Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ML] Update file data visualizer permissions #101169

Conversation

jgowdyelastic
Copy link
Member

@jgowdyelastic jgowdyelastic commented Jun 2, 2021

Removes the ML supplied capability access:fileUpload:import and adds fileUpload:analyzeFile to Discover's api all capabilities so the feature can be used in Home's Add Data page without the user needing any ML permissions.
Using Discover's capabilities was suggested here as the ability to analyze a file should be a very low permission and it is reasonable to assume that a user with the ability to use Discover could also have the ability to analyze a file.

If the file analysis fails with a 403 a permission warning is shown.

image

@lcawl or @szabosteve can you please check the wording of the warning for me?

Checklist

Delete any items that are not applicable to this PR.

@jgowdyelastic
Copy link
Member Author

@elasticmachine merge upstream

@jgowdyelastic
Copy link
Member Author

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

merge conflict between base and head

@jgowdyelastic
Copy link
Member Author

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

merge conflict between base and head

@jgowdyelastic
Copy link
Member Author

@elasticmachine merge upstream

@jgowdyelastic jgowdyelastic self-assigned this Jun 18, 2021
@jgowdyelastic jgowdyelastic added :ml Feature:File and Index Data Viz ML file and index data visualizer non-issue Indicates to automation that a pull request should not appear in the release notes release_note:skip Skip the PR/issue when compiling release notes review v7.14.0 v8.0.0 auto-backport Deprecated - use backport:version if exact versions are needed labels Jun 18, 2021
@droberts195
Copy link
Contributor

IMO, the ability to analyse a file should not require a high level of permissions

Yes, I agree. This stage is only telling the user things about the file they uploaded, and could have worked out themselves by counting things in a text editor on their machine if they had the time and inclination. They can cause CPU usage in Elasticsearch by analysing lots of files, although they can do that anyway by running searches. So I think for the file analysis stage of the process a very low level of permissions is adequate. Something on a par with using Discover.

Then, as people have said, to actually import the file you need to be able to create an index, create an ingest pipeline and index documents into that index. But that's always been the case and has always been controlled using ES permissions.

I can't remember what decisions were made when the _text_structure/find_structure was added and why monitor_text_structure was used.

In Elasticsearch every action has to have an action name and the permissions allow you to use actions whose name begins with a certain prefix. All the action names that are for cluster actions rather than index actions and which don't make changes begin with monitor. Then the monitor cluster privilege lets you call all those actions. However, even though it's giving access to read-only actions, monitor is still a pretty high level of privilege because it lets you get the cluster state, and if you can get the cluster state then you can find out an enormous amount of information that might allow you to attack the cluster in other ways.

When _text_structure/find_structure was _ml/find_file_structure the lower privilege level that gave access was monitor_ml. When we moved it out of the ML plugin monitor_ml no longer gave access. So we added a new privilege, monitor_text_structure, to give admins a way to grant users access to the action without having to give them monitor (which is too high for a lowly user). However, that doesn't mean it's friendly for Kibana to require that lowly Kibana users have that Elasticsearch privilege.

To summarise, I think it's fine to either not protect the analysis step (beyond having to log into Kibana) and bearing in mind that the upload privilege checks that happen naturally due to creating an index and an ingest pipeline protect the upload step or protect the analysis step with a really basic Kibana privilege like being allowed to use Discover or something else that's widely granted, again with the upload step protected naturally.

@jgowdyelastic
Copy link
Member Author

@elasticmachine merge upstream

@jgowdyelastic
Copy link
Member Author

@elasticmachine merge upstream

@jgowdyelastic jgowdyelastic requested a review from a team as a code owner June 29, 2021 10:59
@jgowdyelastic
Copy link
Member Author

@legrego i've updated this PR with your suggested changes. Could you please take a look. Also I'm not that happy with the text in the error callout, but I can't think of a better way of wording it.

@@ -37,6 +37,7 @@ export const buildOSSFeatures = ({
privileges: {
all: {
app: ['discover', 'kibana'],
api: ['fileUpload:analyzeFile'],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know we discussed Discover as one example of a feature that should grant this functionality, but is that the only one? If I'm reading this right, it looks like we are taking this away from the maps and ml features, which would surprise our users when they upgrade

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, failing tests have just shown that ML still needs to supply this privilege.
Maps does not as it does not use the file structure finder feature.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in 3d3c2c0

>
<FormattedMessage
id="xpack.dataVisualizer.file.fileErrorCallouts.findFileStructurePermissionDenied.description"
defaultMessage="You do not have sufficient privileges to analyze files."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this updated text 👍

@qn895
Copy link
Member

qn895 commented Jun 29, 2021

Code LGTM 🎉

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
dataVisualizer 1.1MB 1.1MB +1.3KB
ml 5.9MB 5.9MB -20.0B
total +1.3KB

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @jgowdyelastic

@jgowdyelastic jgowdyelastic merged commit 21dad7e into elastic:master Jun 29, 2021
kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Jun 29, 2021
* [ML] Update file data visualizer permissions

* adding home bundle

* fixing translations

* removing home from bundles

* switching to current user for analysis

* adding find structure permission check

* clean up

* updating text

* updating maps

* removing has_find_file_structure_permission endpoint

* removing more code

* adding permission error message

* renaming variable

* adding fileUpload:analyzeFile back into ML

* updating error text

* updating snapshots

Co-authored-by: Kibana Machine <[email protected]>
@kibanamachine
Copy link
Contributor

💚 Backport successful

Status Branch Result
7.x

This backport PR will be merged automatically after passing CI.

@jgowdyelastic jgowdyelastic deleted the update-file-data-visualizer-permissions branch June 30, 2021 08:09
jgowdyelastic added a commit that referenced this pull request Jun 30, 2021
* [ML] Update file data visualizer permissions

* adding home bundle

* fixing translations

* removing home from bundles

* switching to current user for analysis

* adding find structure permission check

* clean up

* updating text

* updating maps

* removing has_find_file_structure_permission endpoint

* removing more code

* adding permission error message

* renaming variable

* adding fileUpload:analyzeFile back into ML

* updating error text

* updating snapshots

Co-authored-by: Kibana Machine <[email protected]>

Co-authored-by: James Gowdy <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto-backport Deprecated - use backport:version if exact versions are needed Feature:File and Index Data Viz ML file and index data visualizer :ml non-issue Indicates to automation that a pull request should not appear in the release notes release_note:skip Skip the PR/issue when compiling release notes review v7.14.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants