Deprecate or warn for system indices in user-defined roles #76713
Labels
:Core/Infra/Core
Core issues without another label
>enhancement
:Security/Authorization
Roles, Privileges, DLS/FLS, RBAC/ABAC
Team:Core/Infra
Meta label for core/infra team
Team:Security
Meta label for security team
Comments
williamrandolph
added
>enhancement
:Core/Infra/Core
elasticmachine
added
Team:Core/Infra
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
|
Pinging @elastic/es-security (Team:Security) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is a follow-up from a suggestion that @albertzaharovits made in #74212.
If a user currently has an index permission in a user-defined role that specifies only system indices, do we need to issue a deprecation warning? Or should we
We need to find out what the application behavior would be in this situation and determine whether or not we can successfully identify this situation. We don't want to issue warnings in cases where the index permission patterns can cover system indices as well as other indices; consider the trivial case of "*" for all indices, which should be allowed. But if a user has created an alternate permission for
.security-*or.kibana, what will happen? Do we need to warn about this case or just let it fail silently?It's possible that we already do some kind of checking or handling here, in which case we can close this issue.
The text was updated successfully, but these errors were encountered: