Setting xpack.telemetry.enabled to false prevents access to roles ui #43208

Closed
rashmivkulkarni opened this issue Aug 13, 2019 · 10 comments · Fixed by #43312
Labels
bug Fixes for quality problems that affect the customer experience v7.3.0

Comments

@rashmivkulkarni
Contributor

If I disable the xpack.telemetry.enabled setting I can't create or edit roles in the Kibana UI.
The /app/kibana#/management/security/roles site is accessible,
but /app/kibana#/management/security/roles/edit is not.

Tested with Version 7.3.0 on Windows 10.

No Warning or Error logs.

Elasticsearch's roles API works fine.

Steps:
Download and extract es and kibana zips.
elasticsearch.yml:
```yaml
xpack.security.enabled: true
```
Start es
`elasticsearch-setup-passwords auto`
kibana.yml:
```yaml
elasticsearch.username: "kibana"
elasticsearch.password: "ThePwd"
xpack.telemetry.enabled: false
```
Start kibana
Login -> Management -> Roles
Click on "Create Role" -> Nothing happens

The browser console text says:
```
kibana#/home?_g=():372 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'nonce-b5qHXrSTHq59PM2x'". Either the 'unsafe-inline' keyword, a hash ('sha256-SHHSeLc0bp6xt4BoVVyUy+3IbVqp3ujLaR+s+kSP5UI='), or a nonce ('nonce-...') is required to enable inline execution.

bootstrap.js:10 ^ A single error about an inline script not firing due to content security policy is expected!

vendors.bundle.dll.js:600 INFO: 2019-08-13T08:16:09Z Adding connection to http://localhost:5601/elasticsearch
```

Verbose Level:
```
vendors.bundle.dll.js:493 [Violation] 'setTimeout' handler took 142ms
vendors.bundle.dll.js:499 [Violation] 'load' handler took 152ms
vendors.bundle.dll.js:499 [Violation] 'load' handler took 220ms
```
The verbose Kibana output while clicking on "Roles" and then on "Create Role":
```
ops [08:33:09.663] memory: 213.7MB uptime: 0:19:59 load: [0.00 0.00 0.00] delay: 0.098
log [08:33:09.815] [debug][plugin] Checking Elasticsearch version
log [08:33:11.737] [debug][kibana-monitoring][monitoring] Received Kibana Ops event data
log [08:33:11.738] [debug][kibana-monitoring][monitoring] Received Kibana Ops event data
log [08:33:11.739] [debug][basic][security] Trying to authenticate user request to /api/security/v1/me.
log [08:33:11.740] [debug][basic][security] Trying to authenticate via login attempt.
log [08:33:11.740] [debug][basic][security] Username and password not found in payload.
log [08:33:11.740] [debug][basic][security] Trying to authenticate via header.
log [08:33:11.741] [debug][basic][security] Authorization header is not presented.
log [08:33:11.741] [debug][basic][security] Trying to authenticate via state.
log [08:33:11.743] [debug][basic][security] Request has been authenticated via state.
respons [08:33:11.738] GET /api/security/v1/me 200 14ms - 9.0B
log [08:33:12.011] [debug][basic][security] Trying to authenticate user request to /api/security/role.
log [08:33:12.011] [debug][basic][security] Trying to authenticate via login attempt.
log [08:33:12.011] [debug][basic][security] Username and password not found in payload.
log [08:33:12.012] [debug][basic][security] Trying to authenticate via header.
log [08:33:12.012] [debug][basic][security] Authorization header is not presented.
log [08:33:12.013] [debug][basic][security] Trying to authenticate via state.
log [08:33:12.033] [debug][basic][security] Request has been authenticated via state.
respons [08:33:12.010] GET /api/security/role 200 35ms - 9.0B
log [08:33:12.326] [debug][plugin] Checking Elasticsearch version
log [08:33:13.142] [debug][kibana-monitoring][monitoring] Received Kibana Ops event data
log [08:33:13.143] [debug][kibana-monitoring][monitoring] Received Kibana Ops event data
log [08:33:13.372] [debug][basic][security] Trying to authenticate user request to /api/security/v1/users.
log [08:33:13.373] [debug][basic][security] Trying to authenticate via login attempt.
log [08:33:13.373] [debug][basic][security] Username and password not found in payload.
log [08:33:13.374] [debug][basic][security] Trying to authenticate via header.
log [08:33:13.375] [debug][basic][security] Authorization header is not presented.
log [08:33:13.375] [debug][basic][security] Trying to authenticate via state.
log [08:33:13.377] [debug][basic][security] Request has been authenticated via state.
respons [08:33:13.371] GET /api/security/v1/users 200 21ms - 9.0B
log [08:33:13.396] [debug][basic][security] Trying to authenticate user request to /api/security/v1/me.
log [08:33:13.398] [debug][basic][security] Trying to authenticate via login attempt.
log [08:33:13.399] [debug][basic][security] Username and password not found in payload.
log [08:33:13.399] [debug][basic][security] Trying to authenticate via header.
log [08:33:13.400] [debug][basic][security] Authorization header is not presented.
log [08:33:13.400] [debug][basic][security] Trying to authenticate via state.
log [08:33:13.402] [debug][basic][security] Request has been authenticated via state.
respons [08:33:13.395] GET /api/security/v1/me 200 15ms - 9.0B
log [08:33:13.414] [debug][basic][security] Trying to authenticate user request to /api/saved_objects/_find?type=index-pattern&per_page=10000.
log [08:33:13.415] [debug][basic][security] Trying to authenticate via login attempt.
log [08:33:13.416] [debug][basic][security] Username and password not found in payload.
log [08:33:13.417] [debug][basic][security] Trying to authenticate via header.
log [08:33:13.417] [debug][basic][security] Authorization header is not presented.
log [08:33:13.418] [debug][basic][security] Trying to authenticate via state.
log [08:33:13.420] [debug][basic][security] Request has been authenticated via state.
respons [08:33:13.412] GET /api/saved_objects/_find?type=index-pattern&per_page=10000&page=1&default_search_operator=OR 200 27ms - 9.0B
log [08:33:13.442] [debug][basic][security] Trying to authenticate user request to /api/security/privileges?includeActions=true.
log [08:33:13.443] [debug][basic][security] Trying to authenticate via login attempt.
log [08:33:13.443] [debug][basic][security] Username and password not found in payload.
log [08:33:13.444] [debug][basic][security] Trying to authenticate via header.
log [08:33:13.444] [debug][basic][security] Authorization header is not presented.
log [08:33:13.444] [debug][basic][security] Trying to authenticate via state.
log [08:33:13.449] [debug][basic][security] Request has been authenticated via state.
respons [08:33:13.441] GET /api/security/privileges?includeActions=true 200 35ms - 9.0B
log [08:33:13.506] [debug][basic][security] Trying to authenticate user request to /api/features/v1.
log [08:33:13.508] [debug][basic][security] Trying to authenticate via login attempt.
log [08:33:13.508] [debug][basic][security] Username and password not found in payload.
log [08:33:13.518] [debug][basic][security] Trying to authenticate via header.
log [08:33:13.520] [debug][basic][security] Authorization header is not presented.
log [08:33:13.537] [debug][basic][security] Trying to authenticate via state.
log [08:33:13.548] [debug][basic][security] Request has been authenticated via state.
respons [08:33:13.493] [access:features] GET /api/features/v1 200 108ms - 9.0B
ops [08:33:14.661] memory: 196.7MB uptime: 0:20:04 load: [0.00 0.00 0.00] delay: 0.097
log [08:33:14.828] [debug][plugin] Checking Elasticsearch version
```
@rashmivkulkarni rashmivkulkarni added bug Fixes for quality problems that affect the customer experience Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.3.0 labels Aug 13, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-security

@legrego
Member

legrego commented Aug 13, 2019

It looks like the telemetry plugin incorrectly defines the spacesEnabled default variable. This used to belong to the xpack_main plugin, which we don't support disabling. At some point, this must have been moved to the telemetry plugin, but I'm not sure why.

The security plugin relies on this to determine which version of the role management screen to display.

@kobelb
Contributor

kobelb commented Aug 13, 2019

> It looks like the telemetry plugin incorrectly defines the spacesEnabled default variable. This used to belong to the xpack_main plugin, which we don't support disabling. At some point, this must have been moved to the telemetry plugin, but I'm not sure why.
>
> The security plugin relies on this to determine which version of the role management screen to display.

Nice detective work!! This seems like something the "telemetry team" should fix then?

@rashmivkulkarni rashmivkulkarni added the Team:Visualizations Visualization editors, elastic-charts and infrastructure label Aug 14, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-app

@elasticmachine
Contributor

Pinging @elastic/kibana-stack-services

@rashmivkulkarni rashmivkulkarni removed the Team:Visualizations Visualization editors, elastic-charts and infrastructure label Aug 14, 2019
@rashmivkulkarni
Contributor Author

Adding the stack services team as well, since they own Telemetry I think.

@kobelb kobelb removed the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Aug 14, 2019
@bmcconaghy bmcconaghy added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Aug 14, 2019
@bmcconaghy
Contributor

Adding security team to this as they own this UI.

@kobelb
Contributor

kobelb commented Aug 14, 2019

> It looks like the telemetry plugin incorrectly defines the spacesEnabled default variable. This used to belong to the xpack_main plugin, which we don't support disabling. At some point, this must have been moved to the telemetry plugin, but I'm not sure why.
>
> The security plugin relies on this to determine which version of the role management screen to display.
>
> Nice detective work!! This seems like something the "telemetry team" should fix then?

@bmcconaghy this bug was introduced by a telemetry PR which errantly moved

```js
spacesEnabled: config.get('xpack.spaces.enabled'),
```

from being specified in x-pack main, to only being specified in the telemetry plugin. So, when the telemetry plugin is disabled, it breaks our Roles UI and potentially other things.

@kobelb kobelb removed the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Aug 14, 2019
@bmcconaghy
Contributor

@kobelb yup that sounds like our issue to fix then. Thanks for tracking this down to the details.

@Bamieh
Member

Bamieh commented Aug 14, 2019

Thanks for tracking this down @kobelb @legrego .

This bug was introduced when I moved telemetry out of xpack_main. I did search the xpack_main plugin for spaces variables usage and the only place this variable was used was within telemetry code so I assumed it would be safe to move it with the plugin. PR submitted that re-adds the spaces variables back to the plugin. I ran the code locally and it seems that the PR resolves the issue.
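The failure mode the thread describes, modelled as an added example (this is not Kibana's code, and the plugin registry, the `enabledKey` field, the `injectDefaultVars` hook and the two role-editor names are hypothetical; only the two `xpack.*.enabled` config keys come from the issue). A browser-side variable that the security UI branches on is registered by an optional plugin, so disabling that plugin silently turns the variable into `undefined`, and the falsy value flips the decision instead of failing. The "after fix" layout moves ownership to a plugin that cannot be disabled, which is what the thread's PR does in spirit, and the strict consumer shows how a required injected var can be checked so that a misconfiguration surfaces in logs rather than as a dead "Create Role" button.

```javascript
// Added illustration, not Kibana's code: a minimal model of server plugins that
// contribute "injected default vars" to the browser bundle, showing why a
// variable the security UI depends on must be owned by a plugin that cannot
// be disabled. All names except the two config keys are hypothetical.

// Constructed config mirroring the issue's kibana.yml.
const issueConfig = {
  'xpack.spaces.enabled': true,
  'xpack.telemetry.enabled': false,
};

// Before the fix (as the thread describes): spacesEnabled is only
// registered by the telemetry plugin, which users may disable.
const pluginsBeforeFix = [
  {
    name: 'xpack_main',
    enabledKey: null, // cannot be disabled
    injectDefaultVars: () => ({}),
  },
  {
    name: 'telemetry',
    enabledKey: 'xpack.telemetry.enabled',
    injectDefaultVars: (config) => ({
      telemetryEnabled: true,
      spacesEnabled: config['xpack.spaces.enabled'], // the misplaced variable
    }),
  },
];

// After the fix: the variable is registered by a plugin that is always loaded.
const pluginsAfterFix = [
  {
    name: 'xpack_main',
    enabledKey: null,
    injectDefaultVars: (config) => ({
      spacesEnabled: config['xpack.spaces.enabled'],
    }),
  },
  {
    name: 'telemetry',
    enabledKey: 'xpack.telemetry.enabled',
    injectDefaultVars: () => ({ telemetryEnabled: true }),
  },
];

// Merge the vars of every plugin that is enabled in the given config.
// A plugin with enabledKey === null is treated as always enabled.
function collectInjectedVars(plugins, config) {
  const vars = {};
  for (const plugin of plugins) {
    const enabled = plugin.enabledKey === null || config[plugin.enabledKey] !== false;
    if (enabled) Object.assign(vars, plugin.injectDefaultVars(config));
  }
  return vars;
}

// Consumer as the thread describes it: the security UI picks which role
// editor to render from spacesEnabled. A missing var is undefined, which
// is falsy, so the decision silently flips instead of failing.
function chooseRolesEditor(vars) {
  return vars.spacesEnabled ? 'spaces-aware' : 'legacy';
}

// Defensive variant: treat a missing required var as a configuration
// error so the failure is visible rather than a non-responding button.
function chooseRolesEditorStrict(vars) {
  if (typeof vars.spacesEnabled !== 'boolean') {
    throw new Error('required injected var "spacesEnabled" is missing; is its owning plugin disabled?');
  }
  return vars.spacesEnabled ? 'spaces-aware' : 'legacy';
}

// Run the issue's scenario against a plugin layout and report what each
// consumer would do. 'error' means the strict consumer refused to guess.
function scenario(plugins, config) {
  const vars = collectInjectedVars(plugins, config);
  let strict;
  try {
    strict = chooseRolesEditorStrict(vars);
  } catch (e) {
    strict = 'error';
  }
  return { spacesEnabled: vars.spacesEnabled, lenient: chooseRolesEditor(vars), strict };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before fix:', scenario(pluginsBeforeFix, issueConfig));
  console.log('after fix: ', scenario(pluginsAfterFix, issueConfig));
}
```

With telemetry disabled, the "before" layout yields `spacesEnabled: undefined`, the lenient consumer quietly falls back to the legacy editor, and the strict consumer reports an error; the "after" layout yields `true` for both consumers regardless of the telemetry setting.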
