Custom privilege definition on roles

[elasticmachine]

Original comment by @jaymode:

In order to support security for other components of the stack, we will provide a primitive on the roles that exist in elasticsearch. This primitive is a new entry or entries alongside the current indices and cluster entries. The entries would contain an array of arbitrary string values.

If other applications in the stack need the ability to get a view of the current user's combined privileges, we would need an API to render this combined view. When merging roles we should simply combine all of the lists.

[elasticmachine]

Original comment by @skearns64:

If other applications in the stack need the ability to get a view of the current user's combined privileges, we would need an API to render this combined view

I'm +1 to an "effective privileges" API (LINK REDACTED), but would it be possible to also integrate these custom privileges with the has_privileges API?

[elasticmachine]

Original comment by @joshbressers:

After a chat with the Kibana folks they're going to want this feature to enable Spaces properly (they can live without OLS for now). We will probably want to bump the priority of this feature.

[elasticmachine]

Original comment by @jaymode:

@epixa do you have an idea of what you would need from us in terms of API/capabilities?

[elasticmachine]

Original comment by @epixa:

@jaymode At this point, I think we just need the ability to specify new privileges as strings and then have those privileges assigned to roles and returned via the has_privileges api.

[elasticmachine]

Original comment by @tvernum:

@epixa (and @jordansissel / @andrewvc if this is going to be useful to Logstash)

I've started implementing this, and there are 2 potential features that have a big impact on the implementation complexity. They're both achievable if they're truly useful (I have a prototype already), but I don't want to do them unless we actually need them.

1. pre-defined privileges
2. privileges on resources

pre-defined privileges

We have a choice, either privileges are just a string, or they are pre-defined objects.

I'll do my best to explain as succintly as possible.

If we have "just a string", then a role can have:

"custom": [ "kibana:read", "kibana:write" ]

And that's easy. But it means that "kibana:write" doesn't imply "kibana:create" because they're just strings, and they don't mean anything inside ES.

So

GET /_xpack/security/user/_has_privileges
{
   "custom": [ "kibana:write", "kibana:create" ]
}

would return

"kibana:write": true,
"kibana:create" false

And, likewise, kibana:all doesn't mean anything special to ES.

So, if Kibana (or Logstash, etc) wants to have a rich set of privileges like all implies read+write and write implies create+update+delete, then there would be 3 choices for implementing that on top of the "just a string" model, none of which are great.

1. expand them at role creation time, so if a role is supposed to have "kibana:all", you actually write it with

   "custom" : [ "kibana:all", "kibana:read", "kibana:write", "kibana:create", "kibana:update", "kibana:delete" ]
   

   and then when Kibana 7.0 adds a new "kibana:admin", you find all the roles with kibana:all and add kibana:admin into the list.
2. implement the implies logic at read time, so if you want to check "delete" access, you need to ask:

   GET /_xpack/security/user/_has_privileges
   {
       "custom": [ "kibana:all", "kibana:write", "kibana:delete" ]
   }
   

   and then the user has "delete" if it any of those privileges are true.
3. try and solve it with patterns instead of names. Instead of storing "kibana:all", you store "kibana:*" and "write" becomes "kibana:write/* and delete is "kibana:write/delete". Then ES can handle the all implies write implies delete logic by evaluating Automata, which we already support. But it means roles have seemingly artibrary magic patterns in them, and every kibana privilege needs to be planned out to fit into a perfect tree.

All of those end up trying to replicate functionality that ES already has for cluster and index privileges, because we treat those privileges as objects rather than strings.

