Skip to content

Add support for deprecated roles#57209

Merged
legrego merged 14 commits intoelastic:masterfrom
legrego:security/support-deprecated-roles
Mar 3, 2020
Merged

Add support for deprecated roles#57209
legrego merged 14 commits intoelastic:masterfrom
legrego:security/support-deprecated-roles

Conversation

@legrego
Copy link
Copy Markdown
Member

@legrego legrego commented Feb 10, 2020
edited
Loading

Summary

Updates the User, Role, and Role Mappings management pages to warn about the use of deprecated roles.

Resolves #25722

Dashboard Only Mode Roles

Deprecates the advanced setting:
image

User Grid Page

image

Edit User Page

image

image

Role Grid Page

image

View Deprecated Role

image

Role Mappings Grid Page

image

Edit Role Mapping Page

image

@legrego legrego force-pushed the security/support-deprecated-roles branch from f32c39c to e5141b7 Compare February 10, 2020 20:02
@legrego legrego force-pushed the security/support-deprecated-roles branch from e5141b7 to 58a25fa Compare February 11, 2020 16:04
@legrego legrego mentioned this pull request Feb 11, 2020
Closed
4 tasks
@legrego legrego added Feature:Security/Authorization Platform Security - Authorization release_note:enhancement Team:Security Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc t// v7.7.0 v8.0.0 labels Feb 12, 2020
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Feb 12, 2020

Pinging @elastic/kibana-security (Team:Security)

@legrego legrego marked this pull request as ready for review February 12, 2020 12:58
@legrego legrego requested review from a team as code owners February 12, 2020 12:58
legrego
legrego commented Feb 12, 2020
View reviewed changes
x-pack/plugins/security/common/model/role.ts
*/
export function isReadOnlyRole(role: Partial<Role>): boolean {
return isReservedRole(role) || (role._transform_error?.length ?? 0) > 0;
export function isRoleReadOnly(role: Partial<Role>): boolean {
Copy link
Copy Markdown
Member Author

@legrego legrego Feb 11, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note Just a rename to be more consistent with the other functions in this module

x-pack/plugins/security/public/account_management/account_management_page.tsx

interface Props {
authc: AuthenticationServiceSetup;
apiClient: PublicMethodsOf<UserAPIClient>;
Copy link
Copy Markdown
Member Author

@legrego legrego Feb 11, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: just a rename to make the client instance clearer, since this component now requires two API clients

src/core/public/doc_links/doc_links_service.ts
},
management: {
kibanaSearchSettings: `${ELASTIC_WEBSITE_URL}guide/en/kibana/${DOC_LINK_VERSION}/advanced-options.html#kibana-search-settings`,
dashboardSettings: `${ELASTIC_WEBSITE_URL}guide/en/kibana/${DOC_LINK_VERSION}/advanced-options.html#kibana-dashboard-settings`,
Copy link
Copy Markdown
Member Author

@legrego legrego Feb 12, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added to support the Deprecated badge for the xpackDashboardMode:roles Advanced Setting added in:

https://github.com/legrego/kibana/blob/58a25faaad88409fcda649dbb204c37d4b0a360b/x-pack/legacy/plugins/dashboard_mode/index.js#L36-L43

.../public/management/role_mappings/edit_role_mapping/mapping_info_panel/mapping_info_panel.tsx
defaultMessage="Enable mapping"
/>
}
label={i18n.translate(
Copy link
Copy Markdown
Member Author

@legrego legrego Feb 12, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note This just resolves an EUI warning where EuiSwitch's label must be a string when showLabel={false}.

pgayvallet
pgayvallet approved these changes Feb 12, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@pgayvallet pgayvallet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM for platform changes

@legrego
Copy link
Copy Markdown
Member Author

legrego commented Feb 13, 2020

@elastic/kibana-security this is ready for review

@kobelb
Copy link
Copy Markdown
Contributor

kobelb commented Feb 14, 2020

ACK: reviewing

kobelb
kobelb reviewed Feb 14, 2020
View reviewed changes
lizozom
lizozom approved these changes Feb 16, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@lizozom lizozom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Snapshot changes.
LGTM

