Limiting privileges for objects such as application privileges #31559
Comments
jaymode
added
:Security/Authorization
|
Pinging @elastic/es-security |
|
We discussed this briefly in our team meeting. No one really had opinions on the way to go, so I asked @tvernum to start with trying the format where application privileges is a top level item within roles. {
"application": {
"manage_privileges": {
"applications": [ "kibana" ]
}
}
} |
|
I just got this digested. I also favor the last option which @jaymode suggested we turn into a POC. IMO the other syntax options are confusing outside the role mapping API. There are a few things that I have found difficult to grasp fully, which I want to pass through other's mind: {
"application": {
"manage": {
"applications": [ "kibana" ]
}
},
"roles": {
"manage": {
"names": [ "sales_*" ]
}
}
}it allows for the users that are mapped under it:
|
|
@albertzaharovits the |
|
@jaymode understood, thanks. It might come as if I am trying to complicate things, but that's not the case. |
|
It's a minor detail, but it's also the first issue I ran into while trying to implement this. An example from the rest test (*) OK, technically it's I'm going to move ahead by putting this new stuff under a but it will be simple enough to change. |
|
This has evolved a little in implementation, to the point where the role descriptor now looks like this: The privileges under (I'm ignoring index and application privileges for these examples) But that's not really an option for a minor - for the Get Role API, users expect "cluster" to be a string array. So either:
From a simplicity point of view option 1 is easier. But, we do need to work out what key to use for the object field, and I don't have any good ideas... |
|
I prefer option 1. Option 2 sounds too much of a contraption to me. How would you translate the cluster privileges that have been put with the new api, but need to be get in the old format so as not to break bwc? I have another suggestion though. We already support explicit privileges in the form of |
|
This naming thing is hard... Ideally, I think we will need to move to something like this in the longer term, as it will enable us to be more fine grained with cluster perms: But there is no bwc way i can see for how to get there. So option 1 seems to be the only route. Better names than policy? Hmmm, maybe |
This commit introduces "Application Privileges" to the X-Pack security model. Application Privileges are managed within Elasticsearch, and can be tested with the _has_privileges API, but do not grant access to any actions or resources within Elasticsearch. Their purpose is to allow applications outside of Elasticsearch to represent and store their own privileges model within Elasticsearch roles. Access to manage application privileges is handled in a new way that grants permission to specific application names only. This lays the foundation for more OLS on cluster privileges, which is implemented by allowing a cluster permission to inspect not just the action being executed, but also the request to which the action is applied. To support this, a "conditional cluster privilege" is introduced, which is like the existing cluster privilege, except that it has a Predicate over the request as well as over the action name. Specifically, this adds - GET/PUT/DELETE actions for defining application level privileges - application privileges in role definitions - application privileges in the has_privileges API - changes to the cluster permission class to support checking of request objects - a new "global" element on role definition to provide cluster object level security (only for manage application privileges) - changes to `kibana_user`, `kibana_dashboard_only_user` and `kibana_system` roles to use and manage application privileges Closes #29820 Closes #31559
The current permission model for security has the ability to secure the ability to perform an action. For the majority of
objects, this is either a all or nothing permission; a user can be granted the ability to edit all users or not be allowed to edit any user.As we develop new features, such as Application Privileges (#29820), the need to further restrict the permissions on objects becomes more apparent. In the case of application privileges, the idea here would be to restrict the set of privileges a user could perform CRUD operations on. In concrete terms, an example of this would be limiting the kibana user to only be able to perform CRUD operations on the kibana application privileges and not those of other applications such as Beats or Logstash.
A few options have been proposed and discussed. The first that @tvernum proposed is to re-use the DSL from the role mapping api within roles, so for example we'd have something like the following role to limit privilege management by the application that the privileges belong to:
{ "cluster": [ { "privileges": [ "manage_privileges" ], "rules": { "field": { "application": "kibana" } } } ] }Extending this to role management, we could envision something like the following to limit roles that could be managed:
{ "cluster": [ { "privileges": [ "manage_roles" ], "rules": { "field": { "name": "sales_*" } } } ] }@clintongormley proposed a slightly different syntax that is more condensed and may be clearer to the user:
{ "cluster": { "privileges": { "manage_privileges": { "application": "kibana" }, "other_priv": {} } } }Alternatively, we could make application privileges a top level item within a role akin to
cluster,indices, andrun_as. This would look something like:{ "application": { "manage_privileges": { "applications": [ "kibana" ] } }, "roles": { "manage": { "names": [ "sales_*" ] } } }This issue's purpose is to continue discussion and come to a conclusion for how we want to define and secure specific objects like application privileges.
The text was updated successfully, but these errors were encountered: