-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Register kibana_dashboard_only_user and kibana_user roles deprecations in UA.
#110960
Merged
azasypkin
merged 13 commits into
elastic:7.x
from
azasypkin:issue-xxx-role-deprecations
Oct 18, 2021
Merged
Changes from 1 commit
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
19267a9
Register `kibana_dashboard_only_user` and `kibana_user` roles depreca…
azasypkin 9196893
Merge branch '7.x' into issue-xxx-role-deprecations
azasypkin 0c4ecd0
Review#1: improve deprecation messages.
azasypkin f0e3b24
Sync i18n labels with the same IDs.
azasypkin afb31ce
Merge branch '7.x' into issue-xxx-role-deprecations
azasypkin 7d9b3e5
Update test snapshots.
azasypkin 98f000a
Remove `in favor of` as suggested in the guidelines.
azasypkin 2c57ba7
Merge branch '7.x' into issue-xxx-role-deprecations
azasypkin 921aff2
Improve deprecation messages and use more appropriate documentation l…
azasypkin f4026be
Penalty for not being attentive enough.
azasypkin e88267b
Merge branch '7.x' into issue-xxx-role-deprecations
azasypkin 7fd0a88
Review#3: improve deprecation messages.
azasypkin 88fa862
Merge branch '7.x' into issue-xxx-role-deprecations
kibanamachine File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License | ||
| * 2.0; you may not use this file except in compliance with the Elastic License | ||
| * 2.0. | ||
| */ | ||
|
|
||
| export { | ||
| registerKibanaDashboardOnlyRoleDeprecation, | ||
| KIBANA_DASHBOARD_ONLY_USER_ROLE_NAME, | ||
| } from './kibana_dashboard_only_role'; | ||
| export { | ||
| registerKibanaUserRoleDeprecation, | ||
| KIBANA_ADMIN_ROLE_NAME, | ||
| KIBANA_USER_ROLE_NAME, | ||
| } from './kibana_user_role'; |
322 changes: 322 additions & 0 deletions
322
x-pack/plugins/security/server/deprecations/kibana_dashboard_only_role.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,322 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License | ||
| * 2.0; you may not use this file except in compliance with the Elastic License | ||
| * 2.0. | ||
| */ | ||
|
|
||
| import { errors } from '@elastic/elasticsearch'; | ||
| import type { SecurityRoleMapping, SecurityUser } from '@elastic/elasticsearch/api/types'; | ||
|
|
||
| import type { PackageInfo, RegisterDeprecationsConfig } from 'src/core/server'; | ||
| import { | ||
| deprecationsServiceMock, | ||
| elasticsearchServiceMock, | ||
| loggingSystemMock, | ||
| savedObjectsClientMock, | ||
| } from 'src/core/server/mocks'; | ||
|
|
||
| import { licenseMock } from '../../common/licensing/index.mock'; | ||
| import { securityMock } from '../mocks'; | ||
| import { registerKibanaDashboardOnlyRoleDeprecation } from './kibana_dashboard_only_role'; | ||
|
|
||
| function getDepsMock() { | ||
| return { | ||
| logger: loggingSystemMock.createLogger(), | ||
| deprecationsService: deprecationsServiceMock.createSetupContract(), | ||
| license: licenseMock.create(), | ||
| packageInfo: { | ||
| branch: 'some-branch', | ||
| buildSha: 'sha', | ||
| dist: true, | ||
| version: '8.0.0', | ||
| buildNum: 1, | ||
| } as PackageInfo, | ||
| }; | ||
| } | ||
|
|
||
| function getContextMock() { | ||
| return { | ||
| esClient: elasticsearchServiceMock.createScopedClusterClient(), | ||
| savedObjectsClient: savedObjectsClientMock.create(), | ||
| }; | ||
| } | ||
|
|
||
| function createMockUser(user: Partial<SecurityUser> = {}) { | ||
| return { enabled: true, username: 'userA', roles: ['roleA'], metadata: {}, ...user }; | ||
| } | ||
|
|
||
| function createMockRoleMapping(mapping: Partial<SecurityRoleMapping> = {}) { | ||
| return { enabled: true, roles: ['roleA'], rules: {}, metadata: {}, ...mapping }; | ||
| } | ||
|
|
||
| describe('Kibana Dashboard Only User role deprecations', () => { | ||
| let mockDeps: ReturnType<typeof getDepsMock>; | ||
| let mockContext: ReturnType<typeof getContextMock>; | ||
| let deprecationHandler: RegisterDeprecationsConfig; | ||
| beforeEach(() => { | ||
| mockContext = getContextMock(); | ||
| mockDeps = getDepsMock(); | ||
| registerKibanaDashboardOnlyRoleDeprecation(mockDeps); | ||
|
|
||
| expect(mockDeps.deprecationsService.registerDeprecations).toHaveBeenCalledTimes(1); | ||
| deprecationHandler = mockDeps.deprecationsService.registerDeprecations.mock.calls[0][0]; | ||
| }); | ||
|
|
||
| it('does not return any deprecations if security is not enabled', async () => { | ||
| mockDeps.license.isEnabled.mockReturnValue(false); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toEqual([]); | ||
| expect(mockContext.esClient.asCurrentUser.security.getUser).not.toHaveBeenCalled(); | ||
