elastic · kobelb · Jun 29, 2018 · Jun 26, 2018 · Jun 27, 2018 · Jun 27, 2018
diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
@@ -121,23 +121,21 @@ export const security = (kibana) => new kibana.Plugin({
       request,
     }) => {
       const adminCluster = server.plugins.elasticsearch.getCluster('admin');
+      const { callWithRequest, callWithInternalUser } = adminCluster;
+      const callCluster = (...args) => callWithRequest(request, ...args);
 
-      if (!xpackInfoFeature.getLicenseCheckResults().allowRbac) {
-        const { callWithRequest } = adminCluster;
-        const callCluster = (...args) => callWithRequest(request, ...args);
-
-        const repository = savedObjects.getSavedObjectsRepository(callCluster);
+      const callWithRequestRepository = savedObjects.getSavedObjectsRepository(callCluster);
 
-        return new savedObjects.SavedObjectsClient(repository);
+      if (!xpackInfoFeature.getLicenseCheckResults().allowRbac) {
+        return new savedObjects.SavedObjectsClient(callWithRequestRepository);
       }
 
       const hasPrivileges = hasPrivilegesWithRequest(request);
-      const { callWithInternalUser } = adminCluster;
-
-      const repository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
+      const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
 
       return new SecureSavedObjectsClient({
-        repository,
+        internalRepository,
+        callWithRequestRepository,
         errors: savedObjects.SavedObjectsClient.errors,
         hasPrivileges,
         auditLogger,

diff --git a/x-pack/plugins/security/server/lib/authorization/has_privileges.js b/x-pack/plugins/security/server/lib/authorization/has_privileges.js
@@ -6,96 +6,12 @@
 
 import { getClient } from '../../../../../server/lib/get_client_shield';
 import { DEFAULT_RESOURCE } from '../../../common/constants';
-import { buildPrivilegeMap, getVersionPrivilege, getLoginPrivilege } from '../privileges';
-
-const hasApplicationPrivileges = async (callWithRequest, request, kibanaVersion, application, privileges) => {
-  const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
-    body: {
-      applications: [{
-        application,
-        resources: [DEFAULT_RESOURCE],
-        privileges
-      }]
-    }
-  });
-
-  const hasPrivileges = privilegeCheck.application[application][DEFAULT_RESOURCE];
-
-  // We include the login action in all privileges, so the existence of it and not the version privilege
-  // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
-  // know whether the user just wasn't authorized for this instance of Kibana in general
-  if (!hasPrivileges[getVersionPrivilege(kibanaVersion)] && hasPrivileges[getLoginPrivilege()]) {
-    throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
-  }
-
-  return {
-    username: privilegeCheck.username,
-    hasAllRequested: privilegeCheck.has_all_requested,
-    privileges: hasPrivileges
-  };
-};
-
-const hasLegacyPrivileges = async (
-  savedObjectTypes,
-  deprecationLogger,
-  callWithRequest,
-  request,
-  kibanaVersion,
-  application,
-  kibanaIndex,
-  privileges
-) => {
-  const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
-    body: {
-      index: [{
-        names: [kibanaIndex],
-        privileges: ['read', 'index']
-      }]
-    }
-  });
-
-  const createPrivileges = (cb) => {
-    return privileges.reduce((acc, name) => {
-      acc[name] = cb(name);
-      return acc;
-    }, {});
-  };
+import { getVersionPrivilege, getLoginPrivilege } from '../privileges';
 
-  const logDeprecation = () => {
-    deprecationLogger(
-      `Relying on implicit privileges determined from the index privileges is deprecated and will be removed in Kibana 7.0`
-    );
-  };
-
-  // if they have the index privilege, then we grant them all actions
-  if (privilegeCheck.index[kibanaIndex].index) {
-    logDeprecation();
-    const implicitPrivileges = createPrivileges(() => true);
-    return {
-      username: privilegeCheck.username,
-      hasAllRequested: true,
-      privileges: implicitPrivileges
-    };
-  }
-
-  // if they have the read privilege, then we only grant them the read actions
-  if (privilegeCheck.index[kibanaIndex].read) {
-    logDeprecation();
-    const privilegeMap = buildPrivilegeMap(savedObjectTypes, application, kibanaVersion);
-    const implicitPrivileges = createPrivileges(name => privilegeMap.read.actions.includes(name));
-
-    return {
-      username: privilegeCheck.username,
-      hasAllRequested: Object.values(implicitPrivileges).every(x => x),
-      privileges: implicitPrivileges,
-    };
-  }
-
-  return {
-    username: privilegeCheck.username,
-    hasAllRequested: false,
-    privileges: createPrivileges(() => false)
-  };
+export const HAS_PRIVILEGES_RESULT = {
+  UNAUTHORIZED: Symbol(),
+  AUTHORIZED: Symbol(),
+  LEGACY: Symbol(),
 };
 
