Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Grant access to machine learning features when base privileges are used #115444

Merged
merged 19 commits into from
Oct 26, 2021

Conversation

XavierM
Copy link
Contributor

@XavierM XavierM commented Oct 18, 2021

Summary

The Machine Learning feature should be included as part of the base privileges for the 8.0 release.
This is considered a breaking change since it would grant considerable privileges to existing users, and this may not be desirable for certain installations.

Resolves #71422

Checklist

Delete any items that are not applicable to this PR.

@XavierM XavierM added release_note:breaking Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.0.0 Breaking Change Team:ML Team label for ML (also use :ml) labels Oct 18, 2021
@XavierM XavierM requested a review from a team as a code owner October 18, 2021 19:39
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@jgowdyelastic
Copy link
Member

jgowdyelastic commented Oct 19, 2021

@XavierM could you please give a bit more detail on what user facing changes this will introduce?
I see that it doesn't affect the UI when creating a role and granting kibana privileges.

image

@legrego legrego marked this pull request as draft October 19, 2021 11:19
@legrego
Copy link
Member

legrego commented Oct 19, 2021

@jgowdyelastic sorry this should have been marked as draft for the time being. We opened this to see what the impact of the change would be on CI, so we could start addressing test failures. The intent here is for access to ML to be granted when the base all or read privileges are granted -- we'll make sure the role management screen reflects that prior to merging

@kibanamachine
Copy link
Contributor

kibanamachine commented Oct 20, 2021

💔 Build Failed

Failed CI Steps


Test Failures

Kibana Pipeline / general / Chrome X-Pack UI Functional Tests.x-pack/test/functional/apps/ml/permissions/no_ml_access·ts.machine learning permissions for user with no ML access (ft_ml_unauthorized) should not allow access to the ML app

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 1 times on tracked branches: https://dryrun

