Instead, Discover queries for the first 500 matches and compiles the field list from the retrieved documents.

Pinging @elastic/kibana-security

It would be more in line with best practices, I believe, if non-accessible fields were hidden altogether throughout all UIs/APIs of the Stack.

https://github.com/elastic/kibana/issues/8192 was initially opened all the way back in 2.4/4.6, and I initially closed it because it appeared to be working as designed. In retrospect, that was foolish and it's something we should look into addressing. I've re-opened #8192, and would prefer to use that issue to track this limitation, as it does apply to all consumers of index patterns, including "traditional visualizations", maps and others.

Sounds fine to me

Thanks for reporting this @loekvangool!
