
Omit runtime fields from FLS suggestions #78330

Merged
merged 6 commits into from
Oct 1, 2020

Conversation

legrego
Member

@legrego legrego commented Sep 23, 2020

Summary

Runtime fields are not securable via FLS - it's technically possible to assign them as a granted/denied field, but this is effectively a no-op. In order to avoid confusion, we are updating the list of available options to omit runtime fields.

Resolves #78329

@legrego legrego added release_note:enhancement Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.10.0 v8.0.0 labels Sep 24, 2020
@@ -8,6 +8,20 @@ import { schema } from '@kbn/config-schema';
import { RouteDefinitionParams } from '../index';
import { wrapIntoCustomErrorResponse } from '../../errors';

interface FieldMappingResponse {
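Review bot: the new `interface FieldMappingResponse {` at the end of the hunk lands without a doc comment; since the author's own note calls it a stopgap until the legacy ES client is migrated away from, a one-line comment naming the Elasticsearch mapping response it models (and that it should go when the client migration happens) would make it easy to find and remove later.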
Member Author

Improved type safety, at least until we can migrate away from the legacy ES client.

@legrego legrego marked this pull request as ready for review September 24, 2020 12:06
@legrego legrego requested a review from a team as a code owner September 24, 2020 12:06
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@legrego
Member Author

legrego commented Sep 28, 2020

@elasticmachine merge upstream

@azasypkin
Member

ACK: will review today

@azasypkin azasypkin self-requested a review September 30, 2020 07:19
Member

@azasypkin azasypkin left a comment


LGTM, thanks! Tested locally and works as expected, just one nit and a question.

x-pack/test/api_integration/apis/security/index_fields.ts
// 4. Use `Set` to get only unique field names.
const fields = Array.from(
Member

question: how do you feel about adding a simple jest test to test this logic?

Member Author

Good idea, will do!


const isRuntimeField = hasMapping && mappingValues[0]?.type === 'runtime';

// fields without mappings are internal fields such as `_routing` and `_index`,
Member

👍
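The filtering this PR describes (drop runtime fields from the FLS field list, skip unmapped internal fields, deduplicate across indices with a `Set`), written out as an added example rather than the PR's own code. It assumes the shape of an Elasticsearch `GET <index>/_mapping/field/*` response and assumes unmapped internal fields are excluded, since the PR's comment on them is cut off on this page; `getFlsSelectableFields` and the sample response are constructed for this example.

```typescript
// Added example, not the PR's code: models a GET <index>/_mapping/field/* response
// and keeps only the field names that FLS can actually secure. Runtime fields are
// dropped (granting/denying them is a no-op); unmapped internal fields are dropped
// too (assumed, the PR's comment on that is cut off); a Set dedupes across indices.
interface FieldMappingResponse {
  [indexName: string]: {
    mappings: {
      [fieldName: string]: {
        full_name: string;
        mapping: { [name: string]: { type: string; [key: string]: unknown } };
      };
    };
  };
}

function getFlsSelectableFields(response: FieldMappingResponse): string[] {
  const fields = new Set<string>();
  for (const index of Object.values(response)) {
    for (const field of Object.values(index.mappings)) {
      const mappingValues = Object.values(field.mapping);
      const hasMapping = mappingValues.length > 0;
      // Runtime fields report `type: 'runtime'` in their mapping.
      const isRuntimeField = hasMapping && mappingValues[0]?.type === 'runtime';
      // Fields without mappings are internal fields such as `_routing` and `_index`.
      if (hasMapping && !isRuntimeField) fields.add(field.full_name);
    }
  }
  return Array.from(fields).sort(); // sorted only for stable output
}

// Constructed sample: two indices share `title`; one runtime field; one internal field.
const sampleResponse: FieldMappingResponse = {
  'logs-a': {
    mappings: {
      title: { full_name: 'title', mapping: { title: { type: 'text' } } },
      day_of_week: { full_name: 'day_of_week', mapping: { day_of_week: { type: 'runtime', runtime_type: 'keyword' } } },
      _routing: { full_name: '_routing', mapping: {} },
    },
  },
  'logs-b': {
    mappings: {
      title: { full_name: 'title', mapping: { title: { type: 'keyword' } } },
      'host.name': { full_name: 'host.name', mapping: { name: { type: 'keyword' } } },
    },
  },
};
```

With the sample above, `getFlsSelectableFields(sampleResponse)` yields `['host.name', 'title']`: `day_of_week` is omitted as a runtime field, `_routing` as an unmapped internal field, and `title` appears once despite being mapped in both indices.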

@kibanamachine
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@legrego legrego merged commit 4525f0c into elastic:master Oct 1, 2020
@legrego legrego deleted the security/fls-omit-runtime-fields branch October 1, 2020 12:26
legrego added a commit that referenced this pull request Oct 1, 2020
Co-authored-by: Aleh Zasypkin <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>
spalger added a commit to spalger/kibana that referenced this pull request Oct 7, 2020
spalger added a commit to spalger/kibana that referenced this pull request Oct 7, 2020
spalger added a commit that referenced this pull request Oct 7, 2020
Labels
backported release_note:enhancement Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.11.0 v8.0.0
Development
Linked issue: Omit runtime fields from Role Management FLS field selector
4 participants