[00:00:00]     │
[00:00:00]       └-: machine learning
[00:00:00]         └-> "before all" hook in "machine learning"
[00:00:00]         └-: 
[00:00:00]           └-> "before all" hook in ""
[00:00:00]           └-> "before all" hook in ""
[00:00:00]             │ debg creating role ft_ml_source
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_source]
[00:00:00]             │ debg creating role ft_ml_source_readonly
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_source_readonly]
[00:00:00]             │ debg creating role ft_ml_dest
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_dest]
[00:00:00]             │ debg creating role ft_ml_dest_readonly
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_dest_readonly]
[00:00:00]             │ debg creating role ft_ml_ui_extras
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_ui_extras]
[00:00:00]             │ debg creating role ft_default_space_ml_all
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_all]
[00:00:00]             │ debg creating role ft_default_space1_ml_all
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space1_ml_all]
[00:00:00]             │ debg creating role ft_all_spaces_ml_all
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_all_spaces_ml_all]
[00:00:00]             │ debg creating role ft_default_space_ml_read
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_read]
[00:00:00]             │ debg creating role ft_default_space1_ml_read
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space1_ml_read]
[00:00:00]             │ debg creating role ft_all_spaces_ml_read
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_all_spaces_ml_read]
[00:00:00]             │ debg creating role ft_default_space_ml_none
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_none]
[00:00:00]             │ debg creating user ft_ml_poweruser
[00:00:00]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser]
[00:00:00]             │ debg created user ft_ml_poweruser
[00:00:00]             │ debg creating user ft_ml_poweruser_spaces
[00:00:00]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_spaces]
[00:00:00]             │ debg created user ft_ml_poweruser_spaces
[00:00:00]             │ debg creating user ft_ml_poweruser_space1
[00:00:00]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_space1]
[00:00:00]             │ debg created user ft_ml_poweruser_space1
[00:00:00]             │ debg creating user ft_ml_poweruser_all_spaces
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_all_spaces]
[00:00:01]             │ debg created user ft_ml_poweruser_all_spaces
[00:00:01]             │ debg creating user ft_ml_viewer
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer]
[00:00:01]             │ debg created user ft_ml_viewer
[00:00:01]             │ debg creating user ft_ml_viewer_spaces
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_spaces]
[00:00:01]             │ debg created user ft_ml_viewer_spaces
[00:00:01]             │ debg creating user ft_ml_viewer_space1
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_space1]
[00:00:01]             │ debg created user ft_ml_viewer_space1
[00:00:01]             │ debg creating user ft_ml_viewer_all_spaces
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_all_spaces]
[00:00:01]             │ debg created user ft_ml_viewer_all_spaces
[00:00:01]             │ debg creating user ft_ml_unauthorized
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_unauthorized]
[00:00:01]             │ debg created user ft_ml_unauthorized
[00:00:01]           └-: permissions
[00:00:01]             └-> "before all" hook in "permissions"
[00:07:05]             └-: for user with no ML access
[00:07:05]               └-> "before all" hook in "for user with no ML access"
[00:07:05]               └-: (ft_ml_unauthorized)
[00:07:05]                 └-> "before all" hook for "should not allow access to the ML app"
[00:07:05]                 └-> "before all" hook for "should not allow access to the ML app"
[00:07:05]                   │ debg SecurityPage.forceLogout
[00:07:05]                   │ debg Find.existsByDisplayedByCssSelector('.login-form') with timeout=100
[00:07:05]                   │ debg Already on the login page, not forcing anything
[00:07:05]                   │ debg TestSubjects.exists(loginForm)
[00:07:05]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="loginForm"]') with timeout=2500
[00:07:06]                   │ debg Waiting for Login Form to appear.
[00:07:06]                   │ debg Waiting up to 100000ms for login form...
[00:07:06]                   │ debg TestSubjects.exists(loginForm)
[00:07:06]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="loginForm"]') with timeout=2500
[00:07:06]                   │ debg TestSubjects.setValue(loginUsername, ft_ml_unauthorized)
[00:07:06]                   │ debg TestSubjects.click(loginUsername)
[00:07:06]                   │ debg Find.clickByCssSelector('[data-test-subj="loginUsername"]') with timeout=10000
[00:07:06]                   │ debg Find.findByCssSelector('[data-test-subj="loginUsername"]') with timeout=10000
[00:07:06]                   │ debg TestSubjects.setValue(loginPassword, mlu001)
[00:07:06]                   │ debg TestSubjects.click(loginPassword)
[00:07:06]                   │ debg Find.clickByCssSelector('[data-test-subj="loginPassword"]') with timeout=10000
[00:07:06]                   │ debg Find.findByCssSelector('[data-test-subj="loginPassword"]') with timeout=10000
[00:07:06]                   │ debg TestSubjects.click(loginSubmit)
[00:07:06]                   │ debg Find.clickByCssSelector('[data-test-subj="loginSubmit"]') with timeout=10000
[00:07:06]                   │ debg Find.findByCssSelector('[data-test-subj="loginSubmit"]') with timeout=10000
[00:07:06]                   │ debg Waiting for login result, expected: chrome.
[00:07:06]                   │ debg Find.findByCssSelector('[data-test-subj="userMenuAvatar"]') with timeout=20000
[00:07:06]                   │ proc [kibana] [2021-10-20T18:16:24.820+00:00][INFO ][plugins.security.routes] Logging in with provider "basic" (basic)
[00:07:09]                   │ debg browser[INFO] http://localhost:61181/app/home 281 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:07:09]                   │
[00:07:09]                   │ debg browser[INFO] http://localhost:61181/bootstrap.js 41:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:07:09]                   │ debg Finished login process currentUrl = http://localhost:61181/app/home#/
[00:07:09]                   │ debg Waiting up to 20000ms for logout button visible...
[00:07:09]                   │ debg TestSubjects.exists(userMenuButton)
[00:07:09]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenuButton"]') with timeout=2500
[00:07:09]                   │ debg TestSubjects.exists(userMenu)
[00:07:09]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenu"]') with timeout=2500
[00:07:11]                   │ debg --- retry.tryForTime error: [data-test-subj="userMenu"] is not displayed
[00:07:12]                   │ debg TestSubjects.click(userMenuButton)
[00:07:12]                   │ debg Find.clickByCssSelector('[data-test-subj="userMenuButton"]') with timeout=10000
[00:07:12]                   │ debg Find.findByCssSelector('[data-test-subj="userMenuButton"]') with timeout=10000
[00:07:12]                   │ debg TestSubjects.exists(userMenu)
[00:07:12]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenu"]') with timeout=120000
[00:07:12]                   │ debg TestSubjects.exists(userMenu > logoutLink)
[00:07:12]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenu"] [data-test-subj="logoutLink"]') with timeout=2500
[00:07:12]                 └-> should not allow access to the ML app
[00:07:12]                   └-> "before each" hook: global before each for "should not allow access to the ML app"
[00:07:12]                   │ debg === TEST STEP === should not load the ML overview page
[00:07:12]                   │ debg navigateToUrl http://localhost:61181/app/ml#/ml/
[00:07:12]                   │ debg browser[INFO] http://localhost:61181/app/ml?_t=1634753790894#/ml/ 281 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:07:12]                   │
[00:07:12]                   │ debg browser[INFO] http://localhost:61181/bootstrap.js 41:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:07:12]                   │ debg Find.findByCssSelector('body') with timeout=10000
[00:07:12]                   │ info Taking screenshot "/dev/shm/workspace/parallel/18/kibana/x-pack/test/functional/screenshots/failure/machine learning  permissions for user with no ML access _ft_ml_unauthorized_ should not allow access to the ML app.png"
[00:07:13]                   │ info Current URL is: http://localhost:61181/app/ml#/ml/
[00:07:14]                   │ info Saving page source to: /dev/shm/workspace/parallel/18/kibana/x-pack/test/functional/failure_debug/html/machine learning  permissions for user with no ML access _ft_ml_unauthorized_ should not allow access to the ML app.html
[00:07:14]                   └- ✖ fail: machine learning  permissions for user with no ML access (ft_ml_unauthorized) should not allow access to the ML app
[00:07:14]                   │      Error: expected 'Loading Elastic' to contain 'You do not have permission to access the requested page'
[00:07:14]                   │       at Assertion.assert (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:07:14]                   │       at Assertion.contain (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/expect/expect.js:442:10)
[00:07:14]                   │       at ErrorPageObject.expectForbidden (/dev/shm/workspace/parallel/18/kibana/test/functional/page_objects/error_page.ts:17:28)
[00:07:14]                   │       at runMicrotasks (<anonymous>)
[00:07:14]                   │       at processTicksAndRejections (node:internal/process/task_queues:96:5)
[00:07:14]                   │       at Context.<anonymous> (test/functional/apps/ml/permissions/no_ml_access.ts:38:11)
[00:07:14]                   │       at Object.apply (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:07:14]                   │ 
[00:07:14]                   │ 

Stack Trace

Error: expected 'Loading Elastic' to contain 'You do not have permission to access the requested page'
    at Assertion.assert (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.contain (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/expect/expect.js:442:10)
    at ErrorPageObject.expectForbidden (/dev/shm/workspace/parallel/18/kibana/test/functional/page_objects/error_page.ts:17:28)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at Context.<anonymous> (test/functional/apps/ml/permissions/no_ml_access.ts:38:11)
    at Object.apply (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)

Kibana Pipeline / general / Chrome X-Pack UI Functional Tests.x-pack/test/functional/apps/ml/permissions/no_ml_access·ts.machine learning permissions for user with no ML access (ft_ml_unauthorized) should not allow access to the ML app

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

[00:00:00]     │
[00:00:00]       └-: machine learning
[00:00:00]         └-> "before all" hook in "machine learning"
[00:00:00]         └-: 
[00:00:00]           └-> "before all" hook in ""
[00:00:00]           └-> "before all" hook in ""
[00:00:00]             │ debg creating role ft_ml_source
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_source]
[00:00:00]             │ debg creating role ft_ml_source_readonly
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_source_readonly]
[00:00:00]             │ debg creating role ft_ml_dest
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_dest]
[00:00:00]             │ debg creating role ft_ml_dest_readonly
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_dest_readonly]
[00:00:00]             │ debg creating role ft_ml_ui_extras
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_ui_extras]
[00:00:00]             │ debg creating role ft_default_space_ml_all
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_all]
[00:00:00]             │ debg creating role ft_default_space1_ml_all
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space1_ml_all]
[00:00:00]             │ debg creating role ft_all_spaces_ml_all
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_all_spaces_ml_all]
[00:00:00]             │ debg creating role ft_default_space_ml_read
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_read]
[00:00:00]             │ debg creating role ft_default_space1_ml_read
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space1_ml_read]
[00:00:00]             │ debg creating role ft_all_spaces_ml_read
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_all_spaces_ml_read]
[00:00:00]             │ debg creating role ft_default_space_ml_none
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_none]
[00:00:00]             │ debg creating user ft_ml_poweruser
[00:00:00]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser]
[00:00:00]             │ debg created user ft_ml_poweruser
[00:00:00]             │ debg creating user ft_ml_poweruser_spaces
[00:00:00]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_spaces]
[00:00:00]             │ debg created user ft_ml_poweruser_spaces
[00:00:00]             │ debg creating user ft_ml_poweruser_space1
[00:00:00]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_space1]
[00:00:00]             │ debg created user ft_ml_poweruser_space1
[00:00:00]             │ debg creating user ft_ml_poweruser_all_spaces
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_all_spaces]
[00:00:01]             │ debg created user ft_ml_poweruser_all_spaces
[00:00:01]             │ debg creating user ft_ml_viewer
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer]
[00:00:01]             │ debg created user ft_ml_viewer
[00:00:01]             │ debg creating user ft_ml_viewer_spaces
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_spaces]
[00:00:01]             │ debg created user ft_ml_viewer_spaces
[00:00:01]             │ debg creating user ft_ml_viewer_space1
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_space1]
[00:00:01]             │ debg created user ft_ml_viewer_space1
[00:00:01]             │ debg creating user ft_ml_viewer_all_spaces
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_all_spaces]
[00:00:01]             │ debg created user ft_ml_viewer_all_spaces
[00:00:01]             │ debg creating user ft_ml_unauthorized
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_unauthorized]
[00:00:01]             │ debg created user ft_ml_unauthorized
[00:00:01]           └-: permissions
[00:00:01]             └-> "before all" hook in "permissions"
[00:07:15]             └-: for user with no ML access
[00:07:15]               └-> "before all" hook in "for user with no ML access"
[00:07:15]               └-: (ft_ml_unauthorized)
[00:07:15]                 └-> "before all" hook for "should not allow access to the ML app"
[00:07:15]                 └-> "before all" hook for "should not allow access to the ML app"
[00:07:15]                   │ debg SecurityPage.forceLogout
[00:07:15]                   │ debg Find.existsByDisplayedByCssSelector('.login-form') with timeout=100
[00:07:15]                   │ debg Already on the login page, not forcing anything
[00:07:15]                   │ debg TestSubjects.exists(loginForm)
[00:07:15]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="loginForm"]') with timeout=2500
[00:07:15]                   │ debg Waiting for Login Form to appear.
[00:07:15]                   │ debg Waiting up to 100000ms for login form...
[00:07:15]                   │ debg TestSubjects.exists(loginForm)
