Add get-user-privileges API #33928
Merged
Add get-user-privileges API #33928
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This API is intended as a companion to the _has_privileges API. It returns the list of privileges that are held by the current user. This information is difficult to reason about, and consumers should avoid making direct security decisions based solely on this data. For example, each of the following index privileges (as well as many more) would grant a user access to index a new document into the "metrics-2018-08-30" index, but clients should not try and deduce that information from this API. - "all" on "*" - "all" on "metrics-*" - "write" on "metrics-2018-*" - "write" on "metrics-2018-08-30" Rather, if a client wished to know if a user had "index" access to _any_ index, it would be possible to use this API to determine whether the user has any index privileges, and on which index patterns, and then feed those index patterns into _has_privileges in order to determine whether the "index" privilege had been granted. The result JSON is modelled on the Role API, with a few small changes to reflect how privileges are modelled when multiple roles are merged together (multiple DLS queries, multiple FLS grants, multiple global conditions, etc).
tvernum
added
>feature
review
v7.0.0
:Security/Authorization
|
Pinging @elastic/es-security |
|
FYI: @kobelb |
|
To be handled in separate PRs:
|
|
@kobelb In 6.4, this happens: The privileges
The I've fixed that in this PR, so that on this branch we get which is what you expect.
I don't think that will cause you any issues, but I want to highlight it in advance. What I've just discovered (and will fix) is that this means that |
|
@tvernum in 6.4, we're only checking whether the user has specific actions and we aren't checking whether they have specific privileges, is it safe to assume that this same behavior that you've noticed doesn't exist in those scenarios? |
|
@kobelb That's correct. Checking for raw actions is not affected by this change. |
|
Are we still on track for this to land in 6.5? We'd ideally like to switch to this within 6.5 or else we'll be relying on a rather unperformant alternative. |
|
Ping @jaymode @albertzaharovits -- Any chance of a review? |
| XPackLicenseState licenseState) { | ||
| super(settings, licenseState); | ||
| this.securityContext = securityContext; | ||
| controller.registerHandler(GET, "/_xpack/security/user/{username}/_privileges", this); |
There was a problem hiding this comment.
Is this handler necessary? Isn't the /_xpack/security/user/_privileges enough given this is a SAME_USER_PRIVILEGE type of action?
| .filter(e -> e.matchesPrivilege(privilege)) | ||
| .map(e -> e.resourceNames) | ||
| .flatMap(Set::stream) | ||
| .collect(Collectors.toSet()); |
There was a problem hiding this comment.
It looks to me that you went to great lengths to display app privileges in nicely formatted JSON.
What do you think if you also do resource-wildcard-compression here? I mean, to go through
the flatted array and eliminate resources that are a subset of another, eg user/kimchy is a subset of user/* so do not print it.
Again, I would not suggest this if you hadn't already reached up to here! Kibana will be thrilled!
There was a problem hiding this comment.
This is trickier than it sounds.
The Automatons are (in some cases) already unioned, so calculating subsets is tricky.
In the example from this javadoc:
"read", [ "user/*" ]
"all", [ "user/kimchy", "config/*" ]
the two resources for all are already merged into a single automaton, so there's nothing that is a pure subset of the read resource.
We can ignore the union by recompiling each of the resource names, but that would introduce Automaton compilation that we don't otherwise need.
There was a problem hiding this comment.
Agreed, it would require compiling the Automaton for every element of the Set.
We can leave it as a homework for when somebody else trips on this and can't do without it.
...c/main/java/org/elasticsearch/xpack/core/security/action/user/GetUserPrivilegesResponse.java
Show resolved
Hide resolved
jaymode
approved these changes
Oct 16, 2018
...rc/main/java/org/elasticsearch/xpack/core/security/action/user/GetUserPrivilegesRequest.java
Show resolved
Hide resolved
|
|
||
| import static org.hamcrest.Matchers.equalTo; | ||
|
|
||
| public class GetUserPrivilegesResponseTests extends ESTestCase { |
There was a problem hiding this comment.
since this response implements equals and hashcode, can you add tests for this?
...main/java/org/elasticsearch/xpack/security/action/user/TransportGetUserPrivilegesAction.java
Show resolved
Hide resolved
tvernum
added a commit
that referenced
this pull request
Oct 22, 2018
This API is intended as a companion to the _has_privileges API. It returns the list of privileges that are held by the current user. This information is difficult to reason about, and consumers should avoid making direct security decisions based solely on this data. For example, each of the following index privileges (as well as many more) would grant a user access to index a new document into the "metrics-2018-08-30" index, but clients should not try and deduce that information from this API. - "all" on "*" - "all" on "metrics-*" - "write" on "metrics-2018-*" - "write" on "metrics-2018-08-30" Rather, if a client wished to know if a user had "index" access to _any_ index, it would be possible to use this API to determine whether the user has any index privileges, and on which index patterns, and then feed those index patterns into _has_privileges in order to determine whether the "index" privilege had been granted. The result JSON is modelled on the Role API, with a few small changes to reflect how privileges are modelled when multiple roles are merged together (multiple DLS queries, multiple FLS grants, multiple global conditions, etc). Backport of: 9200e15, 2283a33, aeb3cda
kcm
pushed a commit
that referenced
this pull request
Oct 30, 2018
This API is intended as a companion to the _has_privileges API. It returns the list of privileges that are held by the current user. This information is difficult to reason about, and consumers should avoid making direct security decisions based solely on this data. For example, each of the following index privileges (as well as many more) would grant a user access to index a new document into the "metrics-2018-08-30" index, but clients should not try and deduce that information from this API. - "all" on "*" - "all" on "metrics-*" - "write" on "metrics-2018-*" - "write" on "metrics-2018-08-30" Rather, if a client wished to know if a user had "index" access to _any_ index, it would be possible to use this API to determine whether the user has any index privileges, and on which index patterns, and then feed those index patterns into _has_privileges in order to determine whether the "index" privilege had been granted. The result JSON is modelled on the Role API, with a few small changes to reflect how privileges are modelled when multiple roles are merged together (multiple DLS queries, multiple FLS grants, multiple global conditions, etc).
