[ML] Adding endpoint capability checks

x-pack/plugins/ml/common/types/capabilities.ts

@@ -7,6 +7,7 @@
 import { KibanaRequest } from 'kibana/server';
 
 export const userMlCapabilities = {
+  canAccessML: false,
   // Anomaly Detection
   canGetJobs: false,
   canGetDatafeeds: false,
@@ -38,16 +39,18 @@ export const adminMlCapabilities = {
   canCreateFilter: false,
   canDeleteFilter: false,
   // Data Frame Analytics
-  canDeleteDataFrameAnalytics: false,
   canCreateDataFrameAnalytics: false,
+  canDeleteDataFrameAnalytics: false,
   canStartStopDataFrameAnalytics: false,
 };
 
 export type UserMlCapabilities = typeof userMlCapabilities;
 export type AdminMlCapabilities = typeof adminMlCapabilities;
 export type MlCapabilities = UserMlCapabilities & AdminMlCapabilities;
 
-export const basicLicenseMlCapabilities = ['canFindFileStructure'] as Array<keyof MlCapabilities>;
+export const basicLicenseMlCapabilities = ['canAccessML', 'canFindFileStructure'] as Array<
+  keyof MlCapabilities
+>;
 
 export function getDefaultCapabilities(): MlCapabilities {
   return {
@@ -56,6 +59,23 @@ export function getDefaultCapabilities(): MlCapabilities {
   };
 }
 
+export function getPluginPrivileges() {
+  const userMlCapabilitiesKeys = Object.keys(userMlCapabilities);
+  const adminMlCapabilitiesKeys = Object.keys(adminMlCapabilities);
+  const allMlCapabilities = [...adminMlCapabilitiesKeys, ...userMlCapabilitiesKeys];
+
+  return {
+    user: {
+      ui: userMlCapabilitiesKeys,
+      api: userMlCapabilitiesKeys.map(k => `ml:${k}`),
+    },
+    admin: {
+      ui: allMlCapabilities,
+      api: allMlCapabilities.map(k => `ml:${k}`),
+    },
+  };
+}
+
 export interface MlCapabilitiesResponse {
   capabilities: MlCapabilities;
   upgradeInProgress: boolean;

x-pack/plugins/ml/server/plugin.ts

@@ -45,7 +45,7 @@ import { systemRoutes } from './routes/system';
 import { MlLicense } from '../common/license';
 import { MlServerLicense } from './lib/license';
 import { createSharedServices, SharedServices } from './shared_services';
-import { userMlCapabilities, adminMlCapabilities } from '../common/types/capabilities';
+import { getPluginPrivileges } from '../common/types/capabilities';
 import { setupCapabilitiesSwitcher } from './lib/capabilities';
 import { registerKibanaSettings } from './lib/register_settings';
 
@@ -75,8 +75,7 @@ export class MlServerPlugin implements Plugin<MlPluginSetup, MlPluginStart, Plug
   }
 
   public setup(coreSetup: CoreSetup, plugins: PluginsSetup): MlPluginSetup {
-    const userMlCapabilitiesKeys = Object.keys(userMlCapabilities);
-    const adminMlCapabilitiesKeys = Object.keys(adminMlCapabilities);
+    const { user, admin } = getPluginPrivileges();
 
     plugins.features.registerFeature({
       id: PLUGIN_ID,
@@ -98,31 +97,33 @@ export class MlServerPlugin implements Plugin<MlPluginSetup, MlPluginStart, Plug
           {
             id: 'ml_user',
             privilege: {
+              api: user.api,
               app: [PLUGIN_ID, 'kibana'],
               catalogue: [PLUGIN_ID],
               savedObject: {
                 all: [],
                 read: [],
               },
-              ui: userMlCapabilitiesKeys,
+              ui: user.ui,
             },
           },
           {
             id: 'ml_admin',
             privilege: {
+              api: admin.api,
               app: [PLUGIN_ID, 'kibana'],
               catalogue: [PLUGIN_ID],
               savedObject: {
                 all: [],
                 read: [],
               },
-              ui: [...adminMlCapabilitiesKeys, ...userMlCapabilitiesKeys],
+              ui: admin.ui,
             },
           },
         ],
       },
     });
-
+    // console.log(userMlCapabilitiesKeys.map(k => `access:${k}`));
     registerKibanaSettings(coreSetup);
 
     this.mlLicense.setup(plugins.licensing.license$, [
@@ -168,7 +169,7 @@ export class MlServerPlugin implements Plugin<MlPluginSetup, MlPluginStart, Plug
     indicesRoutes(routeInit);
     jobAuditMessagesRoutes(routeInit);
     jobRoutes(routeInit);
-    jobServiceRoutes(routeInit, { resolveMlCapabilities });
+    jobServiceRoutes(routeInit);
     notificationRoutes(routeInit);
     resultsServiceRoutes(routeInit);
     jobValidationRoutes(routeInit, this.version);