We can do that for custom privileges, but it requires creating a full API to CRUD a custom privilege, and it means that resolving a user's custom privileges depends on reading them in from security index, so it's not just implementation effort, it's also runtime complexity.
But it would mean you could do something like

PUT /_xpack/security/privilege/kibana:all
{   "actions": [ "kibana:*" ] }

PUT /_xpack/security/privilege/kibana:read
{   "actions": [ "kibana:read/*" ] }

PUT /_xpack/security/privilege/kibana:write
{   "actions": [ "kibana:write/*" ] }

PUT /_xpack/security/privilege/kibana:delete
{   "actions": [ "kibana:write/delete/*" ] }

And then

GET /_xpack/security/user/_has_privileges
{
    "custom": [ "kibana:delete" ]
}

would work correctly for users with "all", "write" or "delete"
as would

GET /_xpack/security/user/_has_privileges
{
    "custom": [ "kibana:delete/dashboard" ]
}

I've elected to use a tree based model for custom actions there because it's worked well for ES, and it seems logical to do the same thing for custom privileges if we go down the pre-defined objects path, but it's certainly open for discussion.

privileges on resources

Cluster privileges are all or nothing - you have "monitor" for the whole cluster, or none of it.
Index privileges are tied to a resource - you have "read" for index-a, and "write" for index-b, but nothing on "index-c".

I can make custom privileges work like cluster privileges, or like index privileges (with the latter being added complexity).
Modeling a whole-application permission with a resource-bound privilege is easy, you can just assign the * resource and it will behave correctly (although it's could lead to confusion with customers).
It's very hard to get resource-level permissions using non-resourced privileges, so if you need them, ES should support them properly, but we get a simpler model if we can avoid it.

Side Note: Naming

During my prototype, I found myself getting the words "cluster" and "custom" confused a lot in my typing. I'd like to name "custom" privileges something else. My suggestions would be (in order of my preference)

• application
• external
• bespoke

[elasticmachine]

Original comment by @epixa:

cc @kobelb as he'll be doing or coordinating most of the work around this stuff on Kibana's end.

Implementation

Kibana will need the ability to manage a role hierarchy, and I think from an end-user perspective it should behave similarly to ES.

it's also runtime complexity.

Other than the existence of additional REST endpoints, how does the complexity of this implementation differ from the way ES privileges are handled today? It seems like we need to implement the complexity somewhere one way or another, so to me it's a question of whether we do it in ES or in Kibana, so understanding exactly what would be new complexity to ES is important here.

privileges on resources

This is a little tricky for Kibana. On the surface, we want kibana-wide privileges which are sort of like cluster level privileges. There wouldn't be any concept of "write" for .kibana but only "read" for .reporting, for example. You'd simply have the "write" privilege for all of kibana.

The challenge here is that some people run multiple different kibana apps on a single cluster. I can only think of one way to support this: we do index-level permissions and then hang all of the permissions for a single kibana install off of its corresponding .kibana index. Kibana then always check privileges on its index regardless of whether it ultimately accesses somewhere else like .reporting.

I'm open to ideas here, though!

Naming

I don't have strong opinions about this, but if we do cluster-level privileges, calling them "application" privileges doesn't seem accurate. If we did index level privileges or if ES somehow tracked the notion of external applications, then application privileges would make a lot of sense to me. External privileges seems fine either way.

[elasticmachine]

Original comment by @kobelb:

Court's done a good job, like usual, summarizing Kibana's usage/needs.

The challenge here is that some people run multiple different kibana apps on a single cluster. I can only think of one way to support this: we do index-level permissions and then hang all of the permissions for a single kibana install off of its corresponding .kibana index. Kibana then always check privileges on its index regardless of whether it ultimately accesses somewhere else like .reporting.

I think this makes sense, and I can't think of a better alternative. The only other option I can think of would be to keep the reporting custom privileges/roles in the .reporting index, but then we'd have to enumerate all of the application indices when allowing users to choose custom roles for users, making this process more complicated. I don't see any downsides to putting all of these roles/privileges in the .kibana index that corresponds to the .reporting index.

[elasticmachine]

Original comment by @tvernum:

Other than the existence of additional REST endpoints, how does the complexity of this implementation differ from the way ES privileges are handled today?

The main difference is that the existing privileges are all fixed in code, and available with zero-lookup.

API-defined privileges need to be stored in an index (technically there's other places, but it would be an index) which means we need to do I/O and async lookups and deal with unavailable shards, etc.

