[Feature Controls] - Secure Features API #35841
Conversation
legrego
added
the
Feature:Security/Feature Controls
|
Pinging @elastic/kibana-security |
💔 Build Failed |
💚 Build Succeeded |
There was a problem hiding this comment.
Adding a ui capability of featureControls.manage feels wrong here... We've tried to keep the ui capabilities to be geared towards their consumption, and there isn't a "feature controls" section of the ui itself.
IIRC, we only use the client-side FeaturesService.getFeatures() and rely on that check for the role management screen. I wonder if we should just be handling the possibility of a 404 here?
| @@ -10,6 +10,9 @@ export function featuresRoute(server: Record<string, any>) { | |||
| server.route({ | |||
| path: '/api/features/v1', | |||
| method: 'GET', | |||
| options: { | |||
| tags: ['access:manage_feature_controls'], | |||
There was a problem hiding this comment.
| tags: ['access:manage_feature_controls'], | |
| tags: ['access:features'], |
We're currently only using this API in the context of "managing feature controls", but there's potential we'll want to consume this elsewhere, hence the suggestion.
There was a problem hiding this comment.
We're currently only using this API in the context of "managing feature controls", but there's potential we'll want to consume this elsewhere, hence the suggestion.
I opted for the more specific tag name because we don't scope/namespace these by feature, so it's possible for two features to define the same access tag. That could unintentionally grant a user access to an API that they shouldn't have access to.
It is rather unlikely that another feature would register a tag called "features", so I can change this if you don't have concerns around this.
There was a problem hiding this comment.
It is rather unlikely that another feature would register a tag called "features", so I can change this if you don't have concerns around this.
It's a fair point... I still feel like "manage_feature_controls" is just the wrong tag for it though, but I don't want to be ignoring your concern for tag collisions. It feels like the point you've brought up is something that warrants more consideration.
How would you feel about renaming this to features and creating an issue for us to discuss other solutions to potentially prevent unintentional collisions. Perhaps the changes we're making to port this to the new platform will provide us more opportunities than the "tag" based approach which we're employing because of Hapi.
There was a problem hiding this comment.
That sounds good to me, I'll make it so
That's a fair criticism. I was thinking ahead (YAGNI) to use cases such as #35865, where admins would be able to control their feature controls. At that point, there could potentially be a UI in place for FC management. I'm happy to revisit this, I'm just documenting my thought process.
Yep - it's used on the Spaces Management screen too.
I had something like this in my first implementation, but it felt "off" to me: async function getFeatures() {
try {
return kfetch('/api/features/v1');
} catch (e) {
if (/*is404*/) {
return [];
}
// else ?
}
}It's not clear to the casual maintainer why this documented API endpoint would ever come back with a 404. I felt that guarding this behind a UI Capability was at least a bit more readable. I could improve readability with a comment, but that feels like I'm explaining away a poor implementation. Given all that, what are your thoughts? |
In that situation, we wouldn't want to be using this ui capability to not load the features for the spaces management though, right? We'll have users which are able to create spaces because of the global base
Isn't this preempted by the user not having
I agree that the 404 could be easily misinterpreted. Another option is to start throwing 403s in these situations, which would disclose the existence of the API, but make it more understandable. If we want to continue using ui capabilities, it feels like they should be scoped to the consumption, like we've done elsewhere. So we could potentially add a |
good point.
Not with the current order of operations, but it could be done.
I'm thinking maybe we don't use ui capabilities for this then. I could do away with all of this by changing the initialization order for these screens. Instead of loading the features in angular-land, I can load them in React-land once we determine that the user isn't going to see an Unauthorized prompt or disabled section. |
I'm not opposed to either of these! Thanks for putting up with my pedantic wishes. |
…to features api" This reverts commit addc149.
💔 Build Failed |
|
The build is going to fail with a CI connection error 😢 |
💔 Build Failed |
|
retest |
💔 Build Failed |
💔 Build Failed |
💚 Build Succeeded |
* restrict access to Features API * introduce featureControls.manage capability to control calls to features api * add snapshots * rename manage_feature_controls api tag to features * Revert "introduce featureControls.manage capability to control calls to features api" This reverts commit addc149. * update spaces management to only call APIs if authorized * handle 404 response when requesting features on role management page * better variable naming * remove unnecessary mock * remove unused code * remove unnecessary snapshots
legrego
added
the
release_note:skip
* restrict access to Features API * introduce featureControls.manage capability to control calls to features api * add snapshots * rename manage_feature_controls api tag to features * Revert "introduce featureControls.manage capability to control calls to features api" This reverts commit addc149. * update spaces management to only call APIs if authorized * handle 404 response when requesting features on role management page * better variable naming * remove unnecessary mock * remove unused code * remove unnecessary snapshots
Assigned features due to elastic#35841 Assigned file_upload due to https://github.com/elastic/kibana/blob/c79f0ae78633c81beebd3f95735326cc872be7f6/x-pack/plugins/file_upload/kibana.jsonc#L4 Assigned grok debugger due to https://github.com/elastic/kibana/blob/c79f0ae78633c81beebd3f95735326cc872be7f6/x-pack/plugins/grokdebugger/kibana.jsonc#L4 Assigned stats due to https://github.com/elastic/kibana/blob/c79f0ae78633c81beebd3f95735326cc872be7f6/src/plugins/usage_collection/kibana.jsonc#L4 - and I found the GET route within `src/plugins/usage_collection/server/routes/stats/stats.ts` Assigned kql_telemetry due to https://github.com/elastic/kibana/blob/3bfa7c00181599541c924d36b593205fd5d9fed4/src/plugins/data/kibana.jsonc#L4 - the service is exposed here: `src/plugins/data/server/kql_telemetry/kql_telemetry_service.ts` Contributes to: elastic#194817
…196709) ## Summary Assign ownership to some files that hopefully result in less than 5 reviewers ### Assignment Reasons Assigned features due to #35841 Assigned file_upload due to https://github.com/elastic/kibana/blob/c79f0ae78633c81beebd3f95735326cc872be7f6/x-pack/plugins/file_upload/kibana.jsonc#L4 Assigned grok debugger due to https://github.com/elastic/kibana/blob/c79f0ae78633c81beebd3f95735326cc872be7f6/x-pack/plugins/grokdebugger/kibana.jsonc#L4 Assigned stats due to https://github.com/elastic/kibana/blob/c79f0ae78633c81beebd3f95735326cc872be7f6/src/plugins/usage_collection/kibana.jsonc#L4 - and I found the GET route within `src/plugins/usage_collection/server/routes/stats/stats.ts` Assigned kql_telemetry due to https://github.com/elastic/kibana/blob/3bfa7c00181599541c924d36b593205fd5d9fed4/src/plugins/data/kibana.jsonc#L4 - the service is exposed here: `src/plugins/data/server/kql_telemetry/kql_telemetry_service.ts` Contributes to: #194817 --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Summary
Secures access to the
/api/features/v1API endpoint by requiring "Global All" privileges (those granted bykibana_user).Prior to this change, any user could access the endpoint to get a list of features. The Role Management and Spaces Management screens relied on this behavior when rendering. Once the endpoint was secured, these screens crashed on render for underprivileged users.
To solve this,
xpack_mainintroduces afeatureControls.manageUI Capability, which is consistent withspace'sspaces.manageUI Capability. Additionally,xpack_mainexposes a simple client-side service to allow consumers to safely get the list of features if the user is able to do so.