
Change reporting_user role to leverage reserved kibana privileges (#132766)

* Change reporting_user role to leverage reserved kibana privileges

* [CI] Auto commit changes from spotless

* Mark reporting_user role as deprecated

* Update docs/changelog/132766.yaml

* Update release notes

---------

Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
Larry Gregory 2 months ago
parent
commit
f62721057e

+ 10 - 0
docs/changelog/132766.yaml

@@ -0,0 +1,10 @@
+pr: 132766
+summary: Change `reporting_user` role to leverage reserved kibana privileges
+area: Authorization
+type: deprecation
+issues: []
+deprecation:
+  title: Deprecate the built-in `reporting_user` role.
+  area: Authorization
+  details: The `reporting_user` role is deprecated. Administrators should manage access to Kibana's reporting features via custom roles which grant the necessary privileges.
+  impact: This role will be removed in a future version. Administrators should migrate to custom roles to avoid interruption.

+ 4 - 14
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -328,23 +328,13 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
                     null,
                     new RoleDescriptor.ApplicationResourcePrivileges[] {
                         RoleDescriptor.ApplicationResourcePrivileges.builder()
-                            .application("kibana-.kibana")
+                            .application("kibana-*")
                             .resources("*")
-                            .privileges(
-                                "feature_discover.minimal_read",
-                                "feature_discover.generate_report",
-                                "feature_dashboard.minimal_read",
-                                "feature_dashboard.generate_report",
-                                "feature_dashboard.download_csv_report",
-                                "feature_canvas.minimal_read",
-                                "feature_canvas.generate_report",
-                                "feature_visualize.minimal_read",
-                                "feature_visualize.generate_report"
-                            )
+                            .privileges("reserved_reporting_user")
                             .build() },
                     null,
                     null,
-                    MetadataUtils.DEFAULT_RESERVED_METADATA,
+                    MetadataUtils.getDeprecatedReservedMetadata("Please grant access via Kibana privileges instead."),
                     null,
                     null,
                     null,
@@ -353,7 +343,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
                         + "including generating and downloading reports. "
                         + "This role implicitly grants access to all Kibana reporting features, "
                         + "with each user having access only to their own reports. Note that reporting users should also be assigned "
-                        + "additional roles that grant read access to the indices that will be used to generate reports."
+                        + "additional roles that grant read access to Kibana, and the indices that will be used to generate reports."
                 )
             ),
             entry(KibanaSystemUser.ROLE_NAME, kibanaSystemRoleDescriptor(KibanaSystemUser.ROLE_NAME)),
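Review bot: The role's effective grants become opaque at the `.privileges("reserved_reporting_user")` line — what that reserved privilege expands to is not visible in this descriptor and is presumably maintained on the Kibana side — and the widening of `.application("kibana-.kibana")` to `"kibana-*"` is left unexplained, which makes the role harder to audit from this file alone. A short why-comment above the builder would help the next reader, e.g. `// Delegates to Kibana's reserved_reporting_user privilege across every kibana-* application; its contents live in Kibana, so changes there change what this role grants.` The description string in the second hunk still reads as a live role and carries no hint of the deprecation that the metadata now records; consider appending the same migration guidance there so clients that read only the description see it. The RoleDescriptor constructor call that contains both hunks begins above the first one.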

+ 2 - 11
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -2769,20 +2769,11 @@ public class ReservedRolesStoreTests extends ESTestCase {
         RoleDescriptor roleDescriptor = ReservedRolesStore.roleDescriptor("reporting_user");
         assertNotNull(roleDescriptor);
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
+        assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true));
 
         final String applicationName = "kibana-.kibana";
 
-        final Set<String> applicationPrivilegeNames = Set.of(
-            "feature_discover.minimal_read",
-            "feature_discover.generate_report",
-            "feature_dashboard.minimal_read",
-            "feature_dashboard.generate_report",
-            "feature_dashboard.download_csv_report",
-            "feature_canvas.minimal_read",
-            "feature_canvas.generate_report",
-            "feature_visualize.minimal_read",
-            "feature_visualize.generate_report"
-        );
+        final Set<String> applicationPrivilegeNames = Set.of("reserved_reporting_user");
 
         final Set<String> allowedApplicationActionPatterns = Set.of(
             "login:",
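Review bot: The assertion input at `final String applicationName = "kibana-.kibana";` is unchanged while the descriptor now matches `kibana-*`, so the test no longer exercises the widened pattern and would still pass if the wildcard were accidentally narrowed back to the single application. Assuming the remainder of the method, which runs past the hunk, uses `applicationName` only to build the application privilege under test, drawing it from more than one name would cover the wildcard: `final String applicationName = randomFrom("kibana-.kibana", "kibana-" + randomAlphaOfLength(8));`. The new `_deprecated` assertion also leaves the reason string passed to `getDeprecatedReservedMetadata` unasserted; checking it under the key that helper stores it in would pin the migration message users see.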