[GAP] - Role Management UI

test/functional/page_objects/visualize_page.js

@@ -700,12 +700,9 @@ export function VisualizePageProvider({ getService, getPageObjects }) {
       ));
     }
 
-    async saveVisualizationExpectFail(vizName, { saveAsNew = false } = {}) {
-      await this.saveVisualization(vizName, { saveAsNew });
-      const errorToast = await testSubjects.exists('saveVisualizationError', {
-        timeout: defaultFindTimeout
-      });
-      expect(errorToast).to.be(true);
+    async expectNoSaveOption() {
+      const saveButtonExists = await testSubjects.exists('visualizeSaveButton');
+      expect(saveButtonExists).to.be(false);
     }
 
     async clickLoadSavedVisButton() {

x-pack/plugins/apm/index.js

@@ -71,7 +71,9 @@ export function apm(kibana) {
     init(server) {
       server.plugins.xpack_main.registerFeature({
         id: 'apm',
-        name: 'APM',
+        name: i18n.translate('xpack.apm.featureRegistry.apmFeatureName', {
+          defaultMessage: 'APM'
+        }),
         icon: 'apmApp',
         navLinkId: 'apm',
         catalogue: ['apm'],
@@ -86,7 +88,11 @@ export function apm(kibana) {
             },
             ui: []
           }
-        }
+        },
+        privilegesTooltip: i18n.translate('xpack.apm.privileges.tooltip', {
+          defaultMessage:
+            'A role with access to the apm-* indicies should be assigned to users to grant access'
+        })
       });
 
       initTransactionsApi(server);

x-pack/plugins/canvas/init.js

@@ -45,7 +45,7 @@ export default async function(server /*options*/) {
       all: {
         app: ['canvas', 'kibana'],
         savedObject: {
-          all: ['canvas'],
+          all: ['canvas-workpad'],
           read: ['config', 'index-pattern'],
         },
         ui: [],
@@ -54,7 +54,7 @@ export default async function(server /*options*/) {
         app: ['canvas', 'kibana'],
         savedObject: {
           all: [],
-          read: ['config', 'index-pattern', 'canvas'],
+          read: ['config', 'index-pattern', 'canvas-workpad'],
         },
         ui: [],
       },

x-pack/plugins/gis/index.js

@@ -11,6 +11,7 @@ import mappings from './mappings.json';
 import { checkLicense } from './check_license';
 import { watchStatusAndLicenseToInitialize } from
   '../../server/lib/watch_status_and_license_to_initialize';
+import { i18n } from '@kbn/i18n';
 
 export function gis(kibana) {
 
@@ -62,7 +63,9 @@ export function gis(kibana) {
 
         xpackMainPlugin.registerFeature({
           id: 'gis',
-          name: 'Maps',
+          name: i18n.translate('xpack.gis.featureRegistry.gisFeatureName', {
+            defaultMessage: 'Maps',
+          }),
           icon: 'gisApp',
           navLinkId: 'gis',
           catalogue: ['gis'],

x-pack/plugins/graph/index.js

@@ -5,7 +5,7 @@
  */
 
 import { resolve } from 'path';
-import Boom from 'boom';
+import { i18n } from '@kbn/i18n';
 
 import { initServer } from './server';
 import mappings from './mappings.json';
@@ -52,7 +52,9 @@ export function graph(kibana) {
 
       server.plugins.xpack_main.registerFeature({
         id: 'graph',
-        name: 'Graph',
+        name: i18n.translate('xpack.graph.featureRegistry.graphFeatureName', {
+          defaultMessage: 'Graph',
+        }),
         icon: 'graphApp',
         navLinkId: 'graph',
         catalogue: ['graph'],

x-pack/plugins/infra/server/kibana.index.ts

@@ -33,9 +33,10 @@ export const initServerWithKibana = (kbnServer: KbnServer) => {
   const xpackMainPlugin = kbnServer.plugins.xpack_main;
   xpackMainPlugin.registerFeature({
     id: 'infrastructure',
-    name: i18n.translate('xpack.infra.linkInfrastructureTitle', {
+    name: i18n.translate('xpack.infra.featureRegistry.linkInfrastructureTitle', {
       defaultMessage: 'Infrastructure',
     }),
+    icon: 'infraApp',
     navLinkId: 'infra:home',
     catalogue: ['infraops'],
     privileges: {
@@ -52,9 +53,10 @@ export const initServerWithKibana = (kbnServer: KbnServer) => {
 
   xpackMainPlugin.registerFeature({
     id: 'logs',
-    name: i18n.translate('xpack.infra.linkLogsTitle', {
+    name: i18n.translate('xpack.infra.featureRegistry.linkLogsTitle', {
       defaultMessage: 'Logs',
     }),
+    icon: 'loggingApp',
     navLinkId: 'infra:logs',
     catalogue: ['infralogging'],
     privileges: {

