See #35841 (comment) for context.
Currently, it's possible for two features to register the same tag for securing access to API endpoints. This can lead to collisions which could cause a user to have access to API endpoints they shouldn't have access to.
Example:
```js
// Feature 1
xpackMain.registerFeature({
  id: 'feature1',
  privileges: {
    all: { api: ['foo'] }
  },
  // ...
});

// Feature 2
xpackMain.registerFeature({
  id: 'feature2',
  privileges: {
    all: { api: ['foo'] }
  },
  // ...
});
```
With this configuration, a user with access to only Feature 1 would have the ability to execute Feature 2's API endpoints (and vice versa).
With the NP initiative, we should explore alternate approaches to securing endpoints in a way that does not lead to collisions.
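One way to surface the collision described above is to reject a duplicate API tag at registration time. This is an added example, not Kibana's code and not an approach proposed in the issue; `FeatureRegistry`, `apiTags`, `ownerOf` and `demo` are hypothetical names, and the feature objects are constructed to mirror the two registrations shown.

```javascript
// Hypothetical registry (assumption): not the xpackMain implementation.
class FeatureRegistry {
  constructor() {
    this.features = new Map();  // feature id -> feature definition
    this.tagOwners = new Map(); // API tag -> id of the feature that claimed it
  }
  // Collect every API tag a feature declares across all of its privileges.
  static apiTags(feature) {
    const tags = new Set();
    for (const privilege of Object.values(feature.privileges || {})) {
      for (const tag of privilege.api || []) tags.add(tag);
    }
    return tags;
  }
  registerFeature(feature) {
    if (this.features.has(feature.id)) {
      throw new Error(`Feature "${feature.id}" is already registered`);
    }
    const tags = FeatureRegistry.apiTags(feature);
    // Check every tag before mutating state so a rejected feature leaves nothing behind.
    for (const tag of tags) {
      const owner = this.tagOwners.get(tag);
      if (owner !== undefined) {
        throw new Error(`API tag "${tag}" of "${feature.id}" is already claimed by "${owner}"`);
      }
    }
    for (const tag of tags) this.tagOwners.set(tag, feature.id);
    this.features.set(feature.id, feature);
  }
  // Which feature's privileges authorize routes carrying this tag?
  ownerOf(tag) {
    return this.tagOwners.get(tag);
  }
}

// Constructed sample input mirroring the two registrations in the issue.
function demo() {
  const registry = new FeatureRegistry();
  registry.registerFeature({ id: 'feature1', privileges: { all: { api: ['foo'] } } });
  try {
    registry.registerFeature({ id: 'feature2', privileges: { all: { api: ['foo'] } } });
    return { rejected: false };
  } catch (err) {
    return { rejected: true, message: err.message, owner: registry.ownerOf('foo') };
  }
}
```

A tag reused across several privileges of the same feature is still accepted; only a second feature claiming it is rejected.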