[SO Tagging] Avoid fetching tags when user doesn't have the permission #160754
Comments
Pinging @elastic/appex-sharedux (Team:SharedUX)
@pgayvallet I'm actually a fan of "option one": we should have a server and client-side check for if the person has access to tagging functionality. We'd want to hide the UX, prevent the request, and throw if the API endpoint is hit under those circumstances. Is there something I'm missing?
I think the major problem here is that we don't have a way to perform such authz / capabilities check from the client-side (at least that I'm aware of, but @elastic/kibana-security would need to confirm).
Do we consider
@legrego IIRC, we did not do that at the time because the security team (Joe? Brandon?) discouraged us from doing so (but it's been a long time, I could remember wrong). But yes, I think we can consider tags to be a "platform feature", and granting
I unfortunately can't remember either, and I very well may have been one of the voices in this conversation.
I don't think that this would pose any meaningful risk, but I'll ping the rest of @elastic/kibana-security for further input
I can't think of any risk as well. For what it's worth, I tried to dig into the original discussion about the Tagging permission model, but couldn't find anything specific about this topic: #74571 (comment).
If we move forward with this, the automated privilege grants are maintained within the kibana/x-pack/plugins/features/server/feature_registry.ts Lines 115 to 139 in 02a43a1
Any news about this issue?
@vadimkibana - are you planning on wrapping this up or can we re-assign to someone else for quick attention?
At the moment, the SO tagging plugin fetches the tags at a fixed interval (15 mins by default), for every user, as long as we're authenticated (meaning: not on anonymous pages).
However, to have `read` permission on the `tag` type, a user must have access to at least one Kibana feature / application that uses tags (dashboard, visualization...), or to the `savedObjectsManagement` feature.
When trying to fetch tags for a user without such permission, an unauthorized error is thrown, and is visible both in the server logs, and in the request's response.
We should avoid such errors, either by:
IMHO the second option would be the best one (as the third option would not get rid of the error in the logs, given it's thrown from a lower layer).
Technical pointers
polling mechanism on the client side
kibana/x-pack/plugins/saved_objects_tagging/public/plugin.ts
Lines 71 to 84 in 3730dd0
the route
kibana/x-pack/plugins/saved_objects_tagging/server/routes/tags/get_all_tags.ts
Lines 11 to 18 in a02c00b
the service opening the PIT
kibana/x-pack/plugins/saved_objects_tagging/server/services/tags/tags_client.ts
Lines 51 to 55 in c6d4fb5
the error that surfaces when we fetch the tags on behalf of a user without the correct permissions
kibana/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/point_in_time_finder.ts
Lines 130 to 133 in 9408552
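The approach raised in the discussion (prevent the request on the client, reject at the endpoint before the lower layer is reached), as an added example that is not part of the issue or of Kibana's code. It assumes the client can see a capability map; every name in it (`canReadTags`, `getAllTagsRoute`, `TagPoller`, the feature ids and the `show` flag) is hypothetical.

```typescript
// Added illustration; every name here is hypothetical, not Kibana's API.
type Capabilities = Record<string, Record<string, boolean>>;
type TagsResponse = { status: 200; tags: string[] } | { status: 403 };

// Client-side gate: tags are readable if any feature that uses them is
// accessible. The feature ids and the `show` flag are constructed values.
const TAG_FEATURES = ['dashboard', 'visualize', 'savedObjectsManagement'];
function canReadTags(caps: Capabilities): boolean {
  return TAG_FEATURES.some((id) => caps[id]?.show === true);
}

// Server-side gate: answer 403 before the storage layer is called, so the
// unauthorized error is never thrown (and logged) from the lower layer.
function getAllTagsRoute(caps: Capabilities, findAll: () => string[]): TagsResponse {
  if (!canReadTags(caps)) return { status: 403 };
  return { status: 200, tags: findAll() };
}

// Poller: tick() stands for one firing of the fixed-interval timer. It sends
// nothing while the gate is closed, and stops for good after a 403 instead of
// repeating the failing request on every interval.
class TagPoller {
  requests = 0;
  tags: string[] = [];
  private stopped = false;
  private caps: Capabilities;
  private request: () => TagsResponse;

  constructor(caps: Capabilities, request: () => TagsResponse) {
    this.caps = caps;
    this.request = request;
  }

  tick(): void {
    if (this.stopped || !canReadTags(this.caps)) return;
    this.requests++;
    const res = this.request();
    if (res.status === 403) {
      this.stopped = true; // client capabilities were stale; back off
      return;
    }
    this.tags = res.tags;
  }
}
```

The client-side check only saves requests and log noise; the server-side check is the one that enforces access, since the client's capability map can be stale or tampered with.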