@legrego
Copy link
Copy Markdown
Member Author

legrego commented Feb 25, 2020

@elasticmachine merge upstream

@legrego legrego requested a review from kobelb February 25, 2020 20:00
@legrego
Copy link
Copy Markdown
Member Author

legrego commented Feb 27, 2020

@elasticmachine merge upstream

@legrego
Copy link
Copy Markdown
Member Author

legrego commented Feb 27, 2020

@elasticmachine merge upstream

@legrego
Copy link
Copy Markdown
Member Author

legrego commented Feb 28, 2020

@elasticmachine merge upstream

@legrego
Copy link
Copy Markdown
Member Author

legrego commented Feb 28, 2020

@kobelb this is ready for another pass. Flaky test result appears unrelated to any changes here.

@legrego legrego mentioned this pull request Mar 2, 2020
Closed
@gchaps
Copy link
Copy Markdown
Contributor

gchaps commented Mar 2, 2020

Here are some suggestions to tighten up the text a bit:

Tooltip
The kibana_user role is deprecated. Use kibana_admin instead.

Roles
This user is assigned a deprecated role. Please migrate to a supported role.

Feature privileges
This role is deprecated. Configure a custom role to grant access to the Dashboard feature.

Mapping
This mapping is assigned a deprecated role. Please migrate to a supported role.

@legrego
Copy link
Copy Markdown
Member Author

legrego commented Mar 3, 2020

Thanks @gchaps!

I'd like to make the copy for the "Tooltip" and "Feature privileges" suggestions match, as they're currently generated using a shared mechanism.

Would you be ok replacing

This role is deprecated. Configure a custom role to grant access to the Dashboard feature.

with

The kibana_dashboard_only_user role is deprecated. Configure a custom role to grant access to the Dashboard feature.
?

More generically, the message looks like this:

The {roleName} role is deprecated. {reason}.

Where {roleName} is the name of the deprecated role, and {reason} is the second half of the explanation, which is the part provided by Elasticsearch.

@legrego
Merge branch 'security/support-deprecated-roles' of github.com:legreg…
5b96cb9 
…o/kibana into security/support-deprecated-roles
@gchaps
Copy link
Copy Markdown
Contributor

gchaps commented Mar 3, 2020

@legrego good idea to make the text match. I edited the tooltip to match our marketing guidelines--we prefer to use Dashboard without "feature" or "app". Also, it makes the text shorter.

The kibana_dashboard_only_user role is deprecated. Configure a custom role to grant access to Dashboard.

@kibanamachine
Copy link
Copy Markdown
Contributor

kibanamachine commented Mar 3, 2020

💚 Build Succeeded

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@legrego legrego merged commit 74030c9 into elastic:master Mar 3, 2020
@legrego legrego deleted the security/support-deprecated-roles branch March 3, 2020 18:23
@legrego legrego mentioned this pull request Mar 3, 2020
Merged
legrego added a commit to legrego/kibana that referenced this pull request Mar 3, 2020
@legrego @elasticmachine
Add support for deprecated roles (elastic#57209)
732533d 
* Add support for deprecated roles

* address PR feedback

* remove unused import

* copy edits

* fix snapshots

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
@legrego legrego mentioned this pull request Mar 3, 2020
Closed
@legrego
Copy link
Copy Markdown
Member Author

legrego commented Mar 3, 2020

Opened corresponding Elasticsearch PR to update deprecation reasons: elastic/elasticsearch#53074

legrego added a commit that referenced this pull request Mar 3, 2020
@legrego @elasticmachine
Add support for deprecated roles (#57209) (#59197)
4e624b2 
* Add support for deprecated roles

* address PR feedback

* remove unused import

* copy edits

* fix snapshots

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
@lcawl lcawl mentioned this pull request Jun 17, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kobelb kobelb kobelb approved these changes

@pgayvallet pgayvallet pgayvallet approved these changes

+2 more reviewers

@lizozom lizozom lizozom approved these changes

@mshustov mshustov mshustov approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Feature:Security/Authorization Platform Security - Authorization release_note:enhancement Team:Security Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc t// v7.7.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Introduce kibana_admin role, deprecate kibana_user and kibana_dashboard_only_userroles

8 participants

@legrego @elasticmachine @kobelb @gchaps @kibanamachine @pgayvallet @lizozom @mshustov