x-pack/plugins/ml/index.js

@@ -73,17 +73,15 @@ export const ml = (kibana) => {
 
       xpackMainPlugin.registerFeature({
         id: 'ml',
-        name: 'Machine Learning',
+        name: i18n.translate('xpack.ml.featureRegistry.mlFeatureName', {
+          defaultMessage: 'Machine Learning',
+        }),
         icon: 'machineLearningApp',
         navLinkId: 'ml',
         catalogue: ['ml'],
         privileges: {
           all: {
-            metadata: {
-              tooltip: i18n.translate('xpack.ml.privileges.tooltip', {
-                defaultMessage: 'The machine_learning_user or machine_learning_admin role should be assigned to grant access'
-              })
-            },
+            catalogue: ['ml'],
             grantWithBaseRead: true,
             app: ['ml', 'kibana'],
             savedObject: {
@@ -92,7 +90,10 @@ export const ml = (kibana) => {
             },
             ui: [],
           },
-        }
+        },
+        privilegesTooltip: i18n.translate('xpack.ml.privileges.tooltip', {
+          defaultMessage: 'The machine_learning_user or machine_learning_admin role should also be assigned to users to grant access'
+        })
       });
 
       // Add server routes and initialize the plugin here

x-pack/plugins/monitoring/init.js

@@ -57,17 +57,15 @@ export const init = (monitoringPlugin, server) => {
 
   xpackMainPlugin.registerFeature({
     id: 'monitoring',
-    name: 'Monitoring',
+    name: i18n.translate('xpack.monitoring.featureRegistry.monitoringFeatureName', {
+      defaultMessage: 'Stack Monitoring',
+    }),
     icon: 'monitoringApp',
     navLinkId: 'monitoring',
     catalogue: ['monitoring'],
     privileges: {
       all: {
-        metadata: {
-          tooltip: i18n.translate('xpack.monitoring.privileges.tooltip', {
-            defaultMessage: 'The monitoring_user role should be assigned to grant access'
-          })
-        },
+        catalogue: ['monitoring'],
         grantWithBaseRead: true,
         app: ['monitoring', 'kibana'],
         savedObject: {
@@ -76,7 +74,10 @@ export const init = (monitoringPlugin, server) => {
         },
         ui: [],
       },
-    }
+    },
+    privilegesTooltip: i18n.translate('xpack.monitoring.privileges.tooltip', {
+      defaultMessage: 'The monitoring_user role should also be assigned to users to grant access'
+    })
   });
 
   const bulkUploader = initBulkUploader(kbnServer, server);

x-pack/plugins/security/common/model/index.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { Role } from './role';
+export { FeaturesPrivileges, PrivilegeMap, KibanaPrivilegeSpec } from './kibana_privilege';
+export { IndexPrivilege } from './index_privilege';
+export { PrivilegeDefinition } from './privileges/privilege_definition';
+export { GlobalPrivileges } from './privileges/global_privileges';
+export { SpacesPrivileges } from './privileges/spaces_privileges';
+export { FeaturePrivileges, FeaturePrivilegeSet } from './privileges/feature_privileges';

x-pack/plugins/security/common/model/kibana_privilege.ts

@@ -4,6 +4,17 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export type KibanaPrivilege = 'none' | 'read' | 'all';
+import { FeaturePrivilegeSet } from './privileges/feature_privileges';
+export type FeaturesPrivileges = Record<string, Record<string, string[]>>;
 
-export const KibanaAppPrivileges: KibanaPrivilege[] = ['read', 'all'];
+export interface PrivilegeMap {
+  global: Record<string, string[]>;
+  features: FeaturesPrivileges;
+  space: Record<string, string[]>;
+}
+
+export interface KibanaPrivilegeSpec {
+  spaces: string[];
+  base: string[];
+  feature: FeaturePrivilegeSet;
+}

x-pack/plugins/security/common/model/privileges/feature_privileges.ts

@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+interface FeaturePrivilegesMap {
+  [featureId: string]: {
+    [privilegeId: string]: string[];
+  };
+}
+
+export interface FeaturePrivilegeSet {
+  [featureId: string]: string[];
+}
+
+export class FeaturePrivileges {
+  constructor(private readonly featurePrivilegesMap: FeaturePrivilegesMap) {}
+
+  public getAllPrivileges(): FeaturePrivilegeSet {
+    return Object.entries(this.featurePrivilegesMap).reduce((acc, [featureId, privileges]) => {
+      return {
+        ...acc,
+        [featureId]: Object.keys(privileges),
+      };
+    }, {});
+  }
+
+  public getPrivileges(featureId: string): string[] {
+    return Object.keys(this.featurePrivilegesMap[featureId]);
+  }
+
+  public getActions(featureId: string, privilege: string): string[] {
+    if (!this.featurePrivilegesMap[featureId]) {
+      return [];
+    }
+    return this.featurePrivilegesMap[featureId][privilege] || [];
+  }
+}

