[Reporting] Kibana Application Privileges for Reporting #94966

Merged
merged 43 commits into from
Apr 21, 2021
114e6fe
Implement Reporting features as subfeatures of applications
tsullivan Apr 12, 2021
fe4d0b6
add setting to the docker list
tsullivan Apr 14, 2021
dc1389d
update doc images
tsullivan Apr 14, 2021
7ffecd5
finish docs
tsullivan Apr 15, 2021
3827e2d
Apply suggestions from code review
tsullivan Apr 15, 2021
29fb231
Apply suggestions from code review
tsullivan Apr 15, 2021
9b675f9
Apply suggestions from code review
tsullivan Apr 15, 2021
d2e17a9
typo fix
tsullivan Apr 15, 2021
84e881b
Merge branch 'master' into reporting/feature-controls-support
tsullivan Apr 15, 2021
3110eb5
"PDF / PNG Reports" => "Reporting"
tsullivan Apr 15, 2021
0242a40
Update x-pack/plugins/reporting/server/config/index.ts
tsullivan Apr 15, 2021
4bf0d25
Update x-pack/test/functional/apps/security/secure_roles_perm.js
tsullivan Apr 15, 2021
3e4d71b
Merge branch 'master' into reporting/feature-controls-support
kibanamachine Apr 15, 2021
4cb82e3
update ids of report privileges
tsullivan Apr 15, 2021
c293f11
combine dashboard privileges into 1 group
tsullivan Apr 15, 2021
9505e17
update jest snapshot
tsullivan Apr 15, 2021
1343dca
Merge branch 'master' into reporting/feature-controls-support
tsullivan Apr 16, 2021
e25809c
fix tests
tsullivan Apr 16, 2021
7ae6eff
fix tests
tsullivan Apr 16, 2021
10b9424
Merge branch 'master' into reporting/feature-controls-support
kibanamachine Apr 17, 2021
2bc67aa
Merge branch 'master' into reporting/feature-controls-support
kibanamachine Apr 17, 2021
edd866b
Merge branch 'master' into reporting/feature-controls-support
tsullivan Apr 18, 2021
6a0575b
Merge branch 'master' into reporting/feature-controls-support
kibanamachine Apr 19, 2021
118f6db
updates from feedback
tsullivan Apr 19, 2021
93918be
Merge branch 'master' into reporting/feature-controls-support
tsullivan Apr 19, 2021
c8888e2
add note
tsullivan Apr 20, 2021
9a972fb
update screenshot
tsullivan Apr 20, 2021
0bf2761
fix grammar
tsullivan Apr 20, 2021
7b8acb1
Merge branch 'master' into reporting/feature-controls-support
tsullivan Apr 20, 2021
1c0328f
fix bad link breaks in doc
tsullivan Apr 20, 2021
22de10f
update doc heading
tsullivan Apr 20, 2021
fd47295
Apply suggestions documentation feedback
tsullivan Apr 20, 2021
34b72c5
Merge remote-tracking branch 'tsullivan/reporting/feature-controls-su…
tsullivan Apr 20, 2021
c6f912d
simplify
tsullivan Apr 20, 2021
26f59ba
use const assertions
tsullivan Apr 20, 2021
67fdf72
Apply text change suggestion from code review
tsullivan Apr 20, 2021
5d87201
Merge remote-tracking branch 'tsullivan/reporting/feature-controls-su…
tsullivan Apr 20, 2021
525305b
more test for oss_features and reporting subFeatures
tsullivan Apr 20, 2021
1a03dac
reduce loc diff
tsullivan Apr 20, 2021
eec188c
fix snapshot
tsullivan Apr 20, 2021
2e732f2
fix flakiness in licensing plugin public functional tests
tsullivan Apr 20, 2021
c5cc50e
Merge branch 'master' into reporting/feature-controls-support
kibanamachine Apr 20, 2021
4e90797
Merge branch 'master' into reporting/feature-controls-support
kibanamachine Apr 21, 2021
13 changes: 12 additions & 1 deletion docs/settings/reporting-settings.asciidoc
Expand Up @@ -275,8 +275,19 @@ For information about {kib} memory limits, see <<production, using {kib} in a pr
every {kib} instance that has a unique <<kibana-index, `kibana.index`>>
setting. Defaults to `.reporting`.

| `xpack.reporting.roles.enabled`
| deprecated:[7.13.0,This setting must be set to `false` in 8.0] Specifies whether to grant users
access to reporting features by assigning them a special role, specified by `xpack.reporting.roles.allow`.
Granting access to users this way is deprecated: please set this to `false` and use
{kibana-ref}/kibana-privileges.html[{kib} privileges] instead.
Defaults to `true`. +

| `xpack.reporting.roles.allow`
| Specifies the roles in addition to superusers that can use reporting.
| deprecated:[7.13.0,This setting will be removed in 8.0] Specifies the roles
in addition to superusers that can generate reports, using the Elasticsearch
role management API. Requires `xpack.reporting.roles.enabled` to be `true`.
Granting access to users this way is deprecated: please use
{kibana-ref}/kibana-privileges.html[{kib} privileges] instead.
Defaults to `[ "reporting_user" ]`. +
Contributor

Bad break on this line. Are the spaces before and after "reporting_user" needed?


|===
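Review bot: The `xpack.reporting.roles.enabled` entry ends with "Defaults to `true`." and tells readers to set it to `false`, but does not say what happens to existing users at that point. Add a sentence stating whether users who hold only the role listed in `xpack.reporting.roles.allow` lose access to reporting once the setting is `false`, and that they need a role with {kib} Reporting privileges before the switch. The two deprecation markers also differ ("must be set to `false` in 8.0" versus "will be removed in 8.0"); a short remark tying them together would make the 8.0 behaviour clear.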
13 changes: 9 additions & 4 deletions docs/user/reporting/index.asciidoc
Expand Up @@ -31,10 +31,15 @@ for different operating systems.
[[reporting-required-privileges]]
== Roles and privileges

To generate a report, you must have the `reporting_user` role. You also need
the appropriate {kib} privileges to access the objects that you
want to report on and the {es} indices. See <<secure-reporting, Reporting and security>>
for an example.
When security is enabled, access to reporting features is controlled by security privileges. In versions 7.12 and below, you can do this
by assigning users the `reporting_user` role in Elasticsearch. In 7.13 and above, you can configure Reporting to use
<<kibana-privileges, {kib} privileges>> instead. It is recommended that Reporting is configured to
use Kibana privileges by setting `xpack.reporting.roles.enabled` to `false` in kibana.yml. By using Kibana privileges, you can define
custom roles that grant Reporting privileges as sub-features of Kibana applications in Role Management.

Users also need the appropriate {kib} privileges to access the objects that you
want to report on and the {es} indices. See <<secure-reporting, Reporting and
security>> for an example.

[float]
[[manually-generate-reports]]
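Review bot: In the second new paragraph, "Users also need the appropriate {kib} privileges to access the objects that you want to report on" switches from third to second person; "that they want to report on" keeps the subject consistent. The first paragraph also writes "Kibana" and kibana.yml as plain text, while the rest of this file uses `{kib}` and docs/user/security/reporting.asciidoc writes `kibana.yml` in backticks, so use the attribute and code formatting here as well.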
134 changes: 90 additions & 44 deletions docs/user/security/reporting.asciidoc
Expand Up @@ -16,17 +16,30 @@ For more information, see
////

[[reporting-app-users]]
To enable users to generate reports, you must assign them the built-in `reporting_user`
role. Users will also need the appropriate <<kibana-privileges, {kib} privileges>> to access the objects
to report on and the {es} indices.
Access to reporting features is limited to privileged users. In older versions of Kibana, you could only grant
users the privilege by assigning them the `reporting_user` role in Elasticsearch. In 7.13 and above, you have
the option to create your own roles that grant access to reporting features using <<kibana-privileges, {kib} privileges>> instead.

It is recommended that you set `xpack.reporting.roles.enabled: false` in your kibana.yml to begin using Kibana
privileges. This will allow users to only see Reporting widgets in applications when they have privilege to use
them.

[NOTE]
============================================================================
The default value of `xpack.reporting.roles.enabled` is `true` for 7.x versions of Kibana. To migrate users to the
new method of securing access to Reporting, you must explicitly set `xpack.reporting.roles.enabled: false` in
`kibana.yml`. In the next major version of Kibana, having this set to `false` will be the only valid configuration.
============================================================================

This document discusses how to create a role that grants access to reporting features using the new method of
Kibana application privileges.

[float]
[[reporting-roles-management-ui]]
=== If you are using the `native` realm
=== Creating the role in the `native` realm

To assign roles, use the *Roles* UI or <<reporting-roles-user-api, user API>>.
This example shows how to use *Roles* page to create a user who has a custom role and the
`reporting_user` role.
To create roles, use the *Roles* UI or <<reporting-roles-user-api, user API>>. This example shows how to use
*Roles* page to create a role that grants reporting feature privileges in Kibana applications.

. Open the main menu, then click *Stack Management > Roles*.
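Review bot: "This will allow users to only see Reporting widgets in applications when they have privilege to use them" describes what the UI shows, not what the server enforces. Readers deciding whether to set `xpack.reporting.roles.enabled: false` need to know whether report generation requests are also rejected for users without the privilege, so state that explicitly or link to the "Secure the reporting endpoints" section. The link text in "use the *Roles* UI or <<reporting-roles-user-api, user API>>" also still says "user API" although the sentence is now about creating roles.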

Expand All @@ -42,57 +55,61 @@ For more information, see {ref}/security-privileges.html[Security privileges].
[role="screenshot"]
image::user/security/images/reporting-privileges-example.png["Reporting privileges"]

. Add space privileges.
. Add space privileges that include permission to use Reporting for the necessary Kibana applications.
+
To allow users to CSV create reports in Discover, or PDF reports in Canvas,
Visualize editor and Dashboard, click the "Add Kibana privilege" button expand
the menu for each application, and grant the role the privileges to generate
reports by choosing "All" privileges for all features, or "Customize" to grant
the role the privilege to generate reports for only certain applications.
+
Reporting users typically save searches, create
visualizations, and build dashboards. They require a space
that provides read and write privileges in
*Discover* and *Dashboard*.
[role="screenshot"]
image::user/security/images/reporting-custom-role.png["Reporting custom role"]

. Save your new role.

. Open the main menu, then click *Stack Management > Users*, add a new user, and assign the user the built-in
`reporting_user` role and your new custom role, `custom_reporting_user`.

[float]
==== With a custom index

If you are using Reporting with a custom index,
the `xpack.reporting.index` setting should begin
with `.reporting-*`. The default {kib} system user has
`all` privileges against the `.reporting-*` pattern of indices.

[source,js]
xpack.reporting.index: '.reporting-custom-index'

If you use a different pattern for the `xpack.reporting.index` setting,
you must create a custom role with appropriate access to the index, similar
to the following:

. Open the main menu, then click *Stack Management > Roles*.
. Click *Create role*, then name the role `custom-reporting-user`.
. Specify the custom index and assign it the `all` index privilege.
. Open the main menu, then click *Stack Management > Users* and create a new user with
the `kibana_system` role and the `custom-reporting-user` role.
. Configure {kib} to use the new account:
[source,js]
elasticsearch.username: 'custom_kibana_system'
. Open the main menu, then click *Stack Management > Users*, add a new user, and assign the user
your new custom role, `custom_reporting_user`.

[float]
[[reporting-roles-user-api]]
==== With the user API
This example uses the {ref}/security-api-put-user.html[user API] to create a user who has the
`reporting_user` role and the `kibana_admin` role:
This example uses the {ref}/security-api-put-role.html[role API] to create a role that
grants the privilege to generate reports in Canvas, Discover, Visualize Editor, and Dashboard.
This role is meant to be granted to users in combination with other roles that grant access
read to the necessary data in Elasticsearch, and at least "read" access in the applications
where they'll generate reports.

[source, sh]
---------------------------------------------------------------
POST /_security/user/reporter
POST /_security/role/custom_reporting_user
{
"password" : "x-pack-test-password",
"roles" : ["kibana_admin", "reporting_user"],
"full_name" : "Reporting User"
metadata: {},
elasticsearch: { cluster: [], indices: [], run_as: [] },
kibana: [
{
base: [],
feature: {
dashboard: [
'generate_screenshot_report', <1>
'download_csv_dashboard_panel' <2>
],
discover: ['generate_csv_report'], <3>
canvas: ['generate_screenshot_report'], <4>
visualize: ['generate_screenshot_report'], <5>
},
spaces: ['*'],
}
]
}
---------------------------------------------------------------
// CONSOLE

<1> Grants access to generate PNG and PDF reports in the Dashboard application
<2> Grants access to download CSV files from saved search panels in the Dashboard application
<3> Grants access to generate CSV reports from saved searches in Discover
<4> Grants access to generate PDF reports in Canvas
<5> Grants access to generate PNG and PDF reports in the Visualize editor

[float]
=== If you are using an external identity provider
Contributor

Change this title as you changed the previous title that started with "If you are using..." Would "With an external provider" work?

Member Author

How about "When using an external provider"?

This is a higher-level heading than the title that you mentioned.
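
Review bot: The example request `POST /_security/role/custom_reporting_user` targets the Elasticsearch role API, but its body uses the `elasticsearch: { ... }` and `kibana: [{ base, feature, spaces }]` structure of the {kib} role management API; the Elasticsearch endpoint expects top-level `cluster`, `indices` and `applications` instead. Point the example at the {kib} role API or rewrite the body for Elasticsearch, and use double-quoted keys and strings so the `// CONSOLE` snippet is valid JSON. The heading "==== With the user API" and the `reporting-roles-user-api` anchor still refer to the user API while the paragraph now links to the role API. `spaces: ['*']` grants these privileges in every space, so a sentence telling readers to narrow it to the spaces that need reporting would fit here.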

Expand All @@ -113,6 +130,35 @@ reporting_user:
- "cn=Bill Murray,dc=example,dc=com"
--------------------------------------------------------------------------------

[float]
=== With a custom index

If you are using Reporting with a custom index,
the `xpack.reporting.index` setting should begin
with `.reporting-*`. The default {kib} system user has
`all` privileges against the `.reporting-*` pattern of indices.

[source,js]
xpack.reporting.index: '.reporting-custom-index'

If you use a different pattern for the `xpack.reporting.index` setting,
you must create a custom `kibana_system` user with appropriate access to the index, similar
to the following:

. Open the main menu, then click *Stack Management > Roles*.
. Click *Create role*, then name the role `custom-reporting-user`.
. Specify the custom index and assign it the `all` index privilege.
. Open the main menu, then click *Stack Management > Users* and create a new user with
the `kibana_system` role and the `custom-reporting-user` role.
. Configure {kib} to use the new account:
[source,js]
elasticsearch.username: 'custom_kibana_system'

[NOTE]
============================================================================
Setting a custom index for Reporting will be unsupported in the next major version of Kibana.
============================================================================

[role="xpack"]
[[securing-reporting]]
=== Secure the reporting endpoints
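Review bot: The role created in these steps is named `custom-reporting-user`, which differs only by punctuation from `custom_reporting_user`, the end-user role created earlier in this file, yet this one carries the `all` index privilege and is meant for the account {kib} itself connects with. Give it a clearly different name (for example `custom_reporting_index`) so it is not assigned to report users by mistake. The steps also never name the new user, while the last step sets `elasticsearch.username: 'custom_kibana_system'`; say in the user-creation step that the user is called `custom_kibana_system`. "should begin with `.reporting-*`" should read `.reporting-`, since the `*` belongs to the index pattern and not to the index name.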
Expand Up @@ -267,6 +267,7 @@ kibana_vars=(
xpack.reporting.queue.pollIntervalErrorMultiplier
xpack.reporting.queue.timeout
xpack.reporting.roles.allow
xpack.reporting.roles.enabled
xpack.rollup.enabled
xpack.searchprofiler.enabled
xpack.security.audit.enabled
1 change: 1 addition & 0 deletions x-pack/plugins/canvas/kibana.json
Expand Up @@ -18,6 +18,7 @@
],
"optionalPlugins": [
"home",
"reporting",
"usageCollection"
],
"requiredBundles": [
Expand Up @@ -12,6 +12,7 @@ import { ShareMenu } from '../share_menu.component';

storiesOf('components/WorkpadHeader/ShareMenu', module).add('default', () => (
<ShareMenu
includeReporting={true}
onCopy={action('onCopy')}
onExport={action('onExport')}
getExportUrl={(type: string) => {
Expand Up @@ -28,6 +28,8 @@ export type OnCloseFn = (type: CloseTypes) => void;
export type GetExportUrlFn = (type: ExportUrlTypes, layout: LayoutType) => string;

export interface Props {
/** Flag to include the Reporting option only if Reporting is enabled */
includeReporting: boolean;
/** Handler to invoke when an export URL is copied to the clipboard. */
onCopy: OnCopyFn;
/** Handler to invoke when an end product is exported. */
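Review bot: The doc comment on `includeReporting` says the option is included "only if Reporting is enabled", but `reporting` is an optional plugin for Canvas and the documentation in this change describes hiding Reporting widgets from users who lack the privilege. Word the comment to cover both conditions, for example "Whether to show the PDF Reports option (Reporting plugin available and the user is allowed to use it)".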
Expand All @@ -39,7 +41,12 @@ export interface Props {
/**
* The Menu for Exporting a Workpad from Canvas.
*/
export const ShareMenu: FunctionComponent<Props> = ({ onCopy, onExport, getExportUrl }) => {
export const ShareMenu: FunctionComponent<Props> = ({
includeReporting,
onCopy,
onExport,
getExportUrl,
}) => {
const [showFlyout, setShowFlyout] = useState(false);

const onClose = () => {
Expand Down Expand Up @@ -73,16 +80,18 @@ export const ShareMenu: FunctionComponent<Props> = ({ onCopy, onExport, getExpor
closePopover();
},
},
{
name: strings.getShareDownloadPDFTitle(),
icon: 'document',
panel: {
id: 1,
title: strings.getShareDownloadPDFTitle(),
content: getPDFPanel(closePopover),
},
'data-test-subj': 'sharePanel-PDFReports',
},
includeReporting
? {
name: strings.getShareDownloadPDFTitle(),
icon: 'document',
panel: {
id: 1,
title: strings.getShareDownloadPDFTitle(),
content: getPDFPanel(closePopover),
},
'data-test-subj': 'sharePanel-PDFReports',
}
: false,
Comment on lines +83 to +94
Contributor

NIT: ...(includeReporting ? [{}] : []) would avoid the boolean filtering at the end.

Member Author

That will leave a visible gap for a user that does not have the privilege:
image

Contributor

@pgayvallet pgayvallet Apr 20, 2021

I meant ...(includeReporting ? [{LINK}] : []), {LINK} being the object you're currently adding.

{
name: strings.getShareWebsiteTitle(),
icon: <EuiIcon type="globe" size="m" />,
Expand All @@ -91,7 +100,7 @@ export const ShareMenu: FunctionComponent<Props> = ({ onCopy, onExport, getExpor
closePopover();
},
},
],
].filter(Boolean),
});

const shareControl = (togglePopover: React.MouseEventHandler<any>) => (
Expand Down Expand Up @@ -123,6 +132,7 @@ export const ShareMenu: FunctionComponent<Props> = ({ onCopy, onExport, getExpor
};

ShareMenu.propTypes = {
includeReporting: PropTypes.bool.isRequired,
onCopy: PropTypes.func.isRequired,
onExport: PropTypes.func.isRequired,
getExportUrl: PropTypes.func.isRequired,
Expand Up @@ -46,6 +46,7 @@ export const ShareMenu = compose<ComponentProps, {}>(
withServices,
withProps(
({ workpad, pageCount, services }: Props & WithServicesProps): ComponentProps => ({
includeReporting: services.reporting.includeReporting(),
getExportUrl: (type, layout) => {
if (type === 'pdf') {
const pdfUrl = getPdfUrl(
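Review bot: `services.reporting.includeReporting()` is called unconditionally, while `reporting` is listed under `optionalPlugins` and typed as `reporting?: ReportingStart` in `CanvasStartDeps`. The `./reporting` service factory is not visible in these changes, so confirm that it returns a service whose `includeReporting()` yields `false` when the plugin is absent, and add a test for that case. This flag only decides whether the menu entry is rendered, so the export endpoint still has to check the privilege itself.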
2 changes: 2 additions & 0 deletions x-pack/plugins/canvas/public/plugin.tsx
Expand Up @@ -7,6 +7,7 @@

import { BehaviorSubject } from 'rxjs';
import { ChartsPluginSetup, ChartsPluginStart } from 'src/plugins/charts/public';
import { ReportingStart } from '../../reporting/public';
import {
CoreSetup,
CoreStart,
Expand Down Expand Up @@ -49,6 +50,7 @@ export interface CanvasSetupDeps {
export interface CanvasStartDeps {
embeddable: EmbeddableStart;
expressions: ExpressionsStart;
reporting?: ReportingStart;
inspector: InspectorStart;
uiActions: UiActionsStart;
charts: ChartsPluginStart;
1 change: 1 addition & 0 deletions x-pack/plugins/canvas/public/services/context.tsx
Expand Up @@ -54,6 +54,7 @@ export const ServicesProvider: FC<{
notify: specifiedProviders.notify.getService(),
platform: specifiedProviders.platform.getService(),
navLink: specifiedProviders.navLink.getService(),
reporting: specifiedProviders.reporting.getService(),
labs: specifiedProviders.labs.getService(),
};
return <context.Provider value={value}>{children}</context.Provider>;
4 changes: 4 additions & 0 deletions x-pack/plugins/canvas/public/services/index.ts
Expand Up @@ -14,6 +14,7 @@ import { navLinkServiceFactory } from './nav_link';
import { embeddablesServiceFactory } from './embeddables';
import { expressionsServiceFactory } from './expressions';
import { labsServiceFactory } from './labs';
import { reportingServiceFactory } from './reporting';

export { NotifyService } from './notify';
export { PlatformService } from './platform';
Expand Down Expand Up @@ -79,6 +80,7 @@ export const services = {
notify: new CanvasServiceProvider(notifyServiceFactory),
platform: new CanvasServiceProvider(platformServiceFactory),
navLink: new CanvasServiceProvider(navLinkServiceFactory),
reporting: new CanvasServiceProvider(reportingServiceFactory),
labs: new CanvasServiceProvider(labsServiceFactory),
};

Expand All @@ -90,6 +92,7 @@ export interface CanvasServices {
notify: ServiceFromProvider<typeof services.notify>;
platform: ServiceFromProvider<typeof services.platform>;
navLink: ServiceFromProvider<typeof services.navLink>;
reporting: ServiceFromProvider<typeof services.reporting>;
labs: ServiceFromProvider<typeof services.labs>;
}

Expand Down Expand Up @@ -117,4 +120,5 @@ export const {
platform: platformService,
navLink: navLinkService,
expressions: expressionsService,
reporting: reportingService,
} = services;