
manage_security:all privilege needed to create a runtime field

Open xgt001 opened this issue 2 years ago • 1 comments

Kibana version: 7.16.2

Elasticsearch version: 7.16.2

Server OS version: Flatcar Linux 3139.2.2

Browser version: Chrome 104.0.5112.126

Browser OS version: macOS Monterey 12.6

Original install method (e.g. download page, yum, from source, etc.): Docker Image from Elasticsearch

Describe the bug: A user is able to create and preview a runtime field, but that user is not able to save it without the manage_security:all privilege. When they try to do so, they are greeted with something of this sort in the console: (image)

Steps to reproduce:

  1. Try to create and save a runtime field without having manage_security:all privilege on your kibana role
  2. Kibana doesn't like it very much and complains about not having manage_security:all role in the console while it lets you create and preview the filter

Expected behavior: Kibana lets a user with fewer privileges create a runtime field.

Screenshots (if relevant): image

Errors in browser console (if relevant):

{"statusCode":403,"error":"Forbidden","message":"[security_exception: [security_exception] Reason: action [cluster:admin/xpack/security/role/get] is unauthorized for user [pomerium] run as [redacted] with roles [myrole], this action is granted by the cluster privileges [manage_security,all]]: action [cluster:admin/xpack/security/role/get] is unauthorized for user [pomerium] run as [readacted] with roles [myrole], this action is granted by the cluster privileges [manage_security,all]"}

Provide logs and/or server output (if relevant):

Error
    at fetch_Fetch.fetchResponse (https://foo-bar.io/46307/bundles/core/core.entry.js:8:56906)
    at async https://foo-bar.io/46307/bundles/core/core.entry.js:8:55074
    at async https://foo-bar.io/46307/bundles/core/core.entry.js:8:55031

Any additional context: To give some additional details: the above "myrole" already has the following privileges, which allow them to create and preview a given runtime field:

      "feature_discover.read",
      "feature_dev_tools.read",
      "feature_indexPatterns.read",

xgt001 avatar Sep 19 '22 12:09 xgt001

Pinging @elastic/kibana-app-services (Team:AppServicesSv)

elasticmachine avatar Sep 19 '22 13:09 elasticmachine

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

elasticmachine avatar Nov 21 '22 20:11 elasticmachine

I'm not able to reproduce this bug, and I think it has to do with how your run_as permissions are set up. Can you provide more screenshots showing the whole configuration for the role, as well as any run_as permissions it has (and their associated configurations)?

Here's my role that does allow creation of runtime fields:

image image

(Notice that all Security features are disabled.)

lukasolson avatar Feb 21 '24 22:02 lukasolson

Closing this one out, feel free to comment & re-open if this is actually an issue.

lukasolson avatar Apr 24 '24 23:04 lukasolson
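
For triaging a 403 like the one in the report above, this added example (not part of the thread and not Kibana or Elasticsearch code) parses the response body into the denied action, the authenticated and run-as users, the roles that were evaluated, and the privileges that would grant the action. The regex is modelled on the message text quoted in the report; `SAMPLE` and the user names in it are constructed.

```python
import json
import re

# Pattern modelled on the denial text quoted in the report; other
# Elasticsearch versions may word the message differently (assumption).
DENIAL = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r"(?: run as \[(?P<run_as>[^\]]+)\])?"
    r"(?: with roles \[(?P<roles>[^\]]*)\])?"
    r"(?:, this action is granted by the (?P<scope>cluster|index) "
    r"privileges \[(?P<granted_by>[^\]]*)\])?"
)

# Constructed sample body with the same shape as the error in the report.
SAMPLE = json.dumps({
    "statusCode": 403,
    "error": "Forbidden",
    "message": "[security_exception: [security_exception] Reason: action "
               "[cluster:admin/xpack/security/role/get] is unauthorized for user "
               "[proxy-svc] run as [alice] with roles [myrole], this action is "
               "granted by the cluster privileges [manage_security,all]]",
})

def _split(csv):
    """Turn 'a,b' into ['a', 'b']; None or '' becomes []."""
    return [p.strip() for p in csv.split(",") if p.strip()] if csv else []

def parse_denial(body):
    """Extract who was denied which action from a 403 JSON response body."""
    doc = json.loads(body)
    if doc.get("statusCode") != 403:
        raise ValueError("not a 403 response")
    m = DENIAL.search(doc.get("message", ""))
    if m is None:
        raise ValueError("no authorization denial found in message")
    return {
        "action": m["action"],
        "authenticated_user": m["user"],
        # With run_as, the request is authorized as the impersonated user,
        # so the roles listed are the ones to inspect for that user.
        "effective_user": m["run_as"] or m["user"],
        "impersonated": m["run_as"] is not None,
        "roles": _split(m["roles"]),
        "scope": m["scope"],
        "granted_by": _split(m["granted_by"]),
    }
```

When `impersonated` is true, the role configuration to review is the one resolved for `effective_user`, which is the run_as setup the maintainer asks about.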