[Telemetry] Check permissions when requesting telemetry#126238
[Telemetry] Check permissions when requesting telemetry#126238afharo merged 27 commits intoelastic:mainfrom
Conversation
| const esClient = this.getElasticsearchClient(config); | ||
| const soClient = this.getSavedObjectsClient(config); | ||
| // Provide the kibanaRequest so opted-in plugins can scope their custom clients only if the request is not encrypted | ||
| const kibanaRequest = config.unencrypted ? config.request : void 0; |
There was a problem hiding this comment.
This is the main reason for allowing admin only to retrieve the sampled data. There's no longer a need to scope the requests. It may also help us with #84183 because kibanaRequest won't be needed in the context anymore.
| return config.unencrypted | ||
| ? this.elasticsearchClient?.asScoped(config.request).asCurrentUser | ||
| : this.elasticsearchClient?.asInternalUser; | ||
| return this.elasticsearchClient?.asInternalUser; |
There was a problem hiding this comment.
We can now rely on the internal user only 🎉
| constructor( | ||
| log: Logger, | ||
| // Needed because it doesn't affect on anything here but being explicit creates a lot of pain down the line | ||
| // eslint-disable-next-line @typescript-eslint/no-explicit-any |
| import { loggingSystemMock } from 'src/core/server/mocks'; | ||
| import { | ||
| Collector, | ||
| createCollectorFetchContextWithKibanaMock, |
There was a problem hiding this comment.
I looked at the collector and they don't require the KibanaRequest mock.
afharo
added
backport:skip
afharo
changed the title
security dependency
| { "path": "../navigation/tsconfig.json" }, | ||
| { "path": "../saved_objects_tagging_oss/tsconfig.json" }, | ||
| { "path": "../saved_objects/tsconfig.json" }, | ||
| { "path": "../screenshot_mode/tsconfig.json" }, |
There was a problem hiding this comment.
Not sure why it failed in this PR. But dashboard is importing types from screenshot_mode and it was missing this line.
@elastic/kibana-operations probably a bug in the type_check script that didn't catch it earlier in main?
There was a problem hiding this comment.
We're not totally sure how TypeScript validates that projects have the references they need, it seems to validate it most of the time but there are edge cases where you can import from another project even when it's not listed in the projects deps. We are on the cusp of moving away from relative plugin imports to imported based on global module IDs for packages which will make this a non-problem.
There was a problem hiding this comment.
This is a strange situation, but I'm glad we'll be moving away from it in the future. Thanks for adding the project to our tsconfig though!
| }; | ||
|
|
||
| private redirecToAddData() { | ||
| private redirectToAddData() { |
There was a problem hiding this comment.
Just fixing a typo here 😇
| const { hasAllRequested } = await security.authz | ||
| .checkPrivilegesWithRequest(req) | ||
| .globally({ kibana: 'decryptedTelemetry' }); |
There was a problem hiding this comment.
You need to check the serialized privilege string here. I'd suggest adding a comment to clarify this design decision for future maintainers, too 😄
| const { hasAllRequested } = await security.authz | |
| .checkPrivilegesWithRequest(req) | |
| .globally({ kibana: 'decryptedTelemetry' }); | |
| // Normally we would use `options: { tags: ['access:decryptedTelemetry'] }` in the route definition to check authorization for an | |
| // API action, however, we want to check this conditionally based on the `unencrypted` parameter. In this case we need to use the | |
| // security API directly to check privileges for this action. Note that the 'decryptedTelemetry' API privilege string is only | |
| // granted to users that have "Global All" or "Global Read" privileges in Kibana. | |
| const { checkPrivilegesWithRequest, actions } = security.authz; | |
| const privileges = { kibana: actions.api.get('decryptedTelemetry') }; | |
| const { hasAllRequested } = await checkPrivilegesWithRequest(req).globally(privileges); |
There was a problem hiding this comment.
It works! Thank you! Is there any documentation I could have gone to earlier so I wouldn't bother you with this wrong usage?
There was a problem hiding this comment.
You're welcome!
Here's where we have an example of securing an HTTP route with an API privilege string via an access: tag: https://www.elastic.co/guide/en/kibana/current/development-security.html#example-2-dev-tools
Unfortunately you couldn't use an access: tag here.
AFAIK we don't really have any dev docs or TS docs that explain how to use the Security plugin's API to check privileges directly. The only TS docs I could find is this snippet:
That's not too helpful 😅
I added an issue for us to add docs for the authorization service: #126355
|
@elasticmachine merge upstream |
ThomThomson
left a comment
ThomThomson
left a comment
There was a problem hiding this comment.
Presentation team changes LGTM
| { "path": "../navigation/tsconfig.json" }, | ||
| { "path": "../saved_objects_tagging_oss/tsconfig.json" }, | ||
| { "path": "../saved_objects/tsconfig.json" }, | ||
| { "path": "../screenshot_mode/tsconfig.json" }, |
There was a problem hiding this comment.
This is a strange situation, but I'm glad we'll be moving away from it in the future. Thanks for adding the project to our tsconfig though!
pgayvallet
left a comment
pgayvallet
left a comment
There was a problem hiding this comment.
