Serverless Search Solution - users with insufficient privileges can access API key creation flyout
Opened by jeramysoucy (Jeramy Soucy)
Kibana version:
Serverless Search Solution
Describe the bug:
A user without any API key privileges can still open the create API key flyout from the home landing page, in the "Add an API key" section. This is not currently a problem, because all predefined roles grant access to API keys. However, once custom roles are available, roles without any API key privileges will be possible.
Steps to reproduce:
- Add a role without any API key privileges to the roles.yml file. Example:

```yaml
tester:
  cluster: ['read_pipeline']
  indices:
    - names:
        - '*'
      privileges:
        - 'read'
        - 'view_index_metadata'
  applications:
    - application: 'kibana-.kibana'
      privileges:
        - 'read'
      resources:
        - '*'
```
- Start ES and Kibana in serverless es mode using the --ssl flag
- Log in as a test user with the role defined in step 1
- Navigate to the home page and click the "New" button in the "Add an API key" section
- Give the API key a name and click the "Create API Key" button
Expected behavior:
The "Add an API key" section of the landing page should not be displayed to a user with no API key privileges.
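As an added illustration (not Kibana's own code), one way to gate the section is to ask Elasticsearch's has_privileges API for exactly the cluster privileges named in the security_exception below and render the section only when at least one of them is granted; the response objects are constructed for the "tester" role from this issue and for a hypothetical role holding manage_own_api_key.

```typescript
// Cluster privileges that grant cluster:admin/xpack/security/api_key/create,
// as listed in the security_exception from the issue.
const API_KEY_CREATE_PRIVILEGES = [
  "manage_own_api_key",
  "manage_api_key",
  "manage_security",
  "all",
] as const;

// Request body for POST /_security/user/_has_privileges (Elasticsearch API).
function hasPrivilegesRequest(): { cluster: string[] } {
  return { cluster: [...API_KEY_CREATE_PRIVILEGES] };
}

// The part of the has_privileges response this check needs.
interface HasPrivilegesResponse {
  username: string;
  has_all_requested: boolean;
  cluster: Record<string, boolean>;
}

// True if the user holds at least one privilege that allows API key creation.
// has_all_requested is deliberately not used: it demands every requested
// privilege, whereas any single one of these is sufficient.
function canCreateApiKey(resp: HasPrivilegesResponse): boolean {
  return API_KEY_CREATE_PRIVILEGES.some((p) => resp.cluster[p] === true);
}

// Render decision for the landing page. Fails closed: while the privilege
// check has not completed (undefined), the section stays hidden.
function shouldShowAddApiKeySection(resp?: HasPrivilegesResponse): boolean {
  return resp !== undefined && canCreateApiKey(resp);
}

// Constructed responses: the "tester" role from the issue (read_pipeline only)
// versus a hypothetical role that has manage_own_api_key.
const testerResponse: HasPrivilegesResponse = {
  username: "test_user",
  has_all_requested: false,
  cluster: { manage_own_api_key: false, manage_api_key: false, manage_security: false, all: false },
};
const ownKeyResponse: HasPrivilegesResponse = {
  username: "dev_user",
  has_all_requested: false,
  cluster: { manage_own_api_key: true, manage_api_key: false, manage_security: false, all: false },
};
```

Hiding the section is a UX fix only; Elasticsearch still enforces the privilege server-side, as the error below shows.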
Provide logs and/or server output (if relevant):
[2024-03-14T19:08:38.761-04:00][ERROR][plugins.security.authentication.api-key] Failed to create API key: security_exception
Root causes:
security_exception: action [cluster:admin/xpack/security/api_key/create] is unauthorized for user [test_user] with effective roles [tester], this action is granted by the cluster privileges [manage_own_api_key,manage_api_key,manage_security,all]
[2024-03-14T19:08:38.761-04:00][ERROR][http] 500 Server Error