kobelb · kobelb · Nov 19, 2018 · Nov 20, 2018 · Nov 20, 2018 · Nov 20, 2018
diff --git a/x-pack/plugins/apm/index.js b/x-pack/plugins/apm/index.js
@@ -69,13 +69,17 @@ export function apm(kibana) {
         icon: 'apmApp',
         navLinkId: 'apm',
         privileges: {
-          all: {
-            app: ['apm'],
-            savedObject: {
-              all: [],
-              read: ['config']
-            },
-            ui: []
+          kibana: {
+            all: {
+              app: ['apm'],
+              savedObject: {
+                all: [],
+                read: ['config']
+              },
+              ui: {
+                navLink: true
+              }
+            }
           }
         }
       });

diff --git a/x-pack/plugins/canvas/init.js b/x-pack/plugins/canvas/init.js
@@ -33,21 +33,27 @@ export default async function(server /*options*/) {
     icon: 'canvasApp',
     navLinkId: 'canvas',
     privileges: {
-      all: {
-        app: ['canvas'],
-        savedObject: {
-          all: ['canvas'],
-          read: ['config', 'index-pattern'],
+      kibana: {
+        all: {
+          app: ['canvas'],
+          savedObject: {
+            all: ['canvas'],
+            read: ['config', 'index-pattern'],
+          },
+          ui: {
+            navLink: true,
+          },
         },
-        ui: [],
-      },
-      read: {
-        app: ['canvas'],
-        savedObject: {
-          all: [],
-          read: ['config', 'index-pattern', 'canvas'],
+        read: {
+          app: ['canvas'],
+          savedObject: {
+            all: [],
+            read: ['config', 'index-pattern', 'canvas'],
+          },
+          ui: {
+            navLink: true,
+          },
         },
-        ui: [],
       },
     },
   });

diff --git a/x-pack/plugins/graph/index.js b/x-pack/plugins/graph/index.js
@@ -56,21 +56,27 @@ export function graph(kibana) {
         icon: 'graphApp',
         navLinkId: 'graph',
         privileges: {
-          all: {
-            app: ['graph'],
-            savedObject: {
-              all: ['graph-workspace'],
-              read: ['config', 'index-pattern'],
+          kibana: {
+            all: {
+              app: ['graph'],
+              savedObject: {
+                all: ['graph-workspace'],
+                read: ['config', 'index-pattern'],
+              },
+              ui: {
+                navLink: true,
+              },
             },
-            ui: [],
-          },
-          read: {
-            app: ['graph'],
-            savedObject: {
-              all: [],
-              read: ['config', 'index-pattern', 'graph-workspace'],
-            },
-            ui: [],
+            read: {
+              app: ['graph'],
+              savedObject: {
+                all: [],
+                read: ['config', 'index-pattern', 'graph-workspace'],
+              },
+              ui: {
+                navLink: true,
+              },
+            }
           }
         }
       });

diff --git a/x-pack/plugins/ml/index.js b/x-pack/plugins/ml/index.js
@@ -69,14 +69,13 @@ export const ml = (kibana) => {
         icon: 'mlApp',
         navLinkId: 'ml',
         privileges: {
-          all: {
-            app: ['ml'],
-            savedObject: {
-              all: [],
-              read: ['config']
-            },
-            ui: [],
-          },
+          cluster: {
+            monitor_ml: {
+              ui: {
+                navLink: true,
+              },
+            }
+          }
         }
       });
 

diff --git a/x-pack/plugins/monitoring/init.js b/x-pack/plugins/monitoring/init.js
@@ -60,14 +60,18 @@ export const init = (monitoringPlugin, server) => {
     icon: 'monitoringApp',
     navLinkId: 'monitoring',
     privileges: {
-      all: {
-        app: ['monitoring'],
-        savedObject: {
-          all: [],
-          read: ['config'],
+      kibana: {
+        all: {
+          app: ['monitoring'],
+          savedObject: {
+            all: [],
+            read: ['config'],
+          },
+          ui: {
+            navLink: true,
+          },
         },
-        ui: [],
-      },
+      }
     }
   });
 

diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
@@ -20,7 +20,7 @@ import { checkLicense } from './server/lib/check_license';
 import { initAuthenticator } from './server/lib/authentication/authenticator';
 import { SecurityAuditLogger } from './server/lib/audit_logger';
 import { AuditLogger } from '../../server/lib/audit_logger';
-import { createAuthorizationService, disableUICapabilitesFactory, registerPrivilegesWithCluster } from './server/lib/authorization';
+import { createAuthorizationService, registerPrivilegesWithCluster, uiCapabilitesFactory } from './server/lib/authorization';
 import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
 import { SecureSavedObjectsClientWrapper } from './server/lib/saved_objects_client/secure_saved_objects_client_wrapper';
 import { deepFreeze } from './server/lib/deep_freeze';
@@ -91,18 +91,18 @@ export const security = (kibana) => new kibana.Plugin({
       };
     },
     replaceInjectedVars: async function (originalInjectedVars, request, server) {
-      const disableUICapabilites = disableUICapabilitesFactory(server, request);
+      const uiCapabilities = uiCapabilitesFactory(server, request);
       // if we're an anonymous route, we disable all ui capabilities
       if (request.route.settings.auth === false) {
         return {
           ...originalInjectedVars,
-          uiCapabilities: disableUICapabilites.all(originalInjectedVars.uiCapabilities)
+          uiCapabilities: uiCapabilities.disableAll(originalInjectedVars.uiCapabilities)
         };
       }
 
       return {
         ...originalInjectedVars,
-        uiCapabilities: await disableUICapabilites.usingPrivileges(originalInjectedVars.uiCapabilities)
+        uiCapabilities: await uiCapabilities.disableUsingPrivileges(originalInjectedVars.uiCapabilities)
       };
     }
   },
@@ -212,17 +212,6 @@ export const security = (kibana) => new kibana.Plugin({
       const { actions, checkPrivilegesDynamicallyWithRequest } = server.plugins.security.authorization;
       const checkPrivileges = checkPrivilegesDynamicallyWithRequest(req);
 
-      // Enforce app restrictions
-      if (path.startsWith('/app/')) {
-        const appId = path.split('/', 3)[2];
-        const appAction = actions.app.get(appId);
-
-        const checkPrivilegesResponse = await checkPrivileges(appAction);
-        if (!checkPrivilegesResponse.hasAllRequested) {
-          return Boom.notFound();
-        }
-      }
-
       // Enforce API restrictions for associated applications
       if (path.startsWith('/api/')) {
         const { tags = [] } = req.route.settings;

diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.ts.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.ts.snap
@@ -2,11 +2,13 @@
 
 exports[`#atSpace throws error when checking for login and user has login but doesn't have version 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
 
-exports[`#atSpace with a malformed Elasticsearch response throws a validation error when an extra privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because ["saved_object:bar-type/get" is not allowed]]]]`;
+exports[`#atSpace with a malformed Elasticsearch response throws a validation error when a cluster privilege is missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "cluster" fails because [child "monitor_bar" fails because ["monitor_bar" is required]]]`;
+
+exports[`#atSpace with a malformed Elasticsearch response throws a validation error when an extra cluster privilege is in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "cluster" fails because ["manage_bar" is not allowed]]`;
 
-exports[`#atSpace with a malformed Elasticsearch response throws a validation error when privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because [child "saved_object:foo-type/get" fails because ["saved_object:foo-type/get" is required]]]]]`;
+exports[`#atSpace with a malformed Elasticsearch response throws a validation error when an extra privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because ["saved_object:bar-type/get" is not allowed]]]]`;
 
