[7.x] Security - Role Mappings UI (#53620)

docs/user/security/index.asciidoc

@@ -37,4 +37,5 @@ cause Kibana's authorization to behave unexpectedly.
 include::authorization/index.asciidoc[]
 include::authorization/kibana-privileges.asciidoc[]
 include::api-keys/index.asciidoc[]
+include::role-mappings/index.asciidoc[]
 include::rbac_tutorial.asciidoc[]

docs/user/security/role-mappings/index.asciidoc

@@ -0,0 +1,51 @@
+[role="xpack"]
+[[role-mappings]]
+=== Role mappings
+
+Role mappings allow you to describe which roles to assign to your users
+using a set of rules. Role mappings are required when authenticating via
+an external identity provider, such as Active Directory, Kerberos, PKI, OIDC,
+or SAML.
+
+Role mappings have no effect for users inside the `native` or `file` realms.
+
+To manage your role mappings, use *Management > Security > Role Mappings*.
+
+With *Role mappings*, you can:
+
+* View your configured role mappings
+* Create/Edit/Delete role mappings
+
+[role="screenshot"]
+image:user/security/role-mappings/images/role-mappings-grid.png["Role mappings"]
+
+
+[float]
+=== Create a role mapping
+
+To create a role mapping, navigate to *Management > Security > Role Mappings*, and click **Create role mapping**.
+Give your role mapping a unique name, and choose which roles you wish to assign to your users.
+If you need more flexibility, you can use {ref}/security-api-put-role-mapping.html#_role_templates[role templates] instead.
+
+Next, define the rules describing which users should receive the roles you defined. Rules can optionally grouped and nested, allowing for sophisticated logic to suite complex requirements.
+View the {ref}/role-mapping-resources.html[role mapping resources for an overview of the allowed rule types].
+
+
+[float]
+=== Example
+
+Let's create a `sales-users` role mapping, which assigns a `sales` role to users whose username
+starts with `sls_`, *or* belongs to the `executive` group.
+
+First, we give the role mapping a name, and assign the `sales` role:
+
+[role="screenshot"]
+image:user/security/role-mappings/images/role-mappings-create-step-1.png["Create role mapping, step 1"]
+
+Next, we define the two rules, making sure to set the group to *Any are true*:
+
+[role="screenshot"]
+image:user/security/role-mappings/images/role-mappings-create-step-2.gif["Create role mapping, step 2"]
+
+Click *Save role mapping* once you're finished.
+

test/common/services/security/role_mappings.ts

@@ -0,0 +1,66 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import axios, { AxiosInstance } from 'axios';
+import util from 'util';
+import { ToolingLog } from '@kbn/dev-utils';
+
+export class RoleMappings {
+  private log: ToolingLog;
+  private axios: AxiosInstance;
+
+  constructor(url: string, log: ToolingLog) {
+    this.log = log;
+    this.axios = axios.create({
+      headers: { 'kbn-xsrf': 'x-pack/ftr/services/security/role_mappings' },
+      baseURL: url,
+      maxRedirects: 0,
+      validateStatus: () => true, // we do our own validation below and throw better error messages
+    });
+  }
+
+  public async create(name: string, roleMapping: Record<string, any>) {
+    this.log.debug(`creating role mapping ${name}`);
+    const { data, status, statusText } = await this.axios.post(
+      `/internal/security/role_mapping/${name}`,
+      roleMapping
+    );
+    if (status !== 200) {
+      throw new Error(
+        `Expected status code of 200, received ${status} ${statusText}: ${util.inspect(data)}`
+      );
+    }
+    this.log.debug(`created role mapping ${name}`);
+  }
+
+  public async delete(name: string) {
+    this.log.debug(`deleting role mapping ${name}`);
+    const { data, status, statusText } = await this.axios.delete(
+      `/internal/security/role_mapping/${name}`
+    );
+    if (status !== 200 && status !== 404) {
+      throw new Error(
+        `Expected status code of 200 or 404, received ${status} ${statusText}: ${util.inspect(
+          data
+        )}`
+      );
+    }
+    this.log.debug(`deleted role mapping ${name}`);
+  }
+}

test/common/services/security/security.ts

@@ -21,6 +21,7 @@ import { format as formatUrl } from 'url';
 