 export function hasPrivilegesWithServer(server) {
@@ -105,45 +21,86 @@ export function hasPrivilegesWithServer(server) {
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
   const kibanaIndex = config.get('kibana.index');
-  const savedObjectTypes = server.savedObjects.types;
-  const deprecationLogger = (msg) => server.log(['warning', 'deprecated', 'security'], msg);
+
+  const loginPrivilege = getLoginPrivilege();
+  const versionPrivilege = getVersionPrivilege(kibanaVersion);
 
   return function hasPrivilegesWithRequest(request) {
-    return async function hasPrivileges(privileges) {
-      const loginPrivilege = getLoginPrivilege();
-      const versionPrivilege = getVersionPrivilege(kibanaVersion);
 
+    const hasApplicationPrivileges = async (privileges) => {
+      const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
+        body: {
+          applications: [{
+            application,
+            resources: [DEFAULT_RESOURCE],
+            privileges
+          }]
+        }
+      });
+
+      const hasPrivileges = privilegeCheck.application[application][DEFAULT_RESOURCE];
+
+      // We include the login action in all privileges, so the existence of it and not the version privilege
+      // lets us know that we're running in an incorrect configuration. Without the login privilege check, we wouldn't
+      // know whether the user just wasn't authorized for this instance of Kibana in general
+      if (!hasPrivileges[getVersionPrivilege(kibanaVersion)] && hasPrivileges[getLoginPrivilege()]) {
+        throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
+      }
+
+      return {
+        username: privilegeCheck.username,
+        hasAllRequested: privilegeCheck.has_all_requested,
+        privileges: hasPrivileges
+      };
+    };
+
+    const hasPrivilegesOnKibanaIndex = async () => {
+      const privilegeCheck = await callWithRequest(request, 'shield.hasPrivileges', {
+        body: {
+          index: [{
+            names: [kibanaIndex],
+            privileges: ['create', 'delete', 'read', 'view_index_metadata']
+          }]
+        }
+      });
+
+      return Object.values(privilegeCheck.index[kibanaIndex]).includes(true);
+    };
+
+    return async function hasPrivileges(privileges) {
       const allPrivileges = [versionPrivilege, loginPrivilege, ...privileges];
-      let privilegesCheck = await hasApplicationPrivileges(
-        callWithRequest,
-        request,
-        kibanaVersion,
-        application,
-        allPrivileges
-      );
-
-      if (!privilegesCheck.privileges[loginPrivilege]) {
-        privilegesCheck = await hasLegacyPrivileges(
-          savedObjectTypes,
-          deprecationLogger,
-          callWithRequest,
-          request,
-          kibanaVersion,
-          application,
-          kibanaIndex,
-          allPrivileges
-        );
+      const privilegesCheck = await hasApplicationPrivileges(allPrivileges);
+
+      const username = privilegesCheck.username;
+
+      // We don't want to expose the version privilege to consumers, as it's an implementation detail only to detect version mismatch
+      const missing = Object.keys(privilegesCheck.privileges)
+        .filter(p => !privilegesCheck.privileges[p])
+        .filter(p => p !== versionPrivilege);
+
+      if (privilegesCheck.hasAllRequested) {
+        return {
+          result: HAS_PRIVILEGES_RESULT.AUTHORIZED,
+          username,
+          missing,
+        };
       }
 
-      const success = privilegesCheck.hasAllRequested;
+      if (!privilegesCheck.privileges[loginPrivilege] && await hasPrivilegesOnKibanaIndex()) {
+        const msg = `Relying on implicit privileges determined from the index privileges is deprecated and will be removed in Kibana 7.0`;
+        server.log(['warning', 'deprecated', 'security'], msg);
+
+        return {
+          result: HAS_PRIVILEGES_RESULT.LEGACY,
+          username,
+          missing,
+        };
+      }
 
       return {
-        success,
-        // We don't want to expose the version privilege to consumers, as it's an implementation detail only to detect version mismatch
-        missing: Object.keys(privilegesCheck.privileges)
-          .filter(key => privilegesCheck.privileges[key] === false)
-          .filter(p => p !== versionPrivilege),
-        username: privilegesCheck.username,
+        result: HAS_PRIVILEGES_RESULT.UNAUTHORIZED,
+        username,
+        missing,
       };
     };
   };