-exports[`#atSpaces throws error when Elasticsearch returns malformed response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because [child "mock-action:version" fails because ["mock-action:version" is required]]]]]`;
+exports[`#atSpace with a malformed Elasticsearch response throws a validation error when application privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because [child "saved_object:foo-type/get" fails because ["saved_object:foo-type/get" is required]]]]]`;
 
 exports[`#atSpaces throws error when checking for login and user has login but doesn't have version 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
 
@@ -16,12 +18,20 @@ exports[`#atSpaces with a malformed Elasticsearch response throws a validation e
 
 exports[`#atSpaces with a malformed Elasticsearch response throws a validation error when an extra space is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because ["space:space_3" is not allowed]]]`;
 
+exports[`#atSpaces with a malformed Elasticsearch response throws a validation error when missing a cluster privilege in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "cluster" fails because [child "monitor_bar" fails because ["monitor_bar" is required]]]`;
+
 exports[`#atSpaces with a malformed Elasticsearch response throws a validation error when privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_2" fails because ["space:space_2" is required]]]]`;
 
-exports[`#globally throws error when Elasticsearch returns malformed response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "*" fails because [child "mock-action:version" fails because ["mock-action:version" is required]]]]]`;
+exports[`#atSpaces with a malformed Elasticsearch response throws a validation error when there's an extra cluster privilege in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "cluster" fails because ["manage_bar" is not allowed]]`;
+
+exports[`#atSpaces with a malformed Elasticsearch response throws error when Elasticsearch returns malformed response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because [child "mock-action:version" fails because ["mock-action:version" is required]]]]]`;
 
 exports[`#globally throws error when checking for login and user has login but doesn't have version 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
 
+exports[`#globally with a malformed Elasticsearch response throws a validation error when an extra cluster privilege is in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "cluster" fails because ["manage_bar" is not allowed]]`;
+
 exports[`#globally with a malformed Elasticsearch response throws a validation error when an extra privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "*" fails because ["saved_object:bar-type/get" is not allowed]]]]`;
 
+exports[`#globally with a malformed Elasticsearch response throws a validation error when cluster privilege is missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "cluster" fails because [child "monitor_bar" fails because ["monitor_bar" is required]]]`;
+
 exports[`#globally with a malformed Elasticsearch response throws a validation error when privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "*" fails because [child "saved_object:foo-type/get" fails because ["saved_object:foo-type/get" is required]]]]]`;
diff --git a/...gins/security/server/lib/authorization/__snapshots__/disable_ui_capabilities.test.ts.snap b/...gins/security/server/lib/authorization/__snapshots__/disable_ui_capabilities.test.ts.snap
diff --git a/...plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.ts.snap b/...plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.ts.snap
@@ -1,5 +1,9 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
+exports[`validateEsPrivilegeResponse fails validation when a cluster privilege is malformed in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"cluster\\" fails because [child \\"clusterPrivilege2\\" fails because [\\"clusterPrivilege2\\" must be a boolean]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when a cluster privilege is missing in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"cluster\\" fails because [child \\"clusterPrivilege2\\" fails because [\\"clusterPrivilege2\\" is required]]"`;
+
 exports[`validateEsPrivilegeResponse fails validation when an action is malformed in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [child \\"action3\\" fails because [\\"action3\\" must be a boolean]]]]"`;
 
 exports[`validateEsPrivilegeResponse fails validation when an action is missing in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [child \\"action2\\" fails because [\\"action2\\" is required]]]]"`;
@@ -19,3 +23,5 @@ exports[`validateEsPrivilegeResponse fails validation when the requested applica
 exports[`validateEsPrivilegeResponse fails validation when the resource propertry is malformed in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" must be an object]]]"`;
 
 exports[`validateEsPrivilegeResponse fails validation when there are no resource properties in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" is required]]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when there is an extra cluster privilege in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"cluster\\" fails because [\\"clusterPrivilege3\\" is not allowed]"`;