Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Controls - Prevent API tag collisions #35881

Open
legrego opened this issue May 1, 2019 · 2 comments
Open

Feature Controls - Prevent API tag collisions #35881

legrego opened this issue May 1, 2019 · 2 comments
Labels
Feature:Security/Feature Controls Platform Security - Spaces & Role Mgmt feature controls Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@legrego
Copy link
Member

legrego commented May 1, 2019
edited
Loading

See #35841 (comment) for context.

Currently, it's possible for two features to register the same tag for securing access to API endpoints. This can lead to collisions which could cause a user to have access to API endpoints they shouldn't have access to.

Example:

//Feature 1
xpackMain.registerFeature({
   id: 'feature1',
   privileges: {
      all: { api: ['foo'] }
   }
   ...,
});

// Feature 2
xpackMain.registerFeature({
   id: 'feature2',
   privileges: {
      all: { api: ['foo'] }
   }
   ...,
});

With this configuration, a user with access to only Feature 1 would have the ability to execute Feature 2's API endpoints (and vice versa).

With the NP initiative, we should explore alternate approaches to securing endpoints in a way that does not lead to collisions.
@legrego legrego added the Feature:Security/Feature Controls Platform Security - Spaces & Role Mgmt feature controls label May 1, 2019
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security

This was referenced Jun 4, 2019
Merged
Closed
@legrego legrego added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Jun 1, 2021
@legrego
Copy link
Member Author

legrego commented Jul 22, 2021

note: Some features (like file upload) rely on the current behavior, so we want to allow for two features to grant access to the same API endpoint. Our approach should make this more explicit/intentional, however.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature:Security/Feature Controls Platform Security - Spaces & Role Mgmt feature controls Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@legrego @elasticmachine