| expect(mockContext.esClient.asCurrentUser.security.getRoleMapping).not.toHaveBeenCalled(); | ||
| }); | ||
|
|
||
| it('does not return any deprecations if none of the users and role mappings has a dashboard only role', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { userA: createMockUser() } }) | ||
| ); | ||
|
|
||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ | ||
| body: { | ||
| mappingA: { enabled: true, roles: ['roleA'], rules: {}, metadata: {} }, | ||
| }, | ||
| }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toEqual([]); | ||
| }); | ||
|
|
||
| it('returns deprecations even if cannot retrieve users due to permission error', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockRejectedValue( | ||
| new errors.ResponseError(securityMock.createApiResponse({ statusCode: 403, body: {} })) | ||
| ); | ||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { mappingA: createMockRoleMapping() } }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Make sure you have a \\"manage_security\\" cluster privilege assigned.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/kibana/some-branch/xpack-security.html#_required_permissions_7", | ||
| "level": "fetch_error", | ||
| "message": "You do not have enough permissions to fix this deprecation.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is removed", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns deprecations even if cannot retrieve users due to unknown error', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockRejectedValue( | ||
| new errors.ResponseError(securityMock.createApiResponse({ statusCode: 500, body: {} })) | ||
| ); | ||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { mappingA: createMockRoleMapping() } }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Check Kibana logs for more details.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "level": "fetch_error", | ||
| "message": "Failed to perform deprecation check. Check Kibana logs for more details.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is removed", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns deprecations even if cannot retrieve role mappings due to permission error', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { userA: createMockUser() } }) | ||
| ); | ||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockRejectedValue( | ||
| new errors.ResponseError(securityMock.createApiResponse({ statusCode: 403, body: {} })) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Make sure you have a \\"manage_security\\" cluster privilege assigned.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/kibana/some-branch/xpack-security.html#_required_permissions_7", | ||
| "level": "fetch_error", | ||
| "message": "You do not have enough permissions to fix this deprecation.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is removed", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns deprecations even if cannot retrieve role mappings due to unknown error', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { userA: createMockUser() } }) | ||
| ); | ||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockRejectedValue( | ||
| new errors.ResponseError(securityMock.createApiResponse({ statusCode: 500, body: {} })) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Check Kibana logs for more details.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "level": "fetch_error", | ||
| "message": "Failed to perform deprecation check. Check Kibana logs for more details.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is removed", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns only user-related deprecations', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ | ||
| body: { | ||
| userA: createMockUser({ username: 'userA', roles: ['roleA'] }), | ||
| userB: createMockUser({ | ||
| username: 'userB', | ||
| roles: ['roleB', 'kibana_dashboard_only_user'], | ||
| }), | ||
| userC: createMockUser({ username: 'userC', roles: ['roleC'] }), | ||
| userD: createMockUser({ username: 'userD', roles: ['kibana_dashboard_only_user'] }), | ||
| }, | ||
| }) | ||
| ); | ||
|
|
||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { mappingA: createMockRoleMapping() } }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Create a custom role with Kibana privileges to restrict access to just the Dashboard feature.", | ||
| "Update all users with \\"kibana_dashboard_only_user\\" role to use the custom role instead.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/kibana/some-branch/kibana-privileges.html", | ||
