Prevent cloud users from updating their user profile #132622
azasypkin merged 4 commits into elastic:feature/user-profile from
Pinging @elastic/kibana-security (Team:Security)
| if (isCloudEnabled) { | ||
| security?.setIsElasticCloudDeployment(); | ||
| } |
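Review bot: the optional chaining on `security?.setIsElasticCloudDeployment()` means the call is silently skipped when `security` is undefined, so nothing records that the deployment was never marked as Elastic Cloud in that case. If that is intended, a short comment above the `if (isCloudEnabled)` block saying so would help, and a unit test covering both the `isCloudEnabled` true and false paths would pin the behaviour down.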
NIT/optional: Shame on us, we don't yet have a test file for x-pack/plugins/cloud/server/plugin.ts, but it would make sense to add one to test this call/behavior
That's a good point, I'll add one.
thomheymann left a comment
LGTM.
I've not been able to test cloud deployment detection logic. Tested locally by mocking elastic_cloud_user response since I've not been able to run Kibana as a cloud user.
Let me see if we can leverage

@azasypkin AFAIK, even while it's deployed to Cloud, the user login that we get to test is an ES-authenticated user. We cannot use "Log in with Elastic Cloud" in those deployments. So, essentially, we cannot test it :/

@afharo Thanks for confirming this is currently not possible. Who would be the best team to raise this issue with? Cloud is an important driver for us and it's not really acceptable to merge features in without being able to test them.

I assume @elastic/kibana-operations might be able to change the way we deploy clusters from PRs to allow us access? Also, I'm aware of an effort to allow us to write tests that will use Cloud-authenticated users (also owned by operations) :)

@jbudz, do you know if there are any plans or possible methods available to us to enable testing using cloud SSO auth for cloud instances based on PRs?

We don't have any upstream tooling yet to support automating endpoint setup. There's a manual option that we could go through for testing if we want here.

@jbudz Amazing, yeh, even manual would be fine for now. I just want to verify the logic works as expected.

@jbudz kindly helped me to test the PR using the Kibana Cloud CI account and I confirmed that we correctly determine ESS managed users and don't allow updating their profiles. The only thing we need to handle is to not render avatar editor for such users since they cannot save changes anyway (added as a point to #132645). I'll merge PR as soon as CI is happy (ignoring irrelevant failed "Build and Deploy to Cloud" task).
💔 Build Failed
Summary
Prevent cloud users from updating their user profile.
This PR is currently based on the not-merged-yet #127624.
Fixes: #129238