chore(streams): returns 403 when user has no read access #217742
kdelemme merged 10 commits into elastic:main from
| export async function getCustomRoleApiClient<TServerRouteRepository extends ServerRouteRepository>( | ||
| st: ReturnType<typeof RoleScopedSupertestProvider> | ||
| ): Promise<RepositorySupertestClient<TServerRouteRepository>> { | ||
| return await getApiClient(st, 'customRole'); | ||
| } | ||
|
|
||
| export async function getAdminApiClient<TServerRouteRepository extends ServerRouteRepository>( | ||
| st: ReturnType<typeof RoleScopedSupertestProvider> | ||
| ): Promise<RepositorySupertestClient<TServerRouteRepository>> { | ||
| return await getApiClient(st, 'admin'); | ||
| } | ||
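Review bot: both exported helpers wrap a single `getApiClient(st, role)` call in `return await`, which outside a try/catch only adds an extra promise tick; `return getApiClient(st, 'customRole')` and `return getApiClient(st, 'admin')` behave the same. Neither exported function carries a doc comment saying which privilege level its role is expected to hold, yet that is exactly what the per-role split is meant to make auditable by reference search; a one-line JSDoc on each ("client scoped to a role without stream read access" / "client scoped to a fully privileged admin") would make that audit trail self-describing.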
I didn't want to change all the tests so I kept getAdminApiClient but one could argue we could have only one getApiClient(st, "role") instead... let me know if I should consolidate this or if it's fine like this
I'm in favor of keeping the function split by role, it makes it much easier to audit later where we are using which role by a simple reference check
7159443 to 36eca18
| describe('read streams', () => { | ||
| it('fails when users has not read access', async () => { | ||
| await getStream(customRoleApiClient, STREAM_NAME, 403); |
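Review bot: this describe block only covers the negative path. `getStream(customRoleApiClient, STREAM_NAME, 403)` proves the read is denied for the custom role, but nothing proves that a role with read access still gets a 200, so a regression that answers 403 for every caller would pass this suite; add a positive case with the admin client next to it, e.g. `await getStream(adminApiClient, STREAM_NAME, 200);`. Also, the `it` title reads "fails when users has not read access"; "fails when user has no read access" matches the PR title and is grammatical.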
It's minor but perhaps we should actually test that it succeeds for the admin role?
it won't hurt adding it, but I have a problem with my setup since customRole does not seem to be available on serverless env
dmlemeshko left a comment:
left a comment, should be an easy fix
| export async function getCustomRoleApiClient<TServerRouteRepository extends ServerRouteRepository>( | ||
| st: ReturnType<typeof RoleScopedSupertestProvider> | ||
| ): Promise<RepositorySupertestClient<TServerRouteRepository>> { | ||
| return await getApiClient(st, 'customRole'); |
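Review bot: `'customRole'` is a hard-coded literal, and as the follow-up comment on this snippet notes, the custom role name is being changed in #217882 and is meant to be obtained via `samlAuth.getCustomRole()`. Resolving the role name from that call instead of the literal keeps this helper from silently pointing at a role that no longer exists once the follow-up lands; a client scoped to a non-existent role would fail with a confusing authentication error rather than exercising the 403 path this PR is testing.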
In #217882 I'm changing the custom role naming and you will have to get the value via samlAuth.getCustomRole()
Could you make a change so that it won't be broken in the follow-up PR?
I should be able, let's see. I'll wait for your change to happen before updating
jasonrhodes left a comment:
Approving on behalf of "Observability UI" without having looked at this much ... FWIW looks like this was triggered by the test_serverless/functional/.../streams/ directory, the index.ts and read_privilege.ts files. @miltonhultgren is in the "Observability UI" GH team so his review should have satisfied that CODEOWNERS requirement. Who knows.
Could be those changes happened after my approval?

blocked until #217882 is merged

@kdelemme seems like this is ready to go?

@flash1293 saml customRoles api should have changed, let me see if I don't have to fix something

@flash1293 tests should be fixed now
dmlemeshko left a comment:
Code LGTM, thanks for adding CustomRoleScopedSupertestProvider
💚 Build Succeeded
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/14501511251
💔 All backports failed
Manual backport: to create the backport manually run:
Questions? Please refer to the Backport tool documentation
Friendly reminder: Looks like this PR hasn’t been backported yet.
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
) (cherry picked from commit e57a825)
# Conflicts:
# x-pack/test_serverless/functional/test_suites/observability/index.feature_flags.ts
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync.
) (#218954)
# Backport
This will backport the following commits from `main` to `8.19`:
- [chore(streams): returns 403 when user has no read access (#217742)](#217742)

Source commit e57a8259648e854891ba5c421abf0ed82c6bc9f0 by Kevin Delemme, committed 2025-04-16T20:03:18Z; source PR #217742 (labels: release_note:skip, backport missing, backport:version, v9.1.0, v8.19.0), merged to main; target branch 8.x (label v8.19.0).
### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Summary
Resolves https://github.com/elastic/streams-program/issues/247
This PR changes the error thrown when attempting to access a stream without the read privileges, from 404 to 403.
I had to use the functional tests feature flags setup to be able to use a custom role on serverless: More details
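The behaviour the summary describes, as an added example in TypeScript that is not code from this PR or from Kibana: a minimal stream read handler that refuses a caller without read privilege with 403 rather than 404, together with a `getStream(client, STREAM_NAME, expectedStatus)` helper shaped like the one in the PR's functional test. The handler, the `PrivilegeChecker` and `StreamStore` interfaces and the in-memory fakes are assumptions; only the role names and the test helper's shape come from the page.

```typescript
// Added example, not Kibana's code: a minimal stream read handler that maps
// the privilege check to HTTP status codes the way the PR summary describes
// (403 for a caller without read privilege, instead of 404), plus a
// getStream() helper shaped like the one used in the PR's functional test.

type Role = 'admin' | 'customRole';

// Hypothetical seams standing in for Kibana's security plugin and stream storage.
interface PrivilegeChecker {
  hasReadAccess(role: Role, streamName: string): boolean;
}

interface StreamStore {
  exists(streamName: string): boolean;
}

export interface StreamResponse {
  status: number;
  body: { name?: string; message?: string };
}

export function getStreamHandler(
  role: Role,
  streamName: string,
  privileges: PrivilegeChecker,
  store: StreamStore
): StreamResponse {
  // Privilege check first: a caller without read access on the stream is
  // refused with 403 whether or not the stream exists, so the response never
  // doubles as an existence oracle for unprivileged callers.
  if (!privileges.hasReadAccess(role, streamName)) {
    return { status: 403, body: { message: `Forbidden: no read access to ${streamName}` } };
  }
  // Only a privileged caller learns whether the stream is actually there.
  if (!store.exists(streamName)) {
    return { status: 404, body: { message: `Stream ${streamName} not found` } };
  }
  return { status: 200, body: { name: streamName } };
}

// Constructed in-memory fakes (hypothetical): only 'admin' holds read
// privilege, and a single stream named 'logs' exists.
export const fakePrivileges: PrivilegeChecker = {
  hasReadAccess(role: Role, _streamName: string): boolean {
    return role === 'admin';
  },
};

export const fakeStore: StreamStore = {
  exists(streamName: string): boolean {
    return streamName === 'logs';
  },
};

// Mirrors the PR test's getStream(client, STREAM_NAME, expectedStatus) shape;
// here the role stands in for the role-scoped supertest client.
export function getStream(role: Role, streamName: string, expectedStatus: number): StreamResponse {
  const res = getStreamHandler(role, streamName, fakePrivileges, fakeStore);
  if (res.status !== expectedStatus) {
    throw new Error(`getStream(${role}, ${streamName}): expected ${expectedStatus}, got ${res.status}`);
  }
  return res;
}
```

With the checks in this order, `getStream('customRole', 'logs', 403)` and `getStream('customRole', 'missing', 403)` both pass, while `getStream('admin', 'missing', 404)` is the only way to observe a 404. A suite that pairs the custom-role 403 case with an admin 200 case catches both a handler that forgets the privilege check and one that denies everybody.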