[00:07:15]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="loginForm"]') with timeout=2500
[00:07:15]                   │ debg TestSubjects.setValue(loginUsername, ft_ml_unauthorized)
[00:07:15]                   │ debg TestSubjects.click(loginUsername)
[00:07:15]                   │ debg Find.clickByCssSelector('[data-test-subj="loginUsername"]') with timeout=10000
[00:07:15]                   │ debg Find.findByCssSelector('[data-test-subj="loginUsername"]') with timeout=10000
[00:07:15]                   │ debg TestSubjects.setValue(loginPassword, mlu001)
[00:07:15]                   │ debg TestSubjects.click(loginPassword)
[00:07:15]                   │ debg Find.clickByCssSelector('[data-test-subj="loginPassword"]') with timeout=10000
[00:07:15]                   │ debg Find.findByCssSelector('[data-test-subj="loginPassword"]') with timeout=10000
[00:07:15]                   │ debg TestSubjects.click(loginSubmit)
[00:07:15]                   │ debg Find.clickByCssSelector('[data-test-subj="loginSubmit"]') with timeout=10000
[00:07:15]                   │ debg Find.findByCssSelector('[data-test-subj="loginSubmit"]') with timeout=10000
[00:07:16]                   │ proc [kibana] [2021-10-20T18:06:50.024+00:00][INFO ][plugins.security.routes] Logging in with provider "basic" (basic)
[00:07:16]                   │ debg Waiting for login result, expected: chrome.
[00:07:16]                   │ debg Find.findByCssSelector('[data-test-subj="userMenuAvatar"]') with timeout=20000
[00:07:18]                   │ debg browser[INFO] http://localhost:61181/app/home 281 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:07:18]                   │
[00:07:18]                   │ debg browser[INFO] http://localhost:61181/bootstrap.js 41:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:07:18]                   │ debg Finished login process currentUrl = http://localhost:61181/app/home#/
[00:07:18]                   │ debg Waiting up to 20000ms for logout button visible...
[00:07:18]                   │ debg TestSubjects.exists(userMenuButton)
[00:07:18]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenuButton"]') with timeout=2500
[00:07:18]                   │ debg TestSubjects.exists(userMenu)
[00:07:18]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenu"]') with timeout=2500
[00:07:21]                   │ debg --- retry.tryForTime error: [data-test-subj="userMenu"] is not displayed
[00:07:21]                   │ debg TestSubjects.click(userMenuButton)
[00:07:21]                   │ debg Find.clickByCssSelector('[data-test-subj="userMenuButton"]') with timeout=10000
[00:07:21]                   │ debg Find.findByCssSelector('[data-test-subj="userMenuButton"]') with timeout=10000
[00:07:21]                   │ debg TestSubjects.exists(userMenu)
[00:07:21]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenu"]') with timeout=120000
[00:07:22]                   │ debg TestSubjects.exists(userMenu > logoutLink)
[00:07:22]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenu"] [data-test-subj="logoutLink"]') with timeout=2500
[00:07:22]                 └-> should not allow access to the ML app
[00:07:22]                   └-> "before each" hook: global before each for "should not allow access to the ML app"
[00:07:22]                   │ debg === TEST STEP === should not load the ML overview page
[00:07:22]                   │ debg navigateToUrl http://localhost:61181/app/ml#/ml/
[00:07:22]                   │ debg browser[INFO] http://localhost:61181/app/ml?_t=1634753216075#/ml/ 281 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:07:22]                   │
[00:07:22]                   │ debg browser[INFO] http://localhost:61181/bootstrap.js 41:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:07:22]                   │ debg Find.findByCssSelector('body') with timeout=10000
[00:07:22]                   │ info Taking screenshot "/dev/shm/workspace/parallel/18/kibana/x-pack/test/functional/screenshots/failure/machine learning  permissions for user with no ML access _ft_ml_unauthorized_ should not allow access to the ML app.png"
[00:07:23]                   │ info Current URL is: http://localhost:61181/app/ml#/ml/
[00:07:23]                   │ info Saving page source to: /dev/shm/workspace/parallel/18/kibana/x-pack/test/functional/failure_debug/html/machine learning  permissions for user with no ML access _ft_ml_unauthorized_ should not allow access to the ML app.html
[00:07:23]                   └- ✖ fail: machine learning  permissions for user with no ML access (ft_ml_unauthorized) should not allow access to the ML app
[00:07:23]                   │      Error: expected 'Loading Elastic' to contain 'You do not have permission to access the requested page'
[00:07:23]                   │       at Assertion.assert (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:07:23]                   │       at Assertion.contain (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/expect/expect.js:442:10)
[00:07:23]                   │       at ErrorPageObject.expectForbidden (/dev/shm/workspace/parallel/18/kibana/test/functional/page_objects/error_page.ts:17:28)
[00:07:23]                   │       at runMicrotasks (<anonymous>)
[00:07:23]                   │       at processTicksAndRejections (node:internal/process/task_queues:96:5)
[00:07:23]                   │       at Context.<anonymous> (test/functional/apps/ml/permissions/no_ml_access.ts:38:11)
[00:07:23]                   │       at Object.apply (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:07:23]                   │ 
[00:07:23]                   │ 

