Expose AnonymousAccess service through Security OSS plugin.

[azasypkin]

In this PR I'm introducing a new Anonymous Access domain that spans both authentication and authorization pieces and will serve as a base for any future improvements related to the anonymous access.

There are four main changes in this PR:

• X-Pack Security plugin creates a new AnonymousAccessService that can figure out if anonymous service account can successfully authenticate and what capabilities it has. It's registered with Security OSS plugin.
• Security OSS plugin exposes /internal/security_oss/anonymous_access/capabilities Spaces aware endpoint that can be used to check what capabilities are available to anonymous service account using the registered AnonymousAccessService.
• Security OSS plugin exposes the following anonymous access related functionality in its start contract:

anonymousAccess: {
  getAccessURLParameters: () => Promise<Record<string, string> | null>;
  getCapabilities: () => Promise<Capabilities>;
};

• Security OSS plugin now hits /internal/security_oss/app_state endpoint in start to fetch the application state.

Prerequisite for: #86965 and #83650

[azasypkin]

note: My understanding and main assumption is that using endpoints and capabilities exposed by the X-Pack counterpart in the OSS version of the plugin is acceptable as long as it works fine with OSS distribution. What do you think?

[legrego]

I think capabilities are more OK than endpoints, but I don't know if we've codified this anywhere.

I don't love the idea of using x-pack endpoints in OSS, because that could lead to 404 errors, which is sloppy. I see you've guarded against that here, but I worry about the precedent this sets.

For the insecure cluster warning, we defined the endpoint in OSS and allowed x-pack security to augment the logic. This allows the endpoint to work in all distributions, while still allowing for distribution-specific behavior.

[azasypkin]

I don't love the idea of using x-pack endpoints in OSS, because that could lead to 404 errors, which is sloppy. I see you've guarded against that here, but I worry about the precedent this sets.

For the insecure cluster warning, we defined the endpoint in OSS and allowed x-pack security to augment the logic. This allows the endpoint to work in all distributions, while still allowing for distribution-specific behavior.

Yeah, from the technical side I agree with your sentiment. It just feels to me that we're building all these abstractions only to pretend that there is no explicit dependency between OSS and X-Pack plugin parts when in reality the only purpose of the the X-Pack_Something_OSS plugins is to support their main plugins across distributions while being useless on its own. The insecure cluster warning is just a great exception that does its job even without X-Pack part though.

Let me see if I can find a better way to preserve a status quo here 😛

[azasypkin]

question: do we have any better option to do what I do right now?

[legrego]

Not really 🙁. Core support for something better is being discussed in #39430, but for the time being this is the generally accepted short-term solution.

[azasypkin]

Got it, thanks for confirming!

[azasypkin]

note: finally making our setup sync.

[azasypkin]

note: I was hesitating about this one since it has nothing to do with the feature controls (FC) and UI capabilities are mainly used with FC right now. But if I understand the idea behind Core's/OSS UI capabilities then it's not necessarily related to the FC or Security in general, so I thought that anonymous access can be treated as a capability that may affect the way we render UI.

Am I just looking for excuse or you think it's a valid use case for UI capabilities as well? The main motivator is to avoid unnecessary call to the Kibana server on every page refresh just to know that anonymous access isn't enabled (yeah, I'm missing good old injected vars 🙈 )

[azasypkin]

@legrego would you mind giving a preliminary feedback (tests are not ready yet) on the approach I picked in this PR, whenever you have time? I left a couple of questions for you.

Thanks!

[legrego]

Here are my preliminary thoughts - happy to discuss further! Thanks for putting this together ❤️

[legrego]

I'm also hesitant about this. UI Capabilities were designed to support FC, but that doesn't mean they can't be used for other purposes. That said, I'm not convinced this is the right tool for the job.

The main motivator is to avoid unnecessary call to the Kibana server on every page refresh just to know that anonymous access isn't enabled (yeah, I'm missing good old injected vars 🙈 )

I miss injected vars too! If the network call is the primary motivation, then perhaps we can tweak the security_oss plugin a bit. The OSS plugin makes a call to determine if the "insecure cluster warning" should be shown.

If we wanted to, we could introduce an /internal/security/setup (or similar) call, which can return information for both the "insecure cluster warning" and the state of anonymous access. That would keep the number of network calls the same as it is today, without changing the way that UI Capabilities are used. What do you think?

[azasypkin]

If we wanted to, we could introduce an /internal/security/setup (or similar) call, which can return information for both the "insecure cluster warning" and the state of anonymous access. That would keep the number of network calls the same as it is today, without changing the way that UI Capabilities are used. What do you think?

