Beginning to use the ES APIs to insert/check privileges

x-pack/plugins/security/server/lib/authorization/create_default_roles.js

@@ -10,7 +10,7 @@
 import { getClient } from '../../../../../server/lib/get_client_shield';
 
 
-const createRoleIfDoesntExist = async (callCluster, name) => {
+const createRoleIfDoesntExist = async (callCluster, { name, application, privilege }) => {
   try {
     await callCluster('shield.getRole', { name });
   } catch (err) {
@@ -23,7 +23,13 @@ const createRoleIfDoesntExist = async (callCluster, name) => {
       body: {
         cluster: [],
         index: [],
-        // application: [ { "privileges": [ "kibana:all" ], "resources": [ "*" ] } ]
+        applications: [
+          {
+            application,
+            privileges: [ privilege ],
+            resources: [ 'default' ]
+          }
+        ]
       }
     });
   }
@@ -40,8 +46,17 @@ export async function createDefaultRoles(server) {
 
   const callCluster = getClient(server).callWithInternalUser;
 
-  const createKibanaUserRole = createRoleIfDoesntExist(callCluster, `${application}_rbac_user`);
-  const createKibanaDashboardOnlyRole = createRoleIfDoesntExist(callCluster, `${application}_rbac_dashboard_only_user`);
+  const createKibanaUserRole = createRoleIfDoesntExist(callCluster, {
+    name: `${application}_rbac_user`,
+    application,
+    privilege: 'all'
+  });
+
+  const createKibanaDashboardOnlyRole = createRoleIfDoesntExist(callCluster, {
+    name: `${application}_rbac_dashboard_only_user`,
+    application,
+    privilege: 'read'
+  });
 
   await Promise.all([createKibanaUserRole, createKibanaDashboardOnlyRole]);
 }

x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js

@@ -11,8 +11,6 @@ import { buildPrivilegeMap } from './privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 
 export async function registerPrivilegesWithCluster(server) {
-  return;
-
   const config = server.config();
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
@@ -23,7 +21,6 @@ export async function registerPrivilegesWithCluster(server) {
 
   const callCluster = getClient(server).callWithInternalUser;
 
-  // TODO(legrego) - non-working stub
   await callCluster('shield.postPrivileges', {
     body: {
       [application]: privilegeActionMapping

x-pack/plugins/security/server/lib/privileges/privileges.js

@@ -8,49 +8,33 @@
  * Licensed under the Elastic License; you may not use this file except in compliance with the Elastic License. */
 
 export function buildPrivilegeMap(application, kibanaVersion) {
-  const readSavedObjectsPrivileges = buildSavedObjectsReadPrivileges('');
+  const readSavedObjectsPrivileges = buildSavedObjectsReadPrivileges();
 
-  const commonMetadata = {
-    kibanaVersion
-  };
-
-  function getActionName(...nameParts) {
-    return nameParts.join('/');
-  }
+  const privilegeActions = {};
 
-  const privilegeActionMap = [];
-
-  privilegeActionMap.push({
+  privilegeActions.all = {
     application,
     name: 'all',
-    actions: [getActionName('*')],
-    metadata: {
-      ...commonMetadata,
-      displayName: 'all'
-    }
-  });
-
-  privilegeActionMap.push({
+    actions: [`version:${kibanaVersion}`, 'action:*'],
+  };
+
+  privilegeActions.read = {
     application,
     name: 'read',
-    actions: [...readSavedObjectsPrivileges],
-    metadata: {
-      ...commonMetadata,
-      displayName: 'read'
-    }
-  });
-
-  return privilegeActionMap;
+    actions: [`version:${kibanaVersion}`, ...readSavedObjectsPrivileges],
+  };
+
+  return privilegeActions;
 }
 
-function buildSavedObjectsReadPrivileges(prefix) {
+function buildSavedObjectsReadPrivileges() {
   const readActions = ['get', 'mget', 'search'];
-  return buildSavedObjectsPrivileges(prefix, readActions);
+  return buildSavedObjectsPrivileges(readActions);
 }
 
-function buildSavedObjectsPrivileges(prefix, actions) {
-  const objectTypes = ['dashboard', 'visualization', 'search'];
+function buildSavedObjectsPrivileges(actions) {
+  const objectTypes = ['config', 'dashboard', 'index-pattern', 'search', 'visualization'];
   return objectTypes
-    .map(type => actions.map(action => `${prefix}/${type}/${action}`))
+    .map(type => actions.map(action => `action:saved-objects/${type}/${action}`))
     .reduce((acc, types) => [...acc, ...types], []);
 }

x-pack/plugins/security/server/lib/saved_objects_client/secure_options_builder.js

@@ -11,9 +11,12 @@ export function secureSavedObjectsClientOptionsBuilder(server, options) {
   const adminCluster = server.plugins.elasticsearch.getCluster('admin');
   const { callWithInternalUser } = adminCluster;
 
+  const config = server.config();
+
   return {
     ...options,
-    application: server.config().get('xpack.security.rbac.application'),
+    application: config.get('xpack.security.rbac.application'),
+    kibanaVersion: config.get('pkg.version'),
     callCluster: callWithInternalUser
   };
 }

x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js

@@ -17,12 +17,14 @@ export class SecureSavedObjectsClient {
       request,
       baseClient,
       application,
+      kibanaVersion,
     } = options;
 
     this.errors = baseClient.errors;
 
     this._client = baseClient;
     this._application = application;
+    this._kibanaVersion = kibanaVersion;
     this._callCluster = getClient(server).callWithRequest;
     this._request = request;
   }
@@ -48,8 +50,7 @@ export class SecureSavedObjectsClient {
   }
 
   async find(options = {}) {
-    // TODO(legrego) - need to constrain which types users can search for...
-    await this._performAuthorizationCheck(null, 'search', null, options);
+    await this._performAuthorizationCheck(options.type, 'search', null, options);
 
     return await this._client.find(options);
   }
@@ -75,22 +76,21 @@ export class SecureSavedObjectsClient {
   }
 
   async _performAuthorizationCheck(type, action, attributes = {}, options = {}) { // eslint-disable-line no-unused-vars
-    return;
-    // TODO(legrego) use ES Custom Privilege API once implemented.
-    const kibanaAction = `saved-objects/${type}/${action}`;
+    const version = `version:${this._kibanaVersion}`;
+    const kibanaAction = `action:saved-objects/${type}/${action}`;
 
     const privilegeCheck = await this._callCluster(this._request, 'shield.hasPrivileges', {
       body: {
         applications: [{
           application: this._application,
           resources: ['default'],
-          privileges: [kibanaAction]
+          privileges: [version, kibanaAction]
         }]
       }
     });
 
     if (!privilegeCheck.has_all_requested) {
-      throw Boom.unauthorized(`User ${privilegeCheck.username} is not authorized to ${action} objects of type ${type}`);
+      throw Boom.forbidden(`User ${privilegeCheck.username} is not authorized to ${action} objects of type ${type}`);
     }
   }
 }

x-pack/plugins/security/server/routes/api/v1/privileges.js

@@ -21,8 +21,8 @@ export function initPrivilegesApi(server) {
     method: 'GET',
     path: '/api/security/v1/privileges',
     handler(request, reply) {
-
-      reply(buildPrivilegeMap(application, kibanaVersion));
+      const privileges = buildPrivilegeMap(application, kibanaVersion);
+      reply(Object.values(privileges));
     }
   });
 }