 import { Role } from './role';
 import { User } from './user';
+import { RoleMappings } from './role_mappings';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 export function SecurityServiceProvider({ getService }: FtrProviderContext) {
@@ -30,6 +31,7 @@ export function SecurityServiceProvider({ getService }: FtrProviderContext) {
 
   return new (class SecurityService {
     role = new Role(url, log);
+    roleMappings = new RoleMappings(url, log);
     user = new User(url, log);
   })();
 }

x-pack/dev-tools/jest/create_jest_config.js

@@ -28,6 +28,7 @@ export function createJestConfig({ kibanaDirectory, xPackKibanaDirectory }) {
       '\\.(css|less|scss)$': `${kibanaDirectory}/src/dev/jest/mocks/style_mock.js`,
       '^test_utils/enzyme_helpers': `${xPackKibanaDirectory}/test_utils/enzyme_helpers.tsx`,
       '^test_utils/find_test_subject': `${xPackKibanaDirectory}/test_utils/find_test_subject.ts`,
+      '^test_utils/stub_web_worker': `${xPackKibanaDirectory}/test_utils/stub_web_worker.ts`,
     },
     coverageDirectory: '<rootDir>/../target/kibana-coverage/jest',
     coverageReporters: ['html'],

x-pack/legacy/plugins/security/common/model.ts

@@ -11,12 +11,17 @@ export {
   BuiltinESPrivileges,
   EditUser,
   FeaturesPrivileges,
+  InlineRoleTemplate,
+  InvalidRoleTemplate,
   KibanaPrivileges,
   RawKibanaFeaturePrivileges,
   RawKibanaPrivileges,
   Role,
   RoleIndexPrivilege,
   RoleKibanaPrivilege,
+  RoleMapping,
+  RoleTemplate,
+  StoredRoleTemplate,
   User,
   canUserChangePassword,
   getUserDisplayName,

x-pack/legacy/plugins/security/public/lib/role_mappings_api.ts

@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { CoreSetup } from 'src/core/public';
+import { RoleMapping } from '../../common/model';
+
+interface CheckRoleMappingFeaturesResponse {
+  canManageRoleMappings: boolean;
+  canUseInlineScripts: boolean;
+  canUseStoredScripts: boolean;
+  hasCompatibleRealms: boolean;
+}
+
+type DeleteRoleMappingsResponse = Array<{
+  name: string;
+  success: boolean;
+  error?: Error;
+}>;
+
+export class RoleMappingsAPI {
+  constructor(private readonly http: CoreSetup['http']) {}
+
+  public async checkRoleMappingFeatures(): Promise<CheckRoleMappingFeaturesResponse> {
+    return this.http.get(`/internal/security/_check_role_mapping_features`);
+  }
+
+  public async getRoleMappings(): Promise<RoleMapping[]> {
+    return this.http.get(`/internal/security/role_mapping`);
+  }
+
+  public async getRoleMapping(name: string): Promise<RoleMapping> {
+    return this.http.get(`/internal/security/role_mapping/${encodeURIComponent(name)}`);
+  }
+
+  public async saveRoleMapping(roleMapping: RoleMapping) {
+    const payload = { ...roleMapping };
+    delete payload.name;
+
+    return this.http.post(
+      `/internal/security/role_mapping/${encodeURIComponent(roleMapping.name)}`,
+      { body: JSON.stringify(payload) }
+    );
+  }
+
+  public async deleteRoleMappings(names: string[]): Promise<DeleteRoleMappingsResponse> {
+    return Promise.all(
+      names.map(name =>
+        this.http
+          .delete(`/internal/security/role_mapping/${encodeURIComponent(name)}`)
+          .then(() => ({ success: true, name }))
+          .catch(error => ({ success: false, name, error }))
+      )
+    );
+  }
+}

x-pack/legacy/plugins/security/public/views/management/_index.scss

@@ -1,3 +1,4 @@
 @import './change_password_form/index';
 @import './edit_role/index';
-@import './edit_user/index';
+@import './edit_user/index';
+@import './role_mappings/edit_role_mapping/index';