Yeah, I like that! I'll try to do that.

[legrego]

Not really 🙁. Core support for something better is being discussed in #39430, but for the time being this is the generally accepted short-term solution.

[legrego]

nit: While I'm generally a fan of logging all the things, these might be unnecessary. The return value here (which currently translates to the API route return value) isn't really transformed or fed into another server-side process.

[azasypkin]

Was mostly using it to distinguish canAccess: false for the case when user cannot access something and when anonymous is not enabled. But yeah, it makes more sense to log it in the route instead (or wherever this API is used) 👍

[legrego]

question is there harm in supplying the access url parameters if anonymous is the default provider? If an administrator changes the auth provider config, then they'd potentially invalidate any previously generated URLs if the anonymous provider suddenly isn't the default anymore.

[azasypkin]

question is there harm in supplying the access url parameters if anonymous is the default provider?

Well, the base assumption here (we'll need to verify) that anonymous access will be the only one or default one in the majority of the setups. And the idea is that Share plugin shouldn't show Public URL option during sharing/embedding if there is nothing special to be added to the URL that would make UI less loaded and confusing.

If an administrator changes the auth provider config, then they'd potentially invalidate any previously generated URLs if the anonymous provider suddenly isn't the default anymore.

Actually it feels reasonable to me to show login selector if the URL was shared without Public URL (was hidden when anonymous was default, so user didn't indicate that this URL should use anonymous access specifically) in case anonymous becomes non-default.

Do you see any issues here?

[legrego]

Well, the base assumption here (we'll need to verify) that anonymous access will be the only one or default one in the majority of the setups. And the idea is that Share plugin shouldn't show Public URL option during sharing/embedding if there is nothing special to be added to the URL that would make UI less loaded and confusing.

I'd personally be surprised if anonymous access was commonly the only provider, but I take your point here.

Actually it feels reasonable to me to show login selector if the URL was shared without Public URL (was hidden when anonymous was default, so user didn't indicate that this URL should use anonymous access specifically) in case anonymous becomes non-default.

I'm torn on this. From a security perspective, it makes sense to fail closed if the auth config changes in a way that alters the default provider. On the other hand, the administrator has to take explicit action to make the anonymous provider the default/only provider, so you could argue that generating these share links is intentionally making them available anonymously.

Let's keep it the way you have it for now. This is something we can easily change if we decide to take a different approach

[legrego]

❤️

[legrego]

nit: warn might be a better severity here.

[legrego]

I think capabilities are more OK than endpoints, but I don't know if we've codified this anywhere.

I don't love the idea of using x-pack endpoints in OSS, because that could lead to 404 errors, which is sloppy. I see you've guarded against that here, but I worry about the precedent this sets.

For the insecure cluster warning, we defined the endpoint in OSS and allowed x-pack security to augment the logic. This allows the endpoint to work in all distributions, while still allowing for distribution-specific behavior.

[azasypkin]

note: couldn't find a better name for that service, data and endpoint, kind of analogy with ASP.NET view state, but happy to take any other name if you have suggestions.

[legrego]

I'm fine with AppState here. That makes sense to me

[azasypkin]

Thanks for the feedback @legrego ! I took a stub at implementing changes we discussed yesterday, turned out a bit more complex than I expected, but it seems to do the job. Would you mind taking a look whenever you have time and let me know if it corresponds to what you had in mind?

[azasypkin]

note: We can keep this check here if you wish, but we have it in the AppState service now and the overhead we'll get here should be negligible in theory (unnecessary Observable subscription in initializeAlert)

[azasypkin]

note: I'll discuss the final API shape with AppArch, but I don't expect it to change too much. It feels the best option would be to give Share plugin consumers entire capabilities object so that they can the check on their own.

[legrego]

I agree, I don't see a need to filter out the capabilities object on our side.

[azasypkin]

note: kind of clumsy, but I cannot think of a better approach to pass service that is only available at start.

[legrego]

Agreed. It's at least consistent with the way we've done this elsewhere 🤷‍♂️

[legrego]

Thanks for the edits! The high-level approach here looks good to me, and I think this will work really well for the sharing use case

[legrego]

🏅 thanks for falling back with .catch()

[legrego]

We recently introduced the concept of "default capabilities" into core, so I think we should instead use that mechanism here. This will allow us to return the full set of UI capabilities, so consumers won't have to worry as much about undefined properties on the capabilities object.

We'll need to update the resolveCapabilities signature to allow for an optional useDefaultCapabilities boolean, which we can pass through to the underlying function which currently defaults to false.