All of which is totally fine - we do it for users, roles, role mappings, etc etc. But it's overhead that we don't want to pay for if no one needs it.

[elasticmachine]

Original comment by @kobelb:

The main difference is that the existing privileges are all fixed in code, and available with zero-lookup.

API-defined privileges need to be stored in an index (technically there's other places, but it would be an index) which means we need to do I/O and async lookups and deal with unavailable shards, etc.

All of which is totally fine - we do it for users, roles, role mappings, etc etc. But it's overhead that we don't want to pay for if no one needs it.

It'll definitely be used by Kibana, and would provide a more consistent approach, so I'd also prefer it was added on the Elasticsearch side of things.

[elasticmachine]

Original comment by @tvernum:

The challenge here is that some people run multiple different kibana apps on a single cluster. I can only think of one way to support this: we do index-level permissions and then hang all of the permissions for a single kibana install off of its corresponding .kibana index. Kibana then always check privileges on its index regardless of whether it ultimately accesses somewhere else like .reporting

In my examples above, I name spaced all the Kibana privileges, e.g. kibana:read (or maybe kibana:reporting is more representative). I plan on enforcing that external-bespoke-application privileges have an application prefix.
If you had some system for enforcing unique "kibana-name" across the kibana instances, the you could put the privileges into separate namespaces - kibana-sales:reporting, kibana-soc:reporting etc.
I suspect that would get messy with renaming, and uniqueness. But it would make version upgrades easier (upgrading 1 kibana wouldn't change the privilege set for another kibana).

[elasticmachine]

Original comment by @clintongormley:

I think before we can answer a question about how to structure these privileges, we should make a big list of all the privileges that we need. The answer should fall out of that

[elasticmachine]

Original comment by @epixa:

We don't know all of the privileges we'll need, but I can give an example that includes some that we do know. For the sake of not conflating our needs with any specific implementation, I'm just going to describe intentions here rather than actually giving each privilege a specific name. Nesting is represented with indents, so to give access to all children, you'd only need to give access to the parent.

can access kibana (can they login and have a user profile?)
developer access (can they use dev tools?)
monitoring access (can they access monitoring?)
reporting access (own reports only, may not actually be necessary if we apply OLS to reporting)
management access (can they access the management app?)
    manage active user sessions
admin access
    read global kibana data (e.g. user profiles, system health, installed plugins)
    execute global kibana actions (e.g. changing settings)
    reporting admin
        can see all reports
        can delete any report

This is just a straw man. I can envision a totally different approach to privilege hierarchy that breaks down privileges by the [core_]plugins that they are relevant to alongside a single set of "global" admin level privileges. From an ES perspective, the two approaches are identical.

[elasticmachine]

Original comment by @kobelb:

If you had some system for enforcing unique "kibana-name" across the kibana instances, the you could put the privileges into separate namespaces - kibana-sales:reporting, kibana-soc:reporting etc.
I suspect that would get messy with renaming, and uniqueness. But it would make version upgrades easier (upgrading 1 kibana wouldn't change the privilege set for another kibana).

Just to clarify how this will likely work, when we create a specific role that has the custom Kibana privileges it will be scoped to specific indices, as this is the way that Elasticsearch roles work currently. By default we'd created the role that grants privileges to the default .kibana index. If the user wished to create a separate instance of Kibana that used a different index, they'd have to duplicate this role with the custom privileges and assign it to the different index.

Within Kibana's server, we'd be verifying that the user has a role with specific custom privileges on the index. By convention, we'd be requiring users to create these namespaces themselves.

[elasticmachine]

Original comment by @kobelb:

After the discussion at engineering all hands, @legrego and I discussed how custom privileges on roles could be used by RBAC, and it's something we'd like to use. Additionally, the ability to specify the privilege tree would be greatly beneficial.

[elasticmachine]

Original comment by @tvernum:

@kobelb I'll draft something about how I think you could model the privileges described in epixa's LINK REDACTED, and then we can flesh out the details.