Add support for licensed sub feature privileges (#80905)

elastic · Nov 16, 2020 · fe33579 · fe33579
1 parent bc3bb2a
commit fe33579
Show file tree

Hide file tree

Showing 22 changed files with 1,641 additions and 55 deletions.
diff --git a/docs/developer/architecture/security/feature-registration.asciidoc b/docs/developer/architecture/security/feature-registration.asciidoc
@@ -198,7 +198,10 @@ server.route({
 === Example 3: Discover
 
 Discover takes advantage of subfeature privileges to allow fine-grained access control. In this example,
-a single "Create Short URLs" subfeature privilege is defined, which allows users to grant access to this feature without having to grant the `all` privilege to Discover. In other words, you can grant `read` access to Discover, and also grant the ability to create short URLs.
+two subfeature privileges are defined: "Create Short URLs", and "Generate PDF Reports". These allow users to grant access to this feature without having to grant the `all` privilege to Discover. In other words, you can grant `read` access to Discover, and also grant the ability to create short URLs or generate PDF reports.
+
+Notice the "Generate PDF Reports" subfeature privilege has an additional `minimumPrivilege` option. Kibana will only offer this subfeature privilege if the
+license requirement is satisfied.
 
 ["source","javascript"]
 -----------
@@ -259,6 +262,28 @@ public setup(core, { features }) {
                 },
               ],
             },
+            {
+              groupType: 'independent',
+              privileges: [
+                {
+                  id: 'pdf_generate',
+                  name: i18n.translate(
+                    'xpack.features.ossFeatures.discoverGeneratePDFReportsPrivilegeName',
+                    {
+                      defaultMessage: 'Generate PDF Reports',
+                    }
+                  ),
+                  minimumLicense: 'platinum',
+                  includeIn: 'all',
+                  savedObject: {
+                    all: [],
+                    read: [],
+                  },
+                  api: ['generatePDFReports'],
+                  ui: ['generatePDFReports'],
+                },
+              ],
+            },
           ],
         },
       ],

diff --git a/x-pack/plugins/features/common/sub_feature.ts b/x-pack/plugins/features/common/sub_feature.ts
@@ -5,6 +5,7 @@
  */
 
 import { RecursiveReadonly } from '@kbn/utility-types';
+import { LicenseType } from '../../licensing/common/types';
 import { FeatureKibanaPrivileges } from './feature_kibana_privileges';
 
 /**
@@ -68,6 +69,13 @@ export interface SubFeaturePrivilegeConfig
    * `read` is also included in `all` automatically.
    */
   includeIn: 'all' | 'read' | 'none';
+
+  /**
+   * The minimum supported license level for this sub-feature privilege.
+   * If no license level is supplied, then this privilege will be available for all licences
+   * that are valid for the overall feature.
+   */
+  minimumLicense?: LicenseType;
 }
 
 export class SubFeature {