x-pack/plugins/security/common/model/privileges/global_privileges.ts

@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export class GlobalPrivileges {
+  constructor(private readonly globalPrivilegesMap: Record<string, string[]>) {}
+
+  public getAllPrivileges(): string[] {
+    return Object.keys(this.globalPrivilegesMap);
+  }
+
+  public getActions(privilege: string): string[] {
+    return this.globalPrivilegesMap[privilege] || [];
+  }
+}

x-pack/plugins/security/common/model/privileges/privilege_definition.ts

@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { PrivilegeMap } from '../kibana_privilege';
+import { FeaturePrivileges } from './feature_privileges';
+import { GlobalPrivileges } from './global_privileges';
+import { SpacesPrivileges } from './spaces_privileges';
+
+export class PrivilegeDefinition {
+  constructor(private readonly privilegeActionMap: PrivilegeMap) {}
+
+  public getGlobalPrivileges() {
+    return new GlobalPrivileges(this.privilegeActionMap.global);
+  }
+
+  public getSpacesPrivileges() {
+    return new SpacesPrivileges(this.privilegeActionMap.space);
+  }
+
+  public getFeaturePrivileges() {
+    return new FeaturePrivileges(this.privilegeActionMap.features);
+  }
+}

x-pack/plugins/security/common/model/privileges/spaces_privileges.ts

@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export class SpacesPrivileges {
+  constructor(private readonly spacesPrivilegesMap: Record<string, string[]>) {}
+
+  public getAllPrivileges(): string[] {
+    return Object.keys(this.spacesPrivilegesMap);
+  }
+
+  public getActions(privilege: string): string[] {
+    return this.spacesPrivilegesMap[privilege] || [];
+  }
+}

x-pack/plugins/security/common/model/role.ts

@@ -5,7 +5,7 @@
  */
 
 import { IndexPrivilege } from './index_privilege';
-import { KibanaPrivilege } from './kibana_privilege';
+import { KibanaPrivilegeSpec } from './kibana_privilege';
 
 export interface Role {
   name: string;
@@ -14,16 +14,13 @@ export interface Role {
     indices: IndexPrivilege[];
     run_as: string[];
   };
-  kibana: {
-    global: KibanaPrivilege[];
-    space: {
-      [spaceId: string]: KibanaPrivilege[];
-    };
-  };
+  kibana: KibanaPrivilegeSpec[];
   metadata?: {
     [anyKey: string]: any;
   };
   transient_metadata?: {
     [anyKey: string]: any;
   };
+  _transform_error?: string[];
+  _unrecognized_applications?: string[];
 }

x-pack/plugins/security/index.js

@@ -10,6 +10,7 @@ import { getUserProvider } from './server/lib/get_user';
 import { initAuthenticateApi } from './server/routes/api/v1/authenticate';
 import { initUsersApi } from './server/routes/api/v1/users';
 import { initPublicRolesApi } from './server/routes/api/public/roles';
+import { initPrivilegesApi } from './server/routes/api/public/privileges';
 import { initIndicesApi } from './server/routes/api/v1/indices';
 import { initLoginView } from './server/routes/views/login';
 import { initLogoutView } from './server/routes/views/logout';
@@ -199,6 +200,7 @@ export const security = (kibana) => new kibana.Plugin({
     initUsersApi(server);
     initPublicRolesApi(server);
     initIndicesApi(server);
+    initPrivilegesApi(server);
     initLoginView(server, xpackMainPlugin);
     initLogoutView(server);
     initLoggedOutView(server);

x-pack/plugins/security/public/components/_index.scss

@@ -0,0 +1 @@
+@import './management/users/index';

x-pack/plugins/security/public/components/management/users/_index.scss

@@ -0,0 +1 @@
+@import './users';

x-pack/plugins/security/public/components/management/users/_users.scss

@@ -0,0 +1,16 @@
+// HACK -- Fix for background color full-height of browser
+.secUsersEditPage,
+.secUsersListingPage {
+  min-height: calc(100vh - 70px);
+}
+
+.secUsersListingPage__content {
+  flex-grow: 0;
+}
+
+.secUsersEditPage__content {
+  max-width: $secFormWidth;
+  margin-left: auto;
+  margin-right: auto;
+  flex-grow: 0;
+}