semd
added a commit
to elastic/kibana
that referenced
this pull request
Feb 15, 2024
## Summary This PR solves an issue with `superuser` (or any `*`) role and PLI (product level item) control. Elasticsearch _has_privileges_ API always returns _true_ on any privilege for `superuser` role, even if the privilege has never been registered (more context [here](elastic/elasticsearch#33928 (comment))), causing superuser to be able to access product-restricted APIs (e.g. Routes that should only be available on _complete_ tier, are also available on _essentials_ tier). ## Solution We have the registered AppFeatures configuration locally, so we can solve the problem by checking that the action privilege exists and has been registered in the AppFeatures service, before doing any call to ES _hasPrivileges_ API for RBAC. ### Changes - AppFeatures service now stores a Set with all the (`api` and `ui`) actions registered. - Endpoint authz checks the actions against AppFeatures before checking RBAC. Only for server-side. - Route `access:` tag control has been extended to check actions against AppFeatures for _securitySolution_ prefixed actions. - New `securitySolutionAppFeature:` route tag control for non-RBAC product feature checks. (This is not being used yet, but it will be needed) ### Behavior change - UI: no change, everything should keep working the same way. - API: routes associated with higher product tier features (such as endpoint or entity analytics) won't be accessible for the superuser/admin role when running on lower product tiers, like _security essentials_. --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
CoenWarmer
pushed a commit
to CoenWarmer/kibana
that referenced
this pull request
Feb 15, 2024
…176165) ## Summary This PR solves an issue with `superuser` (or any `*`) role and PLI (product level item) control. Elasticsearch _has_privileges_ API always returns _true_ on any privilege for `superuser` role, even if the privilege has never been registered (more context [here](elastic/elasticsearch#33928 (comment))), causing superuser to be able to access product-restricted APIs (e.g. Routes that should only be available on _complete_ tier, are also available on _essentials_ tier). ## Solution We have the registered AppFeatures configuration locally, so we can solve the problem by checking that the action privilege exists and has been registered in the AppFeatures service, before doing any call to ES _hasPrivileges_ API for RBAC. ### Changes - AppFeatures service now stores a Set with all the (`api` and `ui`) actions registered. - Endpoint authz checks the actions against AppFeatures before checking RBAC. Only for server-side. - Route `access:` tag control has been extended to check actions against AppFeatures for _securitySolution_ prefixed actions. - New `securitySolutionAppFeature:` route tag control for non-RBAC product feature checks. (This is not being used yet, but it will be needed) ### Behavior change - UI: no change, everything should keep working the same way. - API: routes associated with higher product tier features (such as endpoint or entity analytics) won't be accessible for the superuser/admin role when running on lower product tiers, like _security essentials_. --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
fkanout
pushed a commit
to fkanout/kibana
that referenced
this pull request
Mar 4, 2024
…176165) ## Summary This PR solves an issue with `superuser` (or any `*`) role and PLI (product level item) control. Elasticsearch _has_privileges_ API always returns _true_ on any privilege for `superuser` role, even if the privilege has never been registered (more context [here](elastic/elasticsearch#33928 (comment))), causing superuser to be able to access product-restricted APIs (e.g. Routes that should only be available on _complete_ tier, are also available on _essentials_ tier). ## Solution We have the registered AppFeatures configuration locally, so we can solve the problem by checking that the action privilege exists and has been registered in the AppFeatures service, before doing any call to ES _hasPrivileges_ API for RBAC. ### Changes - AppFeatures service now stores a Set with all the (`api` and `ui`) actions registered. - Endpoint authz checks the actions against AppFeatures before checking RBAC. Only for server-side. - Route `access:` tag control has been extended to check actions against AppFeatures for _securitySolution_ prefixed actions. - New `securitySolutionAppFeature:` route tag control for non-RBAC product feature checks. (This is not being used yet, but it will be needed) ### Behavior change - UI: no change, everything should keep working the same way. - API: routes associated with higher product tier features (such as endpoint or entity analytics) won't be accessible for the superuser/admin role when running on lower product tiers, like _security essentials_. --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The get-user-privileges API (
_xpack/security/user/_privileges) returnsthe current user's effective privileges in a role-like structure.
Because the effective privileges are the result of merging potentially
multiple roles, the resulting structure has a few differences to the
standard role JSON - some fields that are single values in roles, are
multivariate (arrays) in this API.
It is only possible to return the current user's privileges, but the
es-security-runas-user header can be used to load another user as the
current effective user.
Resolves: #32777