| "level": "warning", | ||
| "message": "The following users have a deprecated and removed \\"kibana_dashboard_only_user\\" role: userB, userD. Create a custom role with Kibana privileges to restrict access to just the Dashboard feature instead.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is removed", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns only role-mapping-related deprecations', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ body: { userA: createMockUser() } }) | ||
| ); | ||
|
|
||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ | ||
| body: { | ||
| mappingA: createMockRoleMapping({ roles: ['roleA'] }), | ||
| mappingB: createMockRoleMapping({ roles: ['roleB', 'kibana_dashboard_only_user'] }), | ||
| mappingC: createMockRoleMapping({ roles: ['roleC'] }), | ||
| mappingD: createMockRoleMapping({ roles: ['kibana_dashboard_only_user'] }), | ||
| }, | ||
| }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Create a custom role with Kibana privileges to restrict access to just the Dashboard feature.", | ||
| "Update all role mappings that map to \\"kibana_dashboard_only_user\\" role to use the custom role instead.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/kibana/some-branch/kibana-privileges.html", | ||
| "level": "warning", | ||
| "message": "The following role mappings map to a deprecated and removed \\"kibana_dashboard_only_user\\" role: mappingB, mappingD. Create a custom role with Kibana privileges to restrict access to just the Dashboard feature instead.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is removed", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
|
|
||
| it('returns both user-related and role-mapping-related deprecations', async () => { | ||
| mockContext.esClient.asCurrentUser.security.getUser.mockResolvedValue( | ||
| securityMock.createApiResponse({ | ||
| body: { | ||
| userA: createMockUser({ username: 'userA', roles: ['roleA'] }), | ||
| userB: createMockUser({ | ||
| username: 'userB', | ||
| roles: ['roleB', 'kibana_dashboard_only_user'], | ||
| }), | ||
| userC: createMockUser({ username: 'userC', roles: ['roleC'] }), | ||
| userD: createMockUser({ username: 'userD', roles: ['kibana_dashboard_only_user'] }), | ||
| }, | ||
| }) | ||
| ); | ||
|
|
||
| mockContext.esClient.asCurrentUser.security.getRoleMapping.mockResolvedValue( | ||
| securityMock.createApiResponse({ | ||
| body: { | ||
| mappingA: createMockRoleMapping({ roles: ['roleA'] }), | ||
| mappingB: createMockRoleMapping({ roles: ['roleB', 'kibana_dashboard_only_user'] }), | ||
| mappingC: createMockRoleMapping({ roles: ['roleC'] }), | ||
| mappingD: createMockRoleMapping({ roles: ['kibana_dashboard_only_user'] }), | ||
| }, | ||
| }) | ||
| ); | ||
|
|
||
| await expect(deprecationHandler.getDeprecations(mockContext)).resolves.toMatchInlineSnapshot(` | ||
| Array [ | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Create a custom role with Kibana privileges to restrict access to just the Dashboard feature.", | ||
| "Update all users with \\"kibana_dashboard_only_user\\" role to use the custom role instead.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/kibana/some-branch/kibana-privileges.html", | ||
| "level": "warning", | ||
| "message": "The following users have a deprecated and removed \\"kibana_dashboard_only_user\\" role: userB, userD. Create a custom role with Kibana privileges to restrict access to just the Dashboard feature instead.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is removed", | ||
| }, | ||
| Object { | ||
| "correctiveActions": Object { | ||
| "manualSteps": Array [ | ||
| "Create a custom role with Kibana privileges to restrict access to just the Dashboard feature.", | ||
| "Update all role mappings that map to \\"kibana_dashboard_only_user\\" role to use the custom role instead.", | ||
| ], | ||
| }, | ||
| "deprecationType": "feature", | ||
| "documentationUrl": "https://www.elastic.co/guide/en/kibana/some-branch/kibana-privileges.html", | ||
| "level": "warning", | ||
| "message": "The following role mappings map to a deprecated and removed \\"kibana_dashboard_only_user\\" role: mappingB, mappingD. Create a custom role with Kibana privileges to restrict access to just the Dashboard feature instead.", | ||
| "title": "The \\"kibana_dashboard_only_user\\" role is removed", | ||
| }, | ||
| ] | ||
| `); | ||
| }); | ||
| }); | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❤️ I was worried that an error would prevent UA from surfacing the other deprecations, but this test assuages that concern.