[ML] Update file data visualizer permissions #101169
Yes, I agree. This stage is only telling the user things about the file they uploaded, and could have worked out themselves by counting things in a text editor on their machine if they had the time and inclination. They can cause CPU usage in Elasticsearch by analysing lots of files, although they can do that anyway by running searches. So I think for the file analysis stage of the process a very low level of permissions is adequate. Something on a par with using Discover. Then, as people have said, to actually import the file you need to be able to create an index, create an ingest pipeline and index documents into that index. But that's always been the case and has always been controlled using ES permissions.
In Elasticsearch every action has to have an action name and the permissions allow you to use actions whose name begins with a certain prefix. All the action names that are for cluster actions rather than index actions and which don't make changes begin with When To summarise, I think it's fine to either not protect the analysis step (beyond having to log into Kibana) and bearing in mind that the upload privilege checks that happen naturally due to creating an index and an ingest pipeline protect the upload step or protect the analysis step with a really basic Kibana privilege like being allowed to use Discover or something else that's widely granted, again with the upload step protected naturally.
@legrego I've updated this PR with your suggested changes. Could you please take a look? Also, I'm not that happy with the text in the error callout, but I can't think of a better way of wording it.
@@ -37,6 +37,7 @@ export const buildOSSFeatures = ({ | |||
privileges: { | |||
all: { | |||
app: ['discover', 'kibana'], | |||
api: ['fileUpload:analyzeFile'], |
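Review bot: in the Discover `all` block the new `api: ['fileUpload:analyzeFile']` entry carries no comment explaining why a Discover privilege grants a file-upload action, and the lines shown add it under `all` only. A one-line comment stating that file analysis is deliberately gated by Discover access would help the next reader, and it is worth confirming whether read-only Discover users are meant to be denied analysis, since the rest of the privilege definition is outside this hunk.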
I know we discussed Discover as one example of a feature that should grant this functionality, but is that the only one? If I'm reading this right, it looks like we are taking this away from the `maps` and `ml` features, which would surprise our users when they upgrade
Yes, failing tests have just shown that ML still needs to supply this privilege.
Maps does not as it does not use the file structure finder feature.
Updated in 3d3c2c0
> | ||
<FormattedMessage | ||
id="xpack.dataVisualizer.file.fileErrorCallouts.findFileStructurePermissionDenied.description" | ||
defaultMessage="You do not have sufficient privileges to analyze files." |
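Review bot: the `defaultMessage` text "You do not have sufficient privileges to analyze files." says what failed but gives the user no next step. Consider adding a short sentence pointing them to their administrator, and check that this callout is rendered only for the permission-denied case that the message id `findFileStructurePermissionDenied` names, so that other analysis failures do not show it.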
I like this updated text 👍
Code LGTM 🎉
* [ML] Update file data visualizer permissions
* adding home bundle
* fixing translations
* removing home from bundles
* switching to current user for analysis
* adding find structure permission check
* clean up
* updating text
* updating maps
* removing has_find_file_structure_permission endpoint
* removing more code
* adding permission error message
* renaming variable
* adding fileUpload:analyzeFile back into ML
* updating error text
* updating snapshots

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: James Gowdy <jgowdy@elastic.co>
Removes the ML supplied capability `access:fileUpload:import` and adds `fileUpload:analyzeFile` to Discover's `api` `all` capabilities so the feature can be used in Home's Add Data page without the user needing any ML permissions.

Using Discover's capabilities was suggested here as the ability to analyze a file should be a very low permission and it is reasonable to assume that a user with the ability to use Discover could also have the ability to analyze a file.

If the file analysis fails with a `403` a permission warning is shown.

@lcawl or @szabosteve can you please check the wording of the warning for me?
Checklist
Delete any items that are not applicable to this PR.
* Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
* Documentation was added for features that require explanation or tutorials
* Unit or functional tests were updated or added to match the most common scenarios
* This was checked for breaking API changes and was labeled appropriately
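
A simplified model of the check this PR changes, added here as an illustration and not taken from Kibana's source: a feature privilege's `api` list decides whether a route tagged `access:fileUpload:analyzeFile` answers 200 or the 403 that triggers the permission callout. The registry shape, route path, helper names and the empty Discover `read` grant are assumptions; only the privilege strings come from the PR.

```typescript
// Simplified model, not Kibana source. Registry shape, route path and helper
// names are hypothetical; only the privilege strings come from the PR.
type Registry = { [feature: string]: { [level: string]: { api: string[] } } };
type Role = { [feature: string]: string[] }; // feature -> granted levels
interface Route { path: string; tags: string[] }

// Constructed registry reflecting the thread's outcome: Discover `all` and ML
// grant fileUpload:analyzeFile, Maps does not. Discover `read` is left empty
// as an assumption (the hunk on this page shows `all` only).
const features: Registry = {
  discover: { all: { api: ['fileUpload:analyzeFile'] }, read: { api: [] } },
  ml: { all: { api: ['fileUpload:analyzeFile'] } },
  maps: { all: { api: [] } },
};

const ACCESS = 'access:';

// Hypothetical analysis route; tags starting with `access:` need an api grant.
const analyzeRoute: Route = {
  path: '/hypothetical/analyze_file',
  tags: [ACCESS + 'fileUpload:analyzeFile'],
};

// Collect every api action granted by the role's feature privileges.
function grantedApi(role: Role): string[] {
  let granted: string[] = [];
  for (const feature of Object.keys(role)) {
    for (const level of role[feature]) {
      const privilege = (features[feature] || {})[level];
      if (privilege) granted = granted.concat(privilege.api);
    }
  }
  return granted;
}

// 200 when every access: tag is covered by a grant, otherwise 403.
function authorize(route: Route, role: Role): number {
  const granted = grantedApi(role);
  const missing = route.tags
    .filter((tag) => tag.indexOf(ACCESS) === 0)
    .map((tag) => tag.slice(ACCESS.length))
    .filter((action) => granted.indexOf(action) === -1);
  return missing.length === 0 ? 200 : 403;
}
```

Calling `authorize(analyzeRoute, { maps: ['all'] })` returns 403 while a role holding Discover `all` or ML `all` gets 200, which is the upgrade-compatibility question raised in the review.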