x-pack/plugins/ml/server/routes/annotations.ts

@@ -54,6 +54,9 @@ export function annotationRoutes(
       validate: {
         body: getAnnotationsSchema,
       },
+      options: {
+        tags: ['access:ml:canGetJobs'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -86,6 +89,9 @@ export function annotationRoutes(
       validate: {
         body: indexAnnotationSchema,
       },
+      options: {
+        tags: ['access:ml:canCreateJob'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -130,6 +136,9 @@ export function annotationRoutes(
       validate: {
         params: deleteAnnotationSchema,
       },
+      options: {
+        tags: ['access:ml:canCreateJob'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {

x-pack/plugins/ml/server/routes/anomaly_detectors.ts

@@ -37,6 +37,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
     {
       path: '/api/ml/anomaly_detectors',
       validate: false,
+      options: {
+        tags: ['access:ml:canGetJobs'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -65,6 +68,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
       validate: {
         params: jobIdSchema,
       },
+      options: {
+        tags: ['access:ml:canGetJobs'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -93,6 +99,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
     {
       path: '/api/ml/anomaly_detectors/_stats',
       validate: false,
+      options: {
+        tags: ['access:ml:canGetJobs'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -121,6 +130,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
       validate: {
         params: jobIdSchema,
       },
+      options: {
+        tags: ['access:ml:canGetJobs'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -154,6 +166,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
         params: jobIdSchema,
         body: schema.object(anomalyDetectionJobSchema),
       },
+      options: {
+        tags: ['access:ml:canCreateJob'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -188,6 +203,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
         params: jobIdSchema,
         body: anomalyDetectionUpdateJobSchema,
       },
+      options: {
+        tags: ['access:ml:canUpdateJob'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -220,6 +238,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
       validate: {
         params: jobIdSchema,
       },
+      options: {
+        tags: ['access:ml:canOpenJob'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -251,6 +272,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
       validate: {
         params: jobIdSchema,
       },
+      options: {
+        tags: ['access:ml:canCloseJob'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -286,6 +310,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
       validate: {
         params: jobIdSchema,
       },
+      options: {
+        tags: ['access:ml:canDeleteJob'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -319,6 +346,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
       validate: {
         body: schema.any(),
       },
+      options: {
+        tags: ['access:ml:canCreateJob'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -351,6 +381,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
         params: jobIdSchema,
         body: forecastAnomalyDetector,
       },
+      options: {
+        tags: ['access:ml:canForecastJob'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -389,6 +422,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
         params: jobIdSchema,
         body: getRecordsSchema,
       },
+      options: {
+        tags: ['access:ml:canGetJobs'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -425,6 +461,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
         params: getBucketParamsSchema,
         body: getBucketsSchema,
       },
+      options: {
+        tags: ['access:ml:canGetJobs'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -462,6 +501,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
         params: jobIdSchema,
         body: getOverallBucketsSchema,
       },
+      options: {
+        tags: ['access:ml:canGetJobs'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -496,6 +538,9 @@ export function jobRoutes({ router, mlLicense }: RouteInitialization) {
       validate: {
         params: getCategoriesSchema,
       },
+      options: {
+        tags: ['access:ml:canGetJobs'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {

x-pack/plugins/ml/server/routes/calendars.ts

@@ -52,6 +52,9 @@ export function calendars({ router, mlLicense }: RouteInitialization) {
     {
       path: '/api/ml/calendars',
       validate: false,
+      options: {
+        tags: ['access:ml:canGetCalendars'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -81,6 +84,9 @@ export function calendars({ router, mlLicense }: RouteInitialization) {
       validate: {
         params: calendarIdsSchema,
       },
+      options: {
+        tags: ['access:ml:canGetCalendars'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       let returnValue;
@@ -117,6 +123,9 @@ export function calendars({ router, mlLicense }: RouteInitialization) {
       validate: {
         body: calendarSchema,
       },
+      options: {
+        tags: ['access:ml:canCreateCalendar'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -149,6 +158,9 @@ export function calendars({ router, mlLicense }: RouteInitialization) {
         params: calendarIdSchema,
         body: calendarSchema,
       },
+      options: {
+        tags: ['access:ml:canCreateCalendar'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {
@@ -180,6 +192,9 @@ export function calendars({ router, mlLicense }: RouteInitialization) {
       validate: {
         params: calendarIdSchema,
       },
+      options: {
+        tags: ['access:ml:canDeleteCalendar'],
+      },
     },
     mlLicense.fullLicenseAPIGuard(async (context, request, response) => {
       try {