Permission problem "*" vs "all" - Kibana report generation #170003

3kt · 2023-10-27T08:30:33Z

Kibana version: 8.10.4

Elasticsearch version: 8.10.4

Server OS version: Ubuntu 20.04

Browser version: Brave 1.59.122

Browser OS version: MacOs Ventura 13.6

Original install method (e.g. download page, yum, from source, etc.): apt-get

Describe the bug:

The permissions listed in the documentation do not allow the generation of pdf reports with watcher. More precisely, the all permission on Kibana scope isn't enough, and * permission is required instead.

Steps to reproduce:

Follow the documentation steps for reporting configuration and watcher automation configuration
Manually run the watcher (POST /_watcher/watch/[watcher_id]/_execute), you will be greeted with a permission error:

Extending the permissions to all on Kibana will not solve the issue:

  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "all"
      ],
      "resources": [
        "*"
      ]
    }
  ],

However, granting * permission on Kibana will:

  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "*"
      ],
      "resources": [
        "*"
      ]
    }
  ],

Expected behavior: documentation should accurately list the required permissions, and all privilege should grant report generation permission.

Screenshots (if relevant): inline in steps description

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:

This has multiple layers to it:

Documentation seems to be wrong / out of date
Why does * permission grant accesses that all doesn't?

The text was updated successfully, but these errors were encountered:

elasticmachine · 2023-10-27T15:52:26Z

Pinging @elastic/appex-sharedux (Team:SharedUX)

TheRiffRafi · 2023-12-11T23:54:04Z

Hello @3kt could you help us with some clarification on your reported config?
Did you set the following option on the kibana.yml file before trying to access reporting with "All" privilege?

xpack.reporting.roles.enabled: false

It is the first config shown on the documentation you linked. I tried to reproduce the issue and I was seeing the same issue but I realized I hadn't set that Kibana option.

3kt · 2023-12-12T21:50:50Z

@TheRiffRafi Unfortunately I don't have access to the configuration anymore, as this was deployed by a customer...

3kt added the bug Fixes for quality problems that affect the customer experience label Oct 27, 2023

botelastic bot added the needs-team Issues missing a team label label Oct 27, 2023

jsanz added (Deprecated) Feature:Reporting Use Reporting:Screenshot, Reporting:CSV, or Reporting:Framework instead docs Team:SharedUX Team label for AppEx-SharedUX (formerly Global Experience) labels Oct 27, 2023

botelastic bot removed the needs-team Issues missing a team label label Oct 27, 2023

petrklapka assigned eokoneyo Oct 30, 2023

petrklapka added the SharedUX/fix-it-week Bugs that have been groomed and queued up for the team's next fix it week label Jul 18, 2024

tsullivan added Feature:Reporting:Framework Reporting issues pertaining to the overall framework and removed (Deprecated) Feature:Reporting Use Reporting:Screenshot, Reporting:CSV, or Reporting:Framework instead labels Aug 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Permission problem "*" vs "all" - Kibana report generation #170003

Permission problem "*" vs "all" - Kibana report generation #170003

3kt commented Oct 27, 2023

elasticmachine commented Oct 27, 2023

TheRiffRafi commented Dec 11, 2023

3kt commented Dec 12, 2023

Permission problem "*" vs "all" - Kibana report generation #170003

Permission problem "*" vs "all" - Kibana report generation #170003

Comments

3kt commented Oct 27, 2023

elasticmachine commented Oct 27, 2023

TheRiffRafi commented Dec 11, 2023

3kt commented Dec 12, 2023