[ML] Retain built-in ML roles granting Kibana privileges (#80014) (#80019)

David Roberts · web-flow · commit b770435fb1b6 · 2021-10-28T10:28:25.000-04:00
The machine_learning_admin and machine_learning_user roles
in Elasticsearch also grant access to the ML pages in Kibana.

At one time it was intended that this should change in 8.0,
so that ML privileges in Kibana would be completely separate.

However, our thinking has now changed. An administrator cannot
give a user the Elasticsearch backend roles and expect Kibana
privileges alone to then stop that user from using ML - the
user could just switch to curl or even Kibana dev console (which
uses backend privileges rather than Kibana privileges). So it's
clearer what is really being permitted if the backend roles
continue to allow access to the ML UI as well as the ML backend
endpoints. There's nothing the user can see in the ML UI that
they couldn't find out by calling ML Elasticsearch endpoints
directly and rendering the responses in a more graphical way.
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -301,7 +301,13 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                             .indices(".ml-annotations*")
                             .privileges("view_index_metadata", "read", "write")
                             .build() },
-                    // TODO: remove Kibana privileges from ML backend roles in 8.0.0
+                    // This role also grants Kibana privileges related to ML.
+                    // This makes it completely clear to UI administrators that
+                    // if they grant the Elasticsearch backend role to a user then
+                    // they cannot expect Kibana privileges to stop that user from
+                    // accessing ML functionality - the user could switch to curl
+                    // or even Kibana dev console and call the ES endpoints directly
+                    // bypassing the Kibana privileges layer entirely.
                     new RoleDescriptor.ApplicationResourcePrivileges[] {
                         RoleDescriptor.ApplicationResourcePrivileges.builder()
                             .application("kibana-*")
@@ -328,7 +334,13 @@ private static Map<String, RoleDescriptor> initializeReservedRoles() {
                             .indices(".ml-annotations*")
                             .privileges("view_index_metadata", "read", "write")
                             .build() },
-                    // TODO: remove Kibana privileges from ML backend roles in 8.0.0
+                    // This role also grants Kibana privileges related to ML.
+                    // This makes it completely clear to UI administrators that
+                    // if they grant the Elasticsearch backend role to a user then
+                    // they cannot expect Kibana privileges to stop that user from
+                    // accessing ML functionality - the user could switch to curl
+                    // or even Kibana dev console and call the ES endpoints directly
+                    // bypassing the Kibana privileges layer entirely.
                     new RoleDescriptor.ApplicationResourcePrivileges[] {
                         RoleDescriptor.ApplicationResourcePrivileges.builder()
                             .application("kibana-*")