x-pack/legacy/plugins/security/public/views/management/breadcrumbs.ts

@@ -86,3 +86,30 @@ export function getApiKeysBreadcrumbs() {
     },
   ];
 }
+
+export function getRoleMappingBreadcrumbs() {
+  return [
+    MANAGEMENT_BREADCRUMB,
+    {
+      text: i18n.translate('xpack.security.roleMapping.breadcrumb', {
+        defaultMessage: 'Role Mappings',
+      }),
+      href: '#/management/security/role_mappings',
+    },
+  ];
+}
+
+export function getEditRoleMappingBreadcrumbs($route: Record<string, any>) {
+  const { name } = $route.current.params;
+  return [
+    ...getRoleMappingBreadcrumbs(),
+    {
+      text:
+        name ||
+        i18n.translate('xpack.security.roleMappings.createBreadcrumb', {
+          defaultMessage: 'Create',
+        }),
+      href: `#/management/security/role_mappings/edit/${name}`,
+    },
+  ];
+}

x-pack/legacy/plugins/security/public/views/management/management.js

@@ -11,9 +11,11 @@ import 'plugins/security/views/management/roles_grid/roles';
 import 'plugins/security/views/management/api_keys_grid/api_keys';
 import 'plugins/security/views/management/edit_user/edit_user';
 import 'plugins/security/views/management/edit_role/index';
+import 'plugins/security/views/management/role_mappings/role_mappings_grid';
+import 'plugins/security/views/management/role_mappings/edit_role_mapping';
 import routes from 'ui/routes';
 import { xpackInfo } from 'plugins/xpack_main/services/xpack_info';
-import { ROLES_PATH, USERS_PATH, API_KEYS_PATH } from './management_urls';
+import { ROLES_PATH, USERS_PATH, API_KEYS_PATH, ROLE_MAPPINGS_PATH } from './management_urls';
 
 import { management } from 'ui/management';
 import { npSetup } from 'ui/new_platform';
@@ -38,11 +40,23 @@ routes
     resolve: {
       securityManagementSection: function() {
         const showSecurityLinks = xpackInfo.get('features.security.showLinks');
+        const showRoleMappingsManagementLink = xpackInfo.get(
+          'features.security.showRoleMappingsManagement'
+        );
 
         function deregisterSecurity() {
           management.deregister('security');
         }
 
+        function deregisterRoleMappingsManagement() {
+          if (management.hasItem('security')) {
+            const security = management.getSection('security');
+            if (security.hasItem('roleMappings')) {
+              security.deregister('roleMappings');
+            }
+          }
+        }
+
         function ensureSecurityRegistered() {
           const registerSecurity = () =>
             management.register('security', {
@@ -88,11 +102,26 @@ routes
               url: `#${API_KEYS_PATH}`,
             });
           }
+
+          if (showRoleMappingsManagementLink && !security.hasItem('roleMappings')) {
+            security.register('roleMappings', {
+              name: 'securityRoleMappingLink',
+              order: 30,
+              display: i18n.translate('xpack.security.management.roleMappingsTitle', {
+                defaultMessage: 'Role Mappings',
+              }),
+              url: `#${ROLE_MAPPINGS_PATH}`,
+            });
+          }
         }
 
         if (!showSecurityLinks) {
           deregisterSecurity();
         } else {
+          if (!showRoleMappingsManagementLink) {
+            deregisterRoleMappingsManagement();
+          }
+
           // getCurrentUser will reject if there is no authenticated user, so we prevent them from
           // seeing the security management screens.
           return npSetup.plugins.security.authc

x-pack/legacy/plugins/security/public/views/management/management_urls.ts

@@ -12,3 +12,13 @@ export const CLONE_ROLES_PATH = `${ROLES_PATH}/clone`;
 export const USERS_PATH = `${SECURITY_PATH}/users`;
 export const EDIT_USERS_PATH = `${USERS_PATH}/edit`;
 export const API_KEYS_PATH = `${SECURITY_PATH}/api_keys`;
+export const ROLE_MAPPINGS_PATH = `${SECURITY_PATH}/role_mappings`;
+export const CREATE_ROLE_MAPPING_PATH = `${ROLE_MAPPINGS_PATH}/edit`;
+
+export const getEditRoleHref = (roleName: string) =>
+  `#${EDIT_ROLES_PATH}/${encodeURIComponent(roleName)}`;
+
+export const getCreateRoleMappingHref = () => `#${CREATE_ROLE_MAPPING_PATH}`;
+
+export const getEditRoleMappingHref = (roleMappingName: string) =>
+  `#${CREATE_ROLE_MAPPING_PATH}/${encodeURIComponent(roleMappingName)}`;