Fix privileges check when security is not enabled #67308

Merged
jloleysens merged 1 commit into elastic:master from jloleysens:fix/privileges-check-with-sec-not-enabled
May 26, 2020

@jloleysens jloleysens commented May 26, 2020

Summary

Fix #66980

How to test

To reproduce in dev setup:

  1. Start ES with elasticsearch.yml config containing only what is in the config shipped with docker (https://github.com/elastic/elasticsearch/blob/master/distribution/docker/src/docker/config/elasticsearch.yml). I also removed the network.host: 0.0.0.0 setting.
  2. Start ES with xpack.security.enabled: boolean not in your kibana.dev.yml.
  3. Navigate to Snapshot and Restore and see reported error per issue

Notes to reviewer

  • Hitting GET _security/user/_privileges throws an internal server error from ES: "Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."

  • The issue here was that we were only checking for the existence of the security plugin and not whether it was enabled too - a case that can happen given the default docker distribution config.

  • Returning res.internalError(e) does not display the actual error message as res.internalError({ body: e }) does. In the former case the UI only has the message "Internal Server Error".

  • Did a scan over our other plugins and it looks like it was only Ingest Pipelines and Snapshot & Restore that had this issue. Please flag any other cases that might have the same issue.

Release Note

We fixed an integration issue with the security plugin in Ingest Pipelines and Snapshot and Restore that would incorrectly report requiring security to be enabled when the plugins should work normally without security. This affects the default docker distribution.

@jloleysens jloleysens added release_note:fix v8.0.0 Team:Kibana Management Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more t// Feature:Snapshot and Restore Elasticsearch snapshots and repositories UI v7.8.0 v7.6.3 v7.7.1 Feature:Ingest Node Pipelines Ingest node pipelines management v7.8.1 labels May 26, 2020
@jloleysens jloleysens requested a review from a team as a code owner May 26, 2020 09:13
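
The presence-only check and the presence-plus-enabled check from the notes above, side by side, as an added example that is not code from this PR or from Kibana. `SecurityState`, `fetchUserPrivileges`, `privilegesRoute` and the privilege names are assumptions, and the Elasticsearch call is a synchronous stub.

```typescript
// Added example. Every name here is hypothetical; this is not Kibana's plugin API.
interface SecurityState {
  pluginPresent: boolean; // the security plugin is available to the route
  enabled: boolean; // security is actually switched on in Elasticsearch
}

interface RouteResult {
  status: number;
  body: { hasAllPrivileges: boolean; missing: string[]; message?: string };
}

// Constructed sample of cluster privileges the UI needs.
const REQUIRED: string[] = ['manage_pipeline', 'manage_slm'];

// First sentence of the Elasticsearch error quoted in the PR notes.
const SECURITY_DISABLED_MESSAGE =
  'Security must be explicitly enabled when using a [basic] license.';

// Synchronous stand-in for GET _security/user/_privileges.
function fetchUserPrivileges(state: SecurityState, granted: string[]): { cluster: string[] } {
  if (!state.enabled) {
    throw new Error(SECURITY_DISABLED_MESSAGE);
  }
  return { cluster: granted };
}

// requireEnabled = false reproduces the presence-only check (before the fix);
// requireEnabled = true also asks whether security is enabled (after the fix).
function privilegesRoute(state: SecurityState, granted: string[], requireEnabled: boolean): RouteResult {
  const securityInEffect = state.pluginPresent && (!requireEnabled || state.enabled);
  if (!securityInEffect) {
    // Nothing to enforce, so the UI is told the user may proceed.
    return { status: 200, body: { hasAllPrivileges: true, missing: [] } };
  }
  try {
    const { cluster } = fetchUserPrivileges(state, granted);
    const missing = REQUIRED.filter((p) => cluster.indexOf(p) === -1);
    return { status: 200, body: { hasAllPrivileges: missing.length === 0, missing } };
  } catch (e) {
    // Carry the Elasticsearch message in the body so the UI shows more than
    // "Internal Server Error".
    const message = e instanceof Error ? e.message : String(e);
    return { status: 500, body: { hasAllPrivileges: false, missing: [], message } };
  }
}
```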

@sebelga sebelga left a comment

Code LGTM! I haven't tested locally.

> The issue here was that we were only checking for the existence of the security plugin and not whether it was enabled too

I'm confused. I remember asking the core team and they told me that if a plugin is present it means that it is enabled. How can a plugin not be enabled and be present? 😊

@kibanamachine

💚 Build Succeeded

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@jloleysens

@sebelga Thanks for the review!

Yeah, perhaps worth flagging this case more broadly.

@jloleysens jloleysens merged commit c508140 into elastic:master May 26, 2020
@jloleysens jloleysens deleted the fix/privileges-check-with-sec-not-enabled branch May 26, 2020 11:41
jloleysens added a commit to jloleysens/kibana that referenced this pull request May 26, 2020
jloleysens added a commit to jloleysens/kibana that referenced this pull request May 26, 2020
jloleysens added a commit to jloleysens/kibana that referenced this pull request May 26, 2020
# Conflicts:
#	x-pack/plugins/ingest_pipelines/kibana.json
#	x-pack/plugins/ingest_pipelines/server/plugin.ts
#	x-pack/plugins/ingest_pipelines/server/routes/api/privileges.ts
#	x-pack/plugins/ingest_pipelines/server/types.ts
@jloleysens jloleysens removed the v7.6.3 label May 26, 2020
jloleysens added a commit that referenced this pull request May 26, 2020
…ine-editor

* 'master' of github.com:elastic/kibana: (129 commits)
  [Canvas] Force embeddables to refresh when renderable reevaluated (#67133)
  [Canvas] Better handling navigating to/from canvas (#66407)
  [Ingest pipelines] Fix schema validation for simulate and update routes (#67199)
  do not use es from setup (#67277)
  Auto expand replicas for event log (#67286)
  Observability & APM do not use elasticsearch client provided via setup contract  (#67263)
  Fix privileges check when security is not enabled (#67308)
  add IIS home (#66918)
  [ML] Adding additional job service endpoint tests (#66892)
  [Ingest Manager] Update fleet internal doc with latest flags (#67193)
  [Discover] Deangularize the loading spinner (#67165)
  Add `application.navigateToUrl` core API (#67110)
  Improve indexpattern without timefield functional test (#67031)
  KibanaContext in index pattern managment ui (#66985)
  Fix Azure metrics tutorial inside the App Home/ Add data area (#66901)
  add azure logs home (#66910)
  fix: rum agent should work correctly on new platform (#67037)
  [test_utils/Testbed] Move to src/test_utils folder (OSS) (#66898)
  only block registration when appRoute contains the exact basePath (#67125)
  Changed actions API endpoints urls to follow Kibana STYLEGUIDE (#65936)
  ...

# Conflicts:
#	x-pack/plugins/ingest_pipelines/public/application/components/pipeline_form/pipeline_form_fields.tsx
jloleysens added a commit that referenced this pull request May 26, 2020
)

* Fix privileges check when security is not enabled (#67308)

# Conflicts:
#	x-pack/plugins/ingest_pipelines/kibana.json
#	x-pack/plugins/ingest_pipelines/server/plugin.ts
#	x-pack/plugins/ingest_pipelines/server/routes/api/privileges.ts
#	x-pack/plugins/ingest_pipelines/server/types.ts

* Use legacy compat security

Development

Successfully merging this pull request may close these issues.

7.7.0 Snapshot/restore privilege error without security