Some nits and comments, but overall LGTM
src/plugins/home/public/application/components/welcome.test.tsx
Outdated
Show resolved
Hide resolved
src/plugins/home/public/services/welcome/welcome_service.test.ts
Outdated
Show resolved
Hide resolved
src/plugins/telemetry/server/routes/telemetry_usage_stats.test.ts
Outdated
Show resolved
Hide resolved
|
@elasticmachine merge upstream |
flash1293
left a comment
flash1293
left a comment
There was a problem hiding this comment.
VisEditors changes LGTM, code review only
💚 Build SucceededMetrics [docs]Module Count
Public APIs missing comments
Async chunks
Public APIs missing exports
Page load bundle
Unknown metric groupsAPI count
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: |
miltonhultgren
left a comment
miltonhultgren
left a comment
There was a problem hiding this comment.
Infra changes LGTM 👍🏼
…ed-unexpectedly-error * 'main' of github.com:elastic/kibana: (46 commits) Fix copy and pasted renderer user_name test (elastic#126663) [Gauge] Vis editors gauge legacy percent mode. (elastic#126318) Remove all cases related code from timelines (elastic#127003) Hide Enterprise search panel when no nodes are present (elastic#127100) [Lens] Fixed flakiness on runtime fields' appearance on the list (elastic#126945) [Security Solution][Lists] - Add missing privileges callout to exception lists page (elastic#126874) [Security Solution][Lists] - Updates exception flyout edit error messages (elastic#126875) [Security Solution][Rules] - Remove rule selection for read only users (elastic#126827) Fix session cleanup test (elastic#126966) [ftr] implement support for accessing ES through CCS (elastic#126547) [type-summarizer] always use normalized paths, fix windows compat (elastic#127055) Revert "[ci] Configure hourly pipeline for a small spot instance trial (elastic#126824)" Revert "[CI] Expand spot instance trial a bit (elastic#126928)" [Alerting] Adding functional tests for alerting and actions telemetry (elastic#126528) [Telemetry] Check permissions when requesting telemetry (elastic#126238) Don't submit empty seed_urls or sitemap_urls when making a partial crawl request (elastic#126972) Remove License Requirement for Enterprise Search App Search Meta Engines (elastic#127046) [ML] Adding data recognizer module config cache (elastic#126338) skip flaky suite (elastic#126027) [Reporting] Improve error logging for rescheduled jobs (elastic#126737) ... # Conflicts: # x-pack/plugins/reporting/server/core.ts # x-pack/plugins/reporting/server/lib/tasks/execute_report.ts
…re-browser-errors * 'main' of github.com:elastic/kibana: (46 commits) Fix copy and pasted renderer user_name test (elastic#126663) [Gauge] Vis editors gauge legacy percent mode. (elastic#126318) Remove all cases related code from timelines (elastic#127003) Hide Enterprise search panel when no nodes are present (elastic#127100) [Lens] Fixed flakiness on runtime fields' appearance on the list (elastic#126945) [Security Solution][Lists] - Add missing privileges callout to exception lists page (elastic#126874) [Security Solution][Lists] - Updates exception flyout edit error messages (elastic#126875) [Security Solution][Rules] - Remove rule selection for read only users (elastic#126827) Fix session cleanup test (elastic#126966) [ftr] implement support for accessing ES through CCS (elastic#126547) [type-summarizer] always use normalized paths, fix windows compat (elastic#127055) Revert "[ci] Configure hourly pipeline for a small spot instance trial (elastic#126824)" Revert "[CI] Expand spot instance trial a bit (elastic#126928)" [Alerting] Adding functional tests for alerting and actions telemetry (elastic#126528) [Telemetry] Check permissions when requesting telemetry (elastic#126238) Don't submit empty seed_urls or sitemap_urls when making a partial crawl request (elastic#126972) Remove License Requirement for Enterprise Search App Search Meta Engines (elastic#127046) [ML] Adding data recognizer module config cache (elastic#126338) skip flaky suite (elastic#126027) [Reporting] Improve error logging for rescheduled jobs (elastic#126737) ... # Conflicts: # x-pack/plugins/reporting/server/lib/tasks/execute_report.ts
tylersmalley
added
ci:cloud-deploy
11 participants
Summary
POST /api/telemetry/v2/clusters/_statsnow checks that the user has the permissionsdecryptedTelemetryadded in #96571 to only allow admins to retrieve telemetry. It returns 403 otherwise.Adding
securityas a dependency totelemetrycreated a circular dependency becausehomerelies ontelemetryto set decide on whether to show the telemetry notice. I moved that logic to the telemetry plugin and registered the "renderer" via a new API exposed by the home plugin.Resolves #96538.
Side wins
As we no longer need to scope the requests, I removed the
kibanaRequestfrom thefetchcontext. Simplifying a lot the types in theusageCollectionplugin.Resolves #84183.
How to test
Locally
Create a user with a role that has read-only access to all spaces. Then, log in with that user and head to Advanced Settings > Usage Data (at the bottom), and attempt to retrieve the telemetry sample. You'll see it gets a 403.
Cloud
Using the auto-deployed Kibana 🧡
Since Cloud hides the section Advanced Settings > Usage Data, we need to
curlthe deployment to test this feature:200403200Checklist
Delete any items that are not applicable to this PR.
For maintainers