So the call here would instead look something like:

Suggested change

	return DEFAULT_CAPABILITIES;
	return capabilities.resolveCapabilities(fakeRequest, true);

[azasypkin]

Oh, interesting, didn't know that. It sounds like a way to go then, but it can be a bit tricky for the case when anonymous service account isn't properly configured and we'll get 401. If I understand everything correctly we have 3 different cases here:

• Anonymous access is not enabled:

const fakeAnonymousRequest = KibanaRequest.from({ auth: { isAuthenticated: false } });
const caps = await capabilities.resolveCapabilities(fakeAnonymousRequest, { useDefaultCaps: true });

• Anonymous access is enabled and properly configured:

const fakeAnonymousRequest = KibanaRequest.from({ auth: { isAuthenticated: true } });
const caps = await capabilities.resolveCapabilities(fakeAnonymousRequest);

• Anonymous access is enabled but misconfigured (we don't know that in advance):

const fakeAnonymousRequest = KibanaRequest.from({ auth: { isAuthenticated: true } });
const caps = await capabilities.resolveCapabilities(fakeAnonymousRequest);

// if we get 401 then we'll try again this:

const fakeAnonymousRequest = KibanaRequest.from({ auth: { isAuthenticated: false } });
const caps = await capabilities.resolveCapabilities(fakeAnonymousRequest, { useDefaultCaps: true });

For the last case we could also make an additional "pre-flight" request to _authenticate and depending on the result switch useDefaultCaps and isAuthenticated on or off. It may be more correct solution, but I'm not sure if it makes sense to optimize for the case that should be very rare at the cost of an additional request for all cases.

What do you think? I'll go ahead without pre-flight request to _authenticate for now, but can quickly adjust.

[legrego]

I think you summarized the scenarios correctly here. For the misconfigured case, I don't have a strong opinion either way - _authenticate does feel more correct, so I'm +1 as long as it's not too difficult to implement.

[legrego]

It looks like this route is always expecting the anonymous access service to be defined, but since it's only registered by x-pack security (as far as I can see), I think this will throw an exception for the OSS distribution whenever its called.

[azasypkin]

Yeah, it will, and user will get 500 error. Would you like it to have some default 200 behavior (then we'll have to have default capabilities in two places or return null/empty object) or just more appropriate error code (e.g. 501 Not Implemented or 403 Forbidden)?

[legrego]

I like 501 Not Implemented for this case. I assume that this endpoint won't normally be called if anonymous access is disabled (and by extension, when called in the OSS distribution)? In other words, we'll have enough information client-side so that we know not to even attempt the call

[azasypkin]

I assume that this endpoint won't normally be called if anonymous access is disabled (and by extension, when called in the OSS distribution)?

Correct, there shouldn't be any case when Kibana would call it with disabled anonymous access.

[legrego]

Agreed. It's at least consistent with the way we've done this elsewhere 🤷‍♂️

[legrego]

I'm fine with AppState here. That makes sense to me

[legrego]

I agree, I don't see a need to filter out the capabilities object on our side.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[pgayvallet]

LGTM for core changes

[pgayvallet]

NIT: imho options?.useDefaultCapabilities ?? false is slightly more explicit.

[azasypkin]

Yep, agree. I'll change, thanks!

[legrego]

@elasticmachine merge upstream

[legrego]

I'll try to finish reviewing this tomorrow 👍

[legrego]

LGTM with some optional nits - tested locally, and all seems to be working great!

[legrego]

optional nit: unnecessary await

[azasypkin]

I think there was a verbal agreement in a Platform team long ago to do this since we don't define return type explicitly here and it's not always obvious that function returns Promise. I couldn't find it recorded anywhere, so will remove it.

[legrego]

optional nit: similar to #87091 (comment):

Suggested change

	isEnabled: !!anonymousAccessService?.isAnonymousAccessEnabled,
	isEnabled: anonymousAccessService?.isAnonymousAccessEnabled ?? false,

[azasypkin]

Thanks, I need to get used to this better/more readable alternative!

[legrego]

nit: the comment about "specified Saved Object type" isn't relevant anymore, now that we're performing a capabilities check instead of an explicit Saved Object Type check

[legrego]

Thanks for the comment here 👍

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 35d89ad

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securityOss	8	10	+2

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
securityOss	11.6KB	13.1KB	+1.5KB

History

• 💚 Build #98713 succeeded db91b20
• 💚 Build #98215 succeeded ea31566
• 💚 Build #97868 succeeded e877c5b
• 💚 Build #97687 succeeded bc7f9b1
• 💚 Build #97671 succeeded 2277675

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[azasypkin]

7.x/7.12.0: 93db245