Stack Trace

Error: expected 'Loading Elastic' to contain 'You do not have permission to access the requested page'
    at Assertion.assert (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.contain (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/expect/expect.js:442:10)
    at ErrorPageObject.expectForbidden (/dev/shm/workspace/parallel/18/kibana/test/functional/page_objects/error_page.ts:17:28)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at Context.<anonymous> (test/functional/apps/ml/permissions/no_ml_access.ts:38:11)
    at Object.apply (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)

Kibana Pipeline / general / Chrome X-Pack UI Functional Tests Basic License.x-pack/test/functional_basic/apps/ml/permissions/no_ml_access·ts.apps machine learning basic license permissions for user with no ML access (ft_ml_unauthorized) should not allow access to the ML app

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

[00:00:00]     │
[00:00:00]       └-: apps
[00:00:00]         └-> "before all" hook in "apps"
[00:00:00]         └-: machine learning basic license
[00:00:00]           └-> "before all" hook in "machine learning basic license"
[00:00:00]           └-> "before all" hook in "machine learning basic license"
[00:00:00]             │ debg creating role ft_ml_source
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_source]
[00:00:00]             │ debg creating role ft_ml_source_readonly
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_source_readonly]
[00:00:00]             │ debg creating role ft_ml_dest
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_dest]
[00:00:00]             │ debg creating role ft_ml_dest_readonly
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_dest_readonly]
[00:00:00]             │ debg creating role ft_ml_ui_extras
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_ui_extras]
[00:00:00]             │ debg creating role ft_default_space_ml_all
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_all]
[00:00:00]             │ debg creating role ft_default_space1_ml_all
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space1_ml_all]
[00:00:00]             │ debg creating role ft_all_spaces_ml_all
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_all_spaces_ml_all]
[00:00:00]             │ debg creating role ft_default_space_ml_read
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_read]
[00:00:00]             │ debg creating role ft_default_space1_ml_read
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space1_ml_read]
[00:00:00]             │ debg creating role ft_all_spaces_ml_read
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_all_spaces_ml_read]
[00:00:00]             │ debg creating role ft_default_space_ml_none
[00:00:00]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_none]
[00:00:00]             │ debg creating user ft_ml_poweruser
[00:00:00]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser]
[00:00:00]             │ debg created user ft_ml_poweruser
[00:00:00]             │ debg creating user ft_ml_poweruser_spaces
[00:00:00]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_spaces]
[00:00:00]             │ debg created user ft_ml_poweruser_spaces
[00:00:00]             │ debg creating user ft_ml_poweruser_space1
[00:00:00]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_space1]
[00:00:00]             │ debg created user ft_ml_poweruser_space1
[00:00:00]             │ debg creating user ft_ml_poweruser_all_spaces
[00:00:00]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_all_spaces]
[00:00:00]             │ debg created user ft_ml_poweruser_all_spaces
[00:00:00]             │ debg creating user ft_ml_viewer
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer]
[00:00:01]             │ debg created user ft_ml_viewer
[00:00:01]             │ debg creating user ft_ml_viewer_spaces
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_spaces]
[00:00:01]             │ debg created user ft_ml_viewer_spaces
[00:00:01]             │ debg creating user ft_ml_viewer_space1
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_space1]
[00:00:01]             │ debg created user ft_ml_viewer_space1
[00:00:01]             │ debg creating user ft_ml_viewer_all_spaces
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_all_spaces]
[00:00:01]             │ debg created user ft_ml_viewer_all_spaces
[00:00:01]             │ debg creating user ft_ml_unauthorized
[00:00:01]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_unauthorized]
[00:00:01]             │ debg created user ft_ml_unauthorized
[00:00:01]           └-: permissions
[00:00:01]             └-> "before all" hook in "permissions"
[00:02:14]             └-: for user with no ML access
[00:02:14]               └-> "before all" hook in "for user with no ML access"
[00:02:14]               └-: (ft_ml_unauthorized)
[00:02:14]                 └-> "before all" hook for "should not allow access to the ML app"
[00:02:14]                 └-> "before all" hook for "should not allow access to the ML app"
[00:02:14]                   │ debg SecurityPage.forceLogout
[00:02:14]                   │ debg Find.existsByDisplayedByCssSelector('.login-form') with timeout=100
[00:02:14]                   │ debg Already on the login page, not forcing anything
[00:02:14]                   │ debg TestSubjects.exists(loginForm)
[00:02:14]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="loginForm"]') with timeout=2500
[00:02:14]                   │ debg Waiting for Login Form to appear.
[00:02:14]                   │ debg Waiting up to 100000ms for login form...
[00:02:14]                   │ debg TestSubjects.exists(loginForm)
[00:02:14]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="loginForm"]') with timeout=2500
[00:02:14]                   │ debg TestSubjects.setValue(loginUsername, ft_ml_unauthorized)
[00:02:14]                   │ debg TestSubjects.click(loginUsername)
[00:02:14]                   │ debg Find.clickByCssSelector('[data-test-subj="loginUsername"]') with timeout=10000
[00:02:14]                   │ debg Find.findByCssSelector('[data-test-subj="loginUsername"]') with timeout=10000
[00:02:14]                   │ debg TestSubjects.setValue(loginPassword, mlu001)
[00:02:14]                   │ debg TestSubjects.click(loginPassword)
[00:02:14]                   │ debg Find.clickByCssSelector('[data-test-subj="loginPassword"]') with timeout=10000
[00:02:14]                   │ debg Find.findByCssSelector('[data-test-subj="loginPassword"]') with timeout=10000
[00:02:14]                   │ debg TestSubjects.click(loginSubmit)
[00:02:14]                   │ debg Find.clickByCssSelector('[data-test-subj="loginSubmit"]') with timeout=10000
[00:02:14]                   │ debg Find.findByCssSelector('[data-test-subj="loginSubmit"]') with timeout=10000
[00:02:15]                   │ debg Waiting for login result, expected: chrome.
[00:02:15]                   │ debg Find.findByCssSelector('[data-test-subj="userMenuAvatar"]') with timeout=20000
[00:02:15]                   │ proc [kibana] [2021-10-20T18:20:17.029+00:00][INFO ][plugins.security.routes] Logging in with provider "basic" (basic)
[00:02:17]                   │ debg browser[INFO] http://localhost:61171/app/home 281 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:02:17]                   │
[00:02:17]                   │ debg browser[INFO] http://localhost:61171/bootstrap.js 41:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:02:17]                   │ debg Finished login process currentUrl = http://localhost:61171/app/home#/
[00:02:17]                   │ debg Waiting up to 20000ms for logout button visible...
[00:02:17]                   │ debg TestSubjects.exists(userMenuButton)
[00:02:17]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenuButton"]') with timeout=2500
[00:02:17]                   │ debg TestSubjects.exists(userMenu)
[00:02:17]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenu"]') with timeout=2500
[00:02:20]                   │ debg --- retry.tryForTime error: [data-test-subj="userMenu"] is not displayed
[00:02:20]                   │ debg TestSubjects.click(userMenuButton)
[00:02:20]                   │ debg Find.clickByCssSelector('[data-test-subj="userMenuButton"]') with timeout=10000
[00:02:20]                   │ debg Find.findByCssSelector('[data-test-subj="userMenuButton"]') with timeout=10000
[00:02:21]                   │ debg TestSubjects.exists(userMenu)
[00:02:21]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenu"]') with timeout=120000
[00:02:21]                   │ debg TestSubjects.exists(userMenu > logoutLink)
[00:02:21]                   │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="userMenu"] [data-test-subj="logoutLink"]') with timeout=2500
[00:02:21]                 └-> should not allow access to the ML app
[00:02:21]                   └-> "before each" hook: global before each for "should not allow access to the ML app"
[00:02:21]                   │ debg === TEST STEP === should not load the ML overview page
[00:02:21]                   │ debg navigateToUrl http://localhost:61171/app/ml#/ml/
[00:02:21]                   │ debg browser[INFO] http://localhost:61171/app/ml?_t=1634754023138#/ml/ 281 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:02:21]                   │
[00:02:21]                   │ debg browser[INFO] http://localhost:61171/bootstrap.js 41:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:02:21]                   │ debg Find.findByCssSelector('body') with timeout=10000
[00:02:21]                   │ info Taking screenshot "/dev/shm/workspace/parallel/17/kibana/x-pack/test/functional/screenshots/failure/apps machine learning basic license permissions for user with no ML access _ft_ml_unauthorized_ should not allow access to the ML app.png"
[00:02:22]                   │ info Current URL is: http://localhost:61171/app/ml#/ml/
[00:02:22]                   │ info Saving page source to: /dev/shm/workspace/parallel/17/kibana/x-pack/test/functional/failure_debug/html/apps machine learning basic license permissions for user with no ML access _ft_ml_unauthorized_ should not allow access to the ML app.html
[00:02:22]                   └- ✖ fail: apps machine learning basic license permissions for user with no ML access (ft_ml_unauthorized) should not allow access to the ML app
[00:02:22]                   │      Error: expected 'Loading Elastic' to contain 'You do not have permission to access the requested page'
[00:02:22]                   │       at Assertion.assert (/dev/shm/workspace/parallel/17/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:02:22]                   │       at Assertion.contain (/dev/shm/workspace/parallel/17/kibana/node_modules/@kbn/expect/expect.js:442:10)
[00:02:22]                   │       at ErrorPageObject.expectForbidden (/dev/shm/workspace/parallel/17/kibana/test/functional/page_objects/error_page.ts:17:28)
[00:02:22]                   │       at runMicrotasks (<anonymous>)
[00:02:22]                   │       at processTicksAndRejections (node:internal/process/task_queues:96:5)
[00:02:22]                   │       at Context.<anonymous> (test/functional_basic/apps/ml/permissions/no_ml_access.ts:36:11)
[00:02:22]                   │       at Object.apply (/dev/shm/workspace/parallel/17/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:02:22]                   │ 
[00:02:22]                   │ 

Stack Trace

Error: expected 'Loading Elastic' to contain 'You do not have permission to access the requested page'
    at Assertion.assert (/dev/shm/workspace/parallel/17/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.contain (/dev/shm/workspace/parallel/17/kibana/node_modules/@kbn/expect/expect.js:442:10)
    at ErrorPageObject.expectForbidden (/dev/shm/workspace/parallel/17/kibana/test/functional/page_objects/error_page.ts:17:28)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at Context.<anonymous> (test/functional_basic/apps/ml/permissions/no_ml_access.ts:36:11)
    at Object.apply (/dev/shm/workspace/parallel/17/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)

and 1 more failures, only showing the first 3.

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@jportner jportner self-requested a review October 20, 2021 19:38
@XavierM
Copy link
Contributor Author

XavierM commented Oct 21, 2021

@elasticmachine merge upstream

@XavierM XavierM marked this pull request as ready for review October 21, 2021 18:26
@XavierM XavierM requested a review from a team as a code owner October 21, 2021 18:26
Copy link
Contributor

@jportner jportner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice job on this, I think all your changes look great!

I wonder if we should add some more tests though -- it looks like we effectively don't have any ML integration tests that make assertions for users that have base privileges.

we have tests for these authorized users:

  • ML_POWERUSER (ft_ml_poweruser) - access granted to ML via the machine_learning_admin reserved role
  • ML_POWERUSER_SPACES (ft_ml_poweruser_spaces) - explicit access to ML in the default space
  • ML_POWERUSER_SPACE1 (ft_ml_poweruser_space1) - explicit access to ML in the space1 space
  • ML_POWERUSER_ALL_SPACES (ft_ml_poweruser_all_spaces) - explicit access to ML in all spaces
  • ML_VIEWER (ft_ml_viewer) - access granted via the machine_learning_user reserved role
  • ML_VIEWER_SPACES (ft_ml_viewer_spaces) - explicit access to ML in the default spac
  • ML_VIEWER_SPACE1 (ft_ml_viewer_space1) - explicit access to ML in the space1 space
  • ML_VIEWER_ALL_SPACES (ft_ml_viewer_all_spaces) - explicit access to ML in all spaces

I don't think we should make two additional users to test implicit access (base privileges). Instead, I think we should change ML_POWERUSER_ALL_SPACES and ML_VIEWER_ALL_SPACES to use base privileges. E.g., change these two roles to the following:

{
  name: 'ft_all_spaces_ml_all',
  elasticsearch: { cluster: [], indices: [], run_as: [] },
  kibana: [
    {
      base: ['all'],
      feature: {},
      spaces: ['*'],
    },
  ],
},
...
{
  name: 'ft_all_spaces_ml_read',
  elasticsearch: { cluster: [], indices: [], run_as: [] },
  kibana: [
    {
      base: ['read'],
      feature: {},
      spaces: ['*'],
    },
  ],
},

WDYT?

@@ -103,5 +103,75 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
expect(navLinks).to.contain('Machine Learning');
});
});

describe('ml read', () => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like these tests that you added for explicit read / explicit none

@XavierM
Copy link
Contributor Author

XavierM commented Oct 21, 2021

I like your suggestion about these two roles ft_all_spaces_ml_all and ft_all_spaces_ml_read with just base access. It makes sense.

@jgowdyelastic
Copy link
Member

cc @pheyos regarding tests and user changes

@jportner
Copy link
Contributor

jportner commented Oct 26, 2021

I'm not sure what is causing the module integration test failures. It seems that the "ft_ml_poweruser" user does not have enough privileges to access the "apache_data_stream" and "nginx_data_stream" modules, but I'm not sure why. I attempted adding extra feature privileges to the "ft_all_space_ml_none" role (siem, apm, and fleet) but none of those made a difference. Perhaps @pheyos will be able to shed some light on this.

@pheyos
Copy link
Member

pheyos commented Oct 26, 2021

To summarize the failing test investigation and slack discussion:
Additional features are needed in the ft_all_space_ml_none role for some of the tests to pass: savedObjectsManagement: ['all'] and advancedSettings: ['all']

@pheyos
Copy link
Member

pheyos commented Oct 26, 2021

There's another test failure (I think this was hidden by a different failure before). We also have a test where we modify an index pattern / data view. I haven't tested it, but I think this means we also need indexPatterns:['all'].

@XavierM
Copy link
Contributor Author

XavierM commented Oct 26, 2021

@elasticmachine merge upstream

@jportner
Copy link
Contributor

@elasticmachine merge upstream

@legrego legrego changed the title [ML] include ML in base privilege Grant access to machine learning features when base privileges are used Oct 26, 2021
Copy link
Member

@pheyos pheyos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM on green CI.

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@jportner jportner merged commit 852a728 into elastic:master Oct 26, 2021
jloleysens added a commit to jloleysens/kibana that referenced this pull request Oct 27, 2021
…-migrate-away-from-injected-css-js

* 'master' of github.com:elastic/kibana: (61 commits)
  [ML] Nodes overview for the Model Management page (elastic#116361)
  [Uptime] Uptime index config using kibana.yml (elastic#115775)
  [Controls] Dashboard Integration (elastic#115991)
  skip flaky suite (elastic#104260)
  Include Files in GitHub UI (elastic#115956)
  skip flaky suite (elastic#116060)
  [Canvas] By-Value Embeddables (elastic#113827)
  Skip failing test (elastic#115366)
  [Osquery] Fix live query search doesn't return relevant results for agents (elastic#116332)
  [Integrations] Added link in old Add Data description and fixed alignment in cards (elastic#116213)
  [Actions] Extended ActionTypeRegistry with connector validation to validate config with secrets (elastic#116079)
  skip flaky suite (elastic#109329)
  Grant access to machine learning features when base privileges are used (elastic#115444)
  Skipping failing test (elastic#84957)
  [RAC][Security Solution] Adds migration to new SecuritySolution rule types (elastic#112113)
  skip flaky suite (elastic#115366)
  [Fleet] Marking API spec as experimental (elastic#116331)
  [Docs] Cleaning up the versions in the upgrade paths. Closes elastic#116223 (elastic#116228)
  [Reporting] Suppress debug logs in the mock logger (elastic#116012)
  [Metrics UI] Clear threshold alert groups state when filterQuery changes (elastic#116205)
  ...

# Conflicts:
#	src/plugins/dashboard/public/application/embeddable/dashboard_container.tsx
#	src/plugins/dashboard/public/types.ts
@kibanamachine kibanamachine added the backport missing Added to PRs automatically when the are determined to be missing a backport. label Oct 28, 2021
@kibanamachine
Copy link
Contributor

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 115444 or prevent reminders by adding the backport:skip label.

1 similar comment
@kibanamachine
Copy link
Contributor

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 115444 or prevent reminders by adding the backport:skip label.

@spalger spalger added the backport:skip This commit does not require backporting label Nov 1, 2021
@kibanamachine kibanamachine removed the backport missing Added to PRs automatically when the are determined to be missing a backport. label Nov 1, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:skip This commit does not require backporting Breaking Change release_note:breaking Team:ML Team label for ML (also use :ml) Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